diff --git a/.gitignore b/.gitignore
index 2628a5390..18e738864 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 .idea/
 .vscode/
 tools/target/
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index d097e3c26..f2c4baf37 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A 
[JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the 
attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm","title":"Hash Algorithm","description":"The standard, well-known algorithm used to compute the hash."},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue","title":"Hash Value","description":"The value of the hash computed using the standard, well-known algorithm."}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external 
reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","perspective","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","swid-tag","other"],"meta:enum":{"vcs":"Version Control System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. 
pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","perspective":"A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","swid-tag":"A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. 
Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). 
Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. 
This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signatures":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures","title":"Signatures","description":"Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"parties":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/parties"},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. 
The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"componentOrChoice":{"title":"Component or Component Choice","description":"An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. 
The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.","oneOf":[{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentChoice"}]},"componentChoice":{"type":"object","title":"Component Choice","description":"A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.","required":["type","operator","components"],"additionalProperties":false,"properties":{"type":{"type":"string","const":"component-choice","title":"Type","description":"Discriminator for a component-choice entry. The value shall be the literal string `component-choice`."},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.","examples":["2N2222 or PN2222A Transistor","U1 5V LDO Regulator"]},"description":{"type":"string","title":"Description","description":"A description of the choice and the rationale behind the alternates."},"operator":{"type":"string","enum":["OR","XOR","AND"],"meta:enum":{"OR":"Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.","XOR":"Exactly one of the contained components is installed in any single instance. 
Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.","AND":"All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun."},"title":"Operator","description":"The logical relationship between the contained components."},"components":{"type":"array","minItems":2,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"title":"Components","description":"Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal 
protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."},"accountInfo":{"type":"string","title":"Account Information","description":"The account or user information associated with the occurrence."},"systemOwner":{"type":"string","title":"System Owner","description":"The owner of the system where the component was found."},"startTime":{"type":"string","format":"date-time","title":"Start Time","description":"The date and time when the process detecting the occurrence started."},"endTime":{"type":"string","format":"date-time","title":"End Time","description":"The date and time when the process detecting the occurrence ended."},"usageCount":{"type":"integer","minimum":0,"title":"Usage Count","description":"The number of times the component occurred in the detecting process."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["scheme"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded Value","description":"The value of the scheme that has been concluded based on the aggregate of all methods (if 
available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}},"identifiers":{"type":"array","title":"Identifiers","description":"Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. For unverified or inferred identity data, use evidence.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identifier"},"uniqueItems":true},"identifier":{"type":"object","title":"Identifier","description":"A set of identifiers attributed to a single asserting party.","required":["party","identities"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"party":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Asserting Party","description":"Reference using bom-link or bom-ref to the party making the identity assertion."},"identities":{"type":"array","title":"Identities","description":"The discrete identity claims asserted by the party.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identity"},"minItems":1,"uniqueItems":true}}},"identity":{"type":"object","title":"Identity","description":"A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"value":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityValue"}}},"identityScheme":{"title":"Identifier Scheme","description":"The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.","oneOf":[{"type":"string","enum":["purl","cpe","swid","swhid","omniborid","epc-rfid","giai","gln","gmn","gtin-8","gtin-12","gtin-13","gtin-14","mpn","part-number","model-number","sku","serial-number","asset-tag","udi-di","udi-pi","fcc-id","imei","mac-address","tei"],"meta:enum":{"purl":"Package-URL identifier, conforming to the Package-URL specification.","cpe":"Common Platform Enumeration name, conforming to NIST Interagency Report 7695.","swid":"Software Identification tag identifier, conforming to ISO/IEC 19770-2.","swhid":"Software Heritage persistent identifier.","omniborid":"OmniBOR Artifact Identifier, also known as a gitoid.","epc-rfid":"Electronic Product Code - RFID (EPC Tag Data Standard)","giai":"Global Individual Asset Identifier (GIAI)","gln":"Global Location Number (GLN)","gmn":"Global Model Number (GMN)","gtin-8":"Global Trade Identification Number (GTIN-8 / EAN/UCC-8)","gtin-12":"Global Trade Identification Number (GTIN-12 / UPC-A)","gtin-13":"Global Trade Identification Number (GTIN-13 / EAN/UCC-13)","gtin-14":"Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)","mpn":"Manufacturer Part Number, assigned by the original manufacturer.","part-number":"Part number assigned by a distributor, integrator, or operator.","model-number":"Product model number assigned by the manufacturer.","sku":"Stock Keeping Unit, assigned by a seller or distributor.","serial-number":"Unique identifier for an individual instance of a product.","asset-tag":"Asset tag assigned by the owning or operating organization.","udi-di":"Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","udi-pi":"Unique Device Identifier, Production Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","fcc-id":"United States Federal Communications Commission equipment identifier.","imei":"International 
Mobile Equipment Identity, conforming to 3GPP TS 23.003.","mac-address":"IEEE 802 Media Access Control address.","tei":"Transparency Exchange Identifier conforming to the Transparency Exchange API specification."}},{"type":"object","title":"Custom Identifier Scheme","description":"A custom identifier scheme not represented in the predefined taxonomy.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom identifier scheme."},"description":{"type":"string","title":"Description","description":"A description of the custom identifier scheme."}}}]},"identityValue":{"type":"string","minLength":1,"title":"Identifier Value","description":"The value of an identifier."}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. 
Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. 
DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"array","title":"Implementation platforms","description":"The target platforms for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform.","items":{"type":"string","title":"Platform","description":"The target platform for the implementation.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","riscv32","riscv64","other","unknown"],"meta:enum":{"generic":"Platform-independent implementation.","x86_32":"Intel/AMD 32-bit x86 architecture.","x86_64":"Intel/AMD 64-bit x86-64 architecture.","armv7-a":"ARM 32-bit application profile (Cortex-A).","armv7-m":"ARM 32-bit microcontroller profile (Cortex-M).","armv8-a":"ARM 64-bit application profile (AArch64).","armv8-m":"ARM 32-bit microcontroller with TrustZone.","armv9-a":"ARM 64-bit with enhanced security features.","armv9-m":"ARM microcontroller with advanced security.","s390x":"IBM Z series mainframe 64-bit.","ppc64":"IBM PowerPC 64-bit big-endian.","ppc64le":"IBM PowerPC 64-bit little-endian.","riscv32":"RISC-V 32-bit open standard architecture.","riscv64":"RISC-V 64-bit open standard architecture.","other":"Another platform.","unknown":"The platform is not known."}}},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","cavp","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","cavp":"Cryptographic Algorithm Validation Program","other":"Another 
certification","unknown":"The certification level is not known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","siv","gcm-siv","ocb","eax","kw","kwp","cts","xts","gmac","cmac","xpn","ff1","ff3-1","other","unknown"],"meta:enum":{"cbc":"Cipher Block Chaining mode.","ecb":"Electronic Codebook mode.","ccm":"Counter with CBC-MAC (AEAD).","gcm":"Galois/Counter Mode (AEAD).","cfb":"Cipher Feedback mode.","ofb":"Output Feedback mode.","ctr":"Counter mode.","siv":"Synthetic Initialization Vector mode.","gcm-siv":"GCM with Synthetic IV (nonce-misuse resistant).","ocb":"Offset Codebook Mode (AEAD).","eax":"Encrypt-then-Authenticate-then-Translate mode.","kw":"AES Key Wrap (RFC 3394).","kwp":"AES Key Wrap with Padding (RFC 5649).","cts":"Ciphertext Stealing mode.","xts":"XEX Tweaked-codebook with Stealing (disk encryption).","gmac":"Galois Message Authentication Code","cmac":"Cipher-based Message Authentication Code","xpn":"Extended Packet Numbering mode.","ff1":"Format-preserving encryption mode 1.","ff3-1":"Format-preserving encryption mode 3, update 1.","other":"Another mode of operation.","unknown":"The mode is not known."}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","pss","x931","other","unknown"],"meta:enum":{"pkcs5":"PKCS#5 padding for password-based cryptography.","pkcs7":"PKCS#7 padding with length-indicating bytes.","pkcs1v15":"PKCS#1 v1.5 padding for RSA.","oaep":"Optimal Asymmetric Encryption Padding for RSA.","raw":"No padding applied.","pss":"Probabilistic Signature Scheme for RSA signatures.","x931":"ANSI X9.31 padding for RSA.","other":"Another padding scheme.","unknown":"The padding scheme is not known."}},"cryptoFunctions":{"type":"array","title":"Cryptographic 
functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction"}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6},"secProperties":{"type":"array","title":"Security Properties","description":"Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.","items":{"type":"string","title":"Security Property","examples":["IND-CPA","IND-CCA","IND-CCA2","SUF-CMA","EUF-CMA","collision-resistant","preimage-resistant","second-preimage-resistant"]}}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time 
according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint"},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"},"keyUsage":{"type":"array","title":"Key Usage","description":"Defines the permitted cryptographic usage for the asset.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction","title":"Usage","description":"A permitted cryptographic usage."}}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher 
Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a 
cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"cryptographicFunction":{"type":"string","title":"Cryptographic Function","description":"A cryptographic function or usage.","enum":["generate","paramgen","paramver","keygen","keyver","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","keyagree","wrap","unwrap","other","unknown"],"meta:enum":{"generate":"Generates random data, IVs, or nonces.","paramgen":"Generates cryptographic domain parameters.","paramver":"Verifies cryptographic domain parameters.","keygen":"Generates cryptographic keys.","keyver":"Verifies cryptographic keys.","encrypt":"Transforms plaintext into ciphertext.","decrypt":"Transforms ciphertext into plaintext.","digest":"Computes a hash value from input data.","tag":"Generates an authentication tag for data integrity.","keyderive":"Derives keys from another key or shared secret.","sign":"Creates a digital signature using a private key.","verify":"Verifies a digital signature using a public key.","encapsulate":"Encapsulates a secret using a public key (KEM).","decapsulate":"Decapsulates a secret using a private key (KEM).","keyagree":"Derives a shared secret between parties.","wrap":"Encrypts a key for secure storage or transport.","unwrap":"Decrypts a wrapped 
key to recover the original key.","other":"Another cryptographic function.","unknown":"The cryptographic function is not known."}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"fingerprint":{"type":"object","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset.","oneOf":[{"title":"Standard Hash","description":"A fingerprint computed using a standard, well-known hash algorithm.","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},{"title":"Custom Fingerprint","description":"A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.","required":["customAlg","customContent"],"additionalProperties":false,"properties":{"customAlg":{"type":"string","title":"Custom Fingerprint Algorithm","description":"The name of the custom algorithm used to compute the fingerprint."},"customContent":{"type":"string","title":"Custom Fingerprint Content","description":"The value of the fingerprint computed using the custom algorithm."}}}]},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the 
cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"type":"array","title":"References","description":"The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for 
specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency 
Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. 
A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-jss_X590_2023_10-2.0":{"type":"null","title":"CycloneDX Model for JSON Signature Scheme (JSS)","description":"JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.","$defs":{"timestamp":{"title":"Timestamp","description":"An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z","type":"string","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$","examples":["2023-10-29T13:56:08Z","2023-10-29T13:56:08.000Z","2023-11-15T08:30:00.123Z"]},"identifier":{"title":"Identifier","description":"A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.","type":"string","format":"uuid","pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$","examples":["f47ac10b-58cc-4372-a567-0e02b2c3d479"]},"hashAlgorithm":{"title":"Hash Algorithm","description":"This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. 
The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.","type":"string","pattern":"^[a-z0-9-]+$","examples":["sha-256","sha-384","sha-512","sha3-256","sha3-512"]},"algorithmVocabulary":{"title":"Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)","description":"NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.","type":"string","enum":["XMSS-SHA2_10_256","XMSS-SHA2_16_256","XMSS-SHA2_20_256","LMS_SHA256_M32_H5","LMS_SHA256_M32_H10","LMS_SHA256_M32_H15","LMS_SHA256_M32_H20","LMS_SHA256_M32_H25","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512","Ed25519","Ed448"]},"algorithm":{"title":"Signing Algorithm","description":"This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. 
The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.","type":"string","anyOf":[{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary"},{"type":"string","title":"Other algorithm identifier","description":"Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)."}],"examples":["Ed25519","ES256","XMSS-SHA2_10_256","LMS_SHA256_M32_H5","PS512"]},"publicKey":{"title":"Public Key (PEM, header-stripped)","description":"This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.","type":"string","pattern":"^[A-Za-z0-9+/]+={0,2}$","examples":["MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU="]},"publicCertChain":{"title":"Public Certificate Chain","description":"This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. 
The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].","type":"array","items":{"type":"string","description":"Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)."},"minItems":1},"certUrl":{"title":"Certificate URL","description":"This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].","type":"string","format":"uri","pattern":"^https://","examples":["https://pki.example.com/certs/signing-cert.pem"]},"thumbprint":{"title":"Certificate Thumbprint","description":"This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. 
The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].","type":"string","pattern":"^[A-Za-z0-9_-]{43}$","examples":["NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"]},"signatureObject":{"title":"Signature Object","description":"A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.","type":"object","properties":{"hash_algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm"},"algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm"},"public_key":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey"},"public_cert_chain":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain"},"cert_url":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl"},"thumbprint":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint"},"value":{"title":"Signature Value","description":"A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).","type":"string","pattern":"^[A-Za-z0-9_-]+={0,2}$"},"signature":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject","title":"Counter-Signature","description":"This property enables a signature to be countersigned, meaning a signature can be signed by another signature."},"type":{"title":"Type Indicator","description":"The value of this property MUST be jss.","type":"string","const":"jss"},"id":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier","title":"Signature Identifier","description":"A value that uniquely identifies the signature. 
All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property."},"related_to":{"title":"Related Object Reference","description":"A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"related_version":{"title":"Related Object Version","description":"A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"created":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Created Timestamp","description":"The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"modified":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Modified Timestamp","description":"The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. 
If the created and modified properties are the same, then this is the first version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"revoked":{"title":"Revoked Flag","description":"A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.","type":"boolean","default":false},"signee":{"title":"Signee","description":"An unstructured string value for the name of the entity or organization that produced this signature.","type":"string"},"valid_from":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid From","description":"The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored."},"valid_until":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid Until","description":"The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. 
If the revoked property is true then this property MUST be ignored."}},"required":["hash_algorithm","algorithm","value"],"anyOf":[{"required":["public_key"],"description":"Public key material provided as PEM-encoded public key (header/footer stripped)."},{"required":["public_cert_chain"],"description":"Public key material provided as a base64-encoded DER X.509 certificate chain."},{"required":["cert_url"],"description":"Public key material provided by reference to a TLS-accessible certificate URI."},{"required":["thumbprint"],"description":"Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint."}],"unevaluatedProperties":true},"signatures":{"title":"Signatures Array","description":"A JSON array of one or more signature objects. MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. 
All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.","type":"array","items":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject"},"minItems":1}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-party-2.0":{"type":"null","title":"CycloneDX Party Model","$defs":{"party":{"type":"object","title":"Party","description":"Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. Optional sub-objects layer inter-party relationships and standard extension data.","required":["roles"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"roles":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/role"},"title":"Roles","description":"One or more roles the party fulfils. 
Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)."},"organization":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/organization","description":"Identity attributes valid when the party is an organization, company, government body, or other collective."},"person":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/person","description":"Identity attributes valid when the party is an individual person."},"system":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/system","title":"System","description":"Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent."},"persona":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/persona","title":"Persona","description":"Identity attributes valid when the party is an abstract archetype rather than a specific named instance."},"relations":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyRelations","title":"Relations","description":"Links from this party to other parties."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"required":["organization"]},{"required":["person"]},{"required":["system"]},{"required":["persona"]}]},"parties":{"type":"array","title":"Parties","description":"Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"partyChoice":{"title":"Party Choice","description":"A party represented either as a complete object or as a reference to a previously declared party.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A refLinkType pointing to a previously declared party."}]},"role":{"title":"Role","description":"A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole"},{"title":"Custom Role","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom role.","examples":["Chief Executive Officer","Data Protection Officer","Release Manager"]},"description":{"type":"string","title":"Description","description":"A description of the custom role, including its responsibilities and scope."},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. 
Absence means unranked."}}}]},"preDefinedRole":{"title":"Pre-Defined Role","type":"object","required":["role"],"additionalProperties":false,"properties":{"role":{"type":"string","title":"Role","description":"A predefined role from the CycloneDX role taxonomy.","enum":["agent","assembler","asserter","attacker","auditor","author","broker","carrier","certificate-authority","committer","competitor","consignee","consignor","contributor","customer","custodian","customs-broker","data-controller","data-processor","data-recipient","data-subject","delegate","developer","distributor","end-user","engineer","exporter","freight-forwarder","holder","importer","insider-threat","inspector","insurer","integrator","issuer","key-escrow-agent","legal-contact","licensee","licensor","maintainer","manufacturer","operator","owner","packager","partner","principal","publisher","purchaser","quality-control","regulator","relying-party","repackager","researcher","reviewer","security-contact","signatory","steward","subject","supplier","support-contact","third-party-logistics","timestamp-authority","validation-authority","verifier","warehouse-operator"],"meta:enum":{"agent":"Software or AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.","assembler":"The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.","asserter":"The party making assertions about the subject, such as patent ownership or compliance claims.","attacker":"A hostile party targeting the subject.","auditor":"The party that conducted an audit or assessment of the subject.","author":"The party that created the subject. 
Common when the subject is created through manual processes.","broker":"The party that acts as an intermediary in commercial transactions.","carrier":"The party that physically transports goods, such as shipping lines, airlines, or trucking companies.","certificate-authority":"The party that issues, signs, and manages digital certificates within a public key infrastructure.","committer":"The party who committed or pushed changes to a version control system.","competitor":"A competing party in the same market or domain as the subject's organization.","consignee":"The party designated to receive a shipment of goods.","consignor":"The party that sends or ships goods to a consignee.","contributor":"A party that contributed to the development of the subject without being the primary author.","customer":"Customer of the organization that owns the subject.","custodian":"The party responsible for the safe custody, transport, and storage of the subject.","customs-broker":"The party that facilitates the clearance of goods through customs barriers.","data-controller":"The party that determines the purposes and means of processing personal data.","data-processor":"The party that processes personal data on behalf of a data controller.","data-recipient":"The party to which personal data is disclosed.","data-subject":"The natural person whose personal data is processed.","delegate":"A party exercising authority on behalf of another party identified via relations.delegatedBy.","developer":"Software developer or platform engineer.","distributor":"The party that distributes the subject to downstream consumers or customers.","end-user":"The end user of a system, service, or product.","engineer":"Engineer responsible for designing, implementing, or operating a system.","exporter":"The party that sends goods to another country for trade or sale.","freight-forwarder":"The party that arranges the shipment and logistics of goods on behalf of shippers.","holder":"The party that holds a 
verifiable credential, claim, or asset.","importer":"The party that brings goods into a country from abroad for trade or sale.","insider-threat":"A hostile or negligent party with legitimate access.","inspector":"The party that inspects goods for quality, safety, or regulatory compliance.","insurer":"The party that provides insurance coverage.","integrator":"The party that integrates the subject into a larger system or product.","issuer":"The party that issues a credential, claim, identifier, or asset.","key-escrow-agent":"The party that holds copies of cryptographic keys in escrow.","legal-contact":"The designated party to contact for legal matters.","licensee":"The party to which a license for the subject has been granted.","licensor":"The party that grants a license for the subject.","maintainer":"The party responsible for ongoing maintenance, including updates, patches, and security fixes.","manufacturer":"The party that manufactured or produced the subject. Common when the subject is produced through automated processes.","operator":"The party responsible for operating or running the subject in a production environment.","owner":"The party that holds ownership rights over the subject.","packager":"The party that packages goods for storage, shipment, or retail sale.","partner":"Business partner with a defined relationship.","principal":"The party on whose behalf another party acts, paired with delegate.","publisher":"The party that published the subject, making it available for consumption.","purchaser":"The party that purchased the subject or a license for its use.","quality-control":"The party responsible for quality control activities, including inspection, testing, and verification.","regulator":"Government or industry regulator with administrative authority over the subject.","relying-party":"The party that relies on credentials, claims, or attestations issued by another party.","repackager":"The party that repackages the subject, potentially combining it 
with other components.","researcher":"Security researcher, bug bounty hunter, or academic conducting authorized study.","reviewer":"The party that reviewed the subject or its associated evidence.","security-contact":"The designated party to contact in the event of a security incident.","signatory":"The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.","steward":"The party responsible for the content, context, and associated business rules of the subject.","subject":"The party to whom an issued credential, claim, or identifier is bound.","supplier":"The party that supplied the subject. The supplier may often be the manufacturer, but may also be a distributor or repackager.","support-contact":"The designated party to contact for technical support.","third-party-logistics":"The party that provides outsourced logistics services.","timestamp-authority":"The party that issues trusted timestamps.","validation-authority":"The party that provides certificate validation services.","verifier":"The party that verifies credentials, claims, or attestations.","warehouse-operator":"The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre."}},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.","examples":[1,2,3]}}},"organization":{"type":"object","title":"Organization Identity","description":"Identity attributes for a party that is an organization, company, government body, or other collective.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The common display or trading name of the organization. 
Use when the registered legal name is unknown or when the everyday name differs from the legal one.","examples":["Acme","Globex"]},"legalName":{"type":"string","title":"Legal Name","description":"The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.","examples":["Acme Microcontrollers S.r.l.","Acme Holdings, Inc."]},"description":{"type":"string","title":"Description","description":"A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level."},"logo":{"type":"string","format":"iri-reference","title":"Logo","description":"URL to an image representing the organization. Useful for catalog, datasheet, and user interface views."},"foundingDate":{"type":"string","format":"date","title":"Founding Date","description":"The date the organization was founded. Supports supplier due diligence and age-of-organization signals."},"dissolutionDate":{"type":"string","format":"date","title":"Dissolution Date","description":"The date the organization was dissolved or wound down. When present, the organization is no longer active."},"jurisdiction":{"type":"string","title":"Jurisdiction","description":"Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.","examples":["US-DE","IT-BO","CHE"]},"identifiers":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Identifiers issued to or associated with the organization. May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities."},"formerNames":{"type":"array","items":{"type":"string"},"title":"Former Names","description":"Prior names of the organization. Use when the entity has been renamed, merged, or acquired. 
Distinct from `aliases`, which captures concurrent alternate designations.","examples":[["Atmel Corporation"]]},"aliases":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Aliases","description":"Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.","examples":[["Fancy Bear","STRONTIUM","Sofacy","Sednit","Pawn Storm"]]},"url":{"type":"array","title":"URLs","description":"URLs associated with the organization. Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.","examples":["homepage","support","press","status","repository"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress"},"title":"Addresses","description":"Physical addresses associated with the organization."}}},"person":{"type":"object","title":"Person Identity","description":"Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.","additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The person's full name as they wish to be known. A single freeform string. 
No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.","examples":["Ada Lovelace","Suharto","Maria del Carmen García López","Nguyá»…n Văn An"]},"sortName":{"type":"string","title":"Sort Name","description":"Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.","examples":["Lovelace, Ada","García López, Maria del Carmen"]},"honorificPrefix":{"type":"string","title":"Honorific Prefix","description":"Honorific or title preceding the name, used in forms of address. Distinct from the name itself.","examples":["Dr.","Prof."]},"honorificSuffix":{"type":"string","title":"Honorific Suffix","description":"Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.","examples":["PhD","Esq."]},"jobTitle":{"type":"string","title":"Job Title","description":"The person's job title. Useful for credit lines and attribution.","examples":["Chief Information Security Officer","Data Protection Officer","Senior Software Engineer"]},"description":{"type":"string","title":"Description","description":"A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level."},"email":{"type":"array","title":"Email","description":"Email addresses associated with the person. 
Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.","items":{"type":"object","required":["address"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the email, such as `work`, `personal`, `support`, or `security`.","examples":["work","personal","support","security"]},"address":{"type":"string","format":"idn-email","title":"Address"}}}},"phone":{"type":"array","title":"Phone","description":"Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. Numbers should be expressed in E.164 form where possible.","items":{"type":"object","required":["number"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.","examples":["office","mobile","fax","pager"]},"number":{"type":"string","title":"Number","examples":["+1-555-0100","+44 20 7946 0958"]}}}},"url":{"type":"array","title":"URLs","description":"URLs associated with the person. 
Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.","examples":["homepage","github","linkedin","orcid"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"address":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress","title":"Address"},"affiliation":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Affiliation","description":"Reference using bom-link or bom-ref to an organization party with which the person is affiliated."}}},"system":{"type":"object","title":"System Identity","description":"Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.","additionalProperties":false,"properties":{"kind":{"title":"Kind","description":"The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Kind","type":"string","enum":["software-system","hardware-system","service-account","machine-identity","automation","agent","bot","oracle","smart-contract","device","robot"],"meta:enum":{"software-system":"Application, service, or platform that performs actions as itself.","hardware-system":"Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.","service-account":"Non-human identity used by automation to authenticate.","machine-identity":"Cryptographic identity such as a certificate principal or workload identity.","automation":"Pipeline, job, or scheduled task that performs actions deterministically.","agent":"Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.","bot":"Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.","oracle":"External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.","smart-contract":"On-chain program that executes deterministically.","device":"Physical end user device such as a phone or IoT device acting as a party in its own right.","robot":"Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`."}},{"title":"Custom Kind","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom kind."},"description":{"type":"string","title":"Description","description":"A description of the custom kind."}}}]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference to any bom-ref'd object that represents this system. The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). 
Use to associate the party with its concrete representation declared elsewhere."},"identifiers":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial."},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities or duties the system possesses."}}},"persona":{"type":"object","title":"Persona Identity","description":"Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. When the specific instance is known (for example a tracked APT group), use `organization` instead.","additionalProperties":false,"properties":{"description":{"type":"string","title":"Description","description":"Free-text description of the persona instance. Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.","examples":["Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review."]},"archetype":{"title":"Archetype","description":"The persona archetype. 
May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Archetype","type":"string","enum":["end-user","power-user","administrator","developer","operator","internal","external","anonymous","guest","customer","partner","supplier","vendor","contractor","third-party","auditor","researcher","regulator","law-enforcement","attacker","insider-threat","hacktivist","nation-state","organized-crime","competitor","public"],"meta:enum":{"end-user":"Typical end user of the system.","power-user":"Advanced user with higher than average privileges.","administrator":"Administrative or privileged user.","developer":"Application developer or platform engineer.","operator":"Operational staff running the system.","internal":"Generic internal party.","external":"Generic external party without an account or operational relationship.","anonymous":"Unauthenticated visitor interacting with the system.","guest":"Semi-authenticated user with restricted privileges.","customer":"Customer of the organization that owns the subject.","partner":"Business partner with a defined relationship.","supplier":"Generic supplier providing goods or services on a transactional basis.","vendor":"Vendor delivering and operating goods or services with operational access to the subject.","contractor":"Third party with operational access under contract.","third-party":"Generic third party that does not fit partner, supplier, vendor, or contractor.","auditor":"External auditor or assessor.","researcher":"Security researcher, bug bounty hunter, or academic. 
Authorized probing party.","regulator":"Government or industry regulator with administrative authority over the subject.","law-enforcement":"Law enforcement entity with investigative authority.","attacker":"Generic hostile external party.","insider-threat":"Hostile or negligent party with legitimate access.","hacktivist":"Hostile party motivated by ideology or activism.","nation-state":"Hostile party sponsored or directed by a national government.","organized-crime":"Hostile party operating as part of an organized criminal enterprise.","competitor":"Generic competitor.","public":"General public not in direct interaction with the subject."}},{"title":"Custom Archetype","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"}}}]},"scope":{"type":"string","title":"Scope","enum":["internal","external","mixed"],"meta:enum":{"internal":"Persona is internal to the organization that owns the subject.","external":"Persona is external to the organization that owns the subject.","mixed":"Persona may appear in either internal or external contexts."}},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities the persona is assumed to hold."},"assumedPosture":{"type":"string","title":"Assumed Security Posture","description":"Assumed security posture of the persona in this context.","examples":["authenticated","unauthenticated","authorized","privileged"]}}},"partyRelations":{"type":"object","title":"Party Relations","description":"Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.","additionalProperties":false,"properties":{"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent","description":"Reference to a parent party. 
Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships."},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Delegated By","description":"Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role."}}},"identifier":{"type":"object","title":"Identifier","description":"An identifier issued by a recognized authority. Includes legal and registration identifiers as well as machine and workload identities.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"title":"Scheme","description":"The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.","oneOf":[{"title":"Pre-Defined Scheme","type":"string","enum":["lei","duns","ncage","cage","eori","vat","gst","ein","tin","ruc","bvd","swift-bic","sec-cik","isin","figi","opencorporates","gln","gtin","iso6523","ofac-sdn","un-lm","oidc-sub","spiffe","did","vc-id"],"meta:enum":{"lei":"Legal Entity Identifier per ISO 17442.","duns":"Dun and Bradstreet D-U-N-S Number.","ncage":"NATO Commercial and Government Entity code.","cage":"United States Commercial and Government Entity code.","eori":"Economic Operator Registration and Identification number used in European Union customs.","vat":"Value Added Tax registration number.","gst":"Goods and Services Tax registration number.","ein":"United States Employer Identification Number.","tin":"Generic Taxpayer Identification Number.","ruc":"Registro Unico de Contribuyentes used in several Latin American countries.","bvd":"Bureau van Dijk identifier.","swift-bic":"Business Identifier Code per ISO 9362.","sec-cik":"United States Securities and Exchange Commission 
Central Index Key.","isin":"International Securities Identification Number per ISO 6166.","figi":"Financial Instrument Global Identifier.","opencorporates":"OpenCorporates company identifier.","gln":"GS1 Global Location Number.","gtin":"GS1 Global Trade Item Number when the party is also a registered trade entity.","iso6523":"ISO 6523 organization identifier. The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.","ofac-sdn":"United States Office of Foreign Assets Control Specially Designated Nationals list identifier.","un-lm":"United Nations Locode for a specific facility or jurisdiction.","oidc-sub":"OpenID Connect subject identifier for a machine or service identity.","spiffe":"SPIFFE ID for a workload identity.","did":"W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.","vc-id":"W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/."}},{"title":"Custom Scheme","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"},"url":{"type":"string","format":"iri-reference","title":"URL","description":"URL of the scheme registry or specification."}}}]},"schemeVersion":{"type":"string","title":"Scheme Version","description":"The version of the scheme that issued this identifier, if applicable."},"value":{"type":"string","title":"Value","description":"The value of the identifier."},"issuedDate":{"type":"string","format":"date","title":"Issued Date"},"expirationDate":{"type":"string","format":"date","title":"Expiration Date"},"issuer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Issuer","description":"Reference using bom-link or bom-ref to the party that issued the 
identifier."}}},"postalAddress":{"type":"object","title":"Postal Address","description":"An address used to identify a contactable or operational location.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference Identifier","description":"An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers."},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative."},"region":{"type":"string","title":"Region","description":"The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.","examples":["Texas"]},"isoCode":{"type":"string","pattern":"^[A-Z]{2}(-[A-Z0-9]{1,3})?$","title":"ISO Code","description":"An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. When present, this property is authoritative over the free-text country and region properties.","examples":["IT-BO","US-CA","DE-BY"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. 
Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.","examples":["100 Main Street","Acme Tower\nSuite 1200\n100 Main Street"]},"coordinates":{"type":"object","title":"Geographic Coordinates","description":"Geographic coordinates of the address.","additionalProperties":false,"required":["latitude","longitude"],"properties":{"latitude":{"type":"number","minimum":-90,"maximum":90,"title":"Latitude","description":"Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"longitude":{"type":"number","minimum":-180,"maximum":180,"title":"Longitude","description":"Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"altitude":{"type":"number","title":"Altitude","description":"Altitude in meters above the reference ellipsoid identified by the datum property."},"datum":{"type":"string","title":"Datum","description":"The geodetic datum used for the coordinates. WGS84 is assumed when omitted.","default":"WGS84","examples":["WGS84","NAD83","ETRS89"]}}}}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-perspective-2.0":{"type":"null","title":"CycloneDX Perspective Model","$defs":{"perspectives":{"type":"array","title":"Perspectives","description":"Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. Each perspective identifies relevant data types and may provide domain-specific terminology mappings.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspective"}},"perspective":{"type":"object","title":"Perspective","description":"A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. 
Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.","additionalProperties":false,"required":["name","mappings"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Perspective Name","description":"The name of the perspective, typically indicating the target audience or domain.","examples":["AI/ML Transparency","Device Manufacturing Regulatory Compliance","Minimum Elements of an SBOM"]},"description":{"type":"string","title":"Description","description":"A description of the perspective, its intended audience, and the use cases it supports."},"domains":{"type":"array","title":"Domains","description":"The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice"}},"mappings":{"type":"array","title":"Data Type Mappings","description":"An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. Each mapping may include domain-specific terminology.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"perspectiveMapping":{"type":"object","title":"Perspective Mapping","description":"Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. 
Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"Path Expression","description":"A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.","examples":["$.components[*].pedigree","$.components[?(@.type=='machine-learning-model')].modelCard","$.components[?(@.type=='cryptographic-asset')]","$.vulnerabilities"]},"nativeName":{"type":"string","title":"Native Name","description":"The domain-specific term used by the target audience to describe the data identified by the expression.","examples":["Foundation Models","Training Corpus","Cryptographic Inventory","Component Provenance"]},"nativeDescription":{"type":"string","title":"Native Description","description":"A domain-specific description of the data type, explaining its significance within the context of the perspective."},"relevance":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance"},"weight":{"type":"number","title":"Weight","description":"Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. 
This allows for relative ranking of mappings, where higher values indicate greater importance.","minimum":0,"maximum":1},"rationale":{"type":"string","title":"Rationale","description":"Explains why this data type is relevant to the perspective and how it should be interpreted or used."}}},"perspectiveRelevance":{"type":"string","title":"Perspective Relevance","description":"Indicates the importance of a data type to a perspective.","enum":["required","recommended","optional","informative"],"meta:enum":{"required":"This data type is essential for the perspective and should always be present.","recommended":"This data type is highly relevant and should be included when available.","optional":"This data type provides supplementary information that may be useful.","informative":"This data type provides background context but is not directly actionable."}},"perspectiveDomainChoice":{"title":"Perspective Domain Choice","description":"Allows selection of a pre-defined domain or specification of a custom domain.","oneOf":[{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain"},{"type":"object","title":"Custom Domain","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Domain Name","description":"The name of the custom domain."},"description":{"type":"string","title":"Domain Description","description":"A description of the custom domain, its scope, and the concerns it addresses."}}}]},"preDefinedPerspectiveDomain":{"type":"string","title":"Pre-Defined Perspective Domain","description":"A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.","enum":["application-security","cloud-security","container-security","cryptographic-security","cyber-security","data-security","endpoint-security","firmware-security","hardware-security","identity-access-management","network-security","operational-security","physical-security","supply-chain-security","web-security","automotive-safety","aviation-safety","environmental-safety","functional-safety","machinery-safety","maritime-safety","nuclear-safety","patient-safety","process-safety","railway-safety","aerospace-defense","automotive","building-automation","consumer-electronics","critical-infrastructure","education","energy-utilities","financial-services","government","healthcare","insurance","legal","manufacturing","media-entertainment","pharmaceuticals","retail","telecommunications","transportation","artificial-intelligence","edge-computing","embedded-systems","industrial-control-systems","industrial-iot","internet-of-things","machine-learning","medical-devices","mobile","operational-technology","robotics","scada","smart-grid","data-protection","export-control","intellectual-property","legal-compliance","licensing","privacy","regulatory-compliance","maintainability","performance","quality-assurance","reliability","testability","incident-response","penetration-testing","red-team","risk-management","threat-intelligence","threat-modeling","vulnerability-management","accessibility","ethics","human-factors","interoperability","resilience","sustainability","transparency"],"meta:enum":{"application-security":"Security concerns related to software applications, including vulnerabilities, secure coding practices, input validation, and dependency management.","cloud-security":"Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility 
models.","container-security":"Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.","cryptographic-security":"Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.","cyber-security":"Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.","data-security":"Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.","endpoint-security":"Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.","firmware-security":"Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.","hardware-security":"Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.","identity-access-management":"Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.","network-security":"Security concerns related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.","operational-security":"Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.","physical-security":"Security concerns related to physical access controls, environmental protections, surveillance, and tamper evidence.","supply-chain-security":"Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.","web-security":"Security concerns specific to 
web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.","automotive-safety":"Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.","aviation-safety":"Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.","environmental-safety":"Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.","functional-safety":"Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.","machinery-safety":"Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.","maritime-safety":"Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.","nuclear-safety":"Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.","patient-safety":"Safety concerns for medical devices and healthcare systems focusing on preventing harm to patients, including adverse event prevention and clinical risk management.","process-safety":"Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.","railway-safety":"Safety concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.","aerospace-defense":"Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.","automotive":"Industry-specific concerns for 
automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.","building-automation":"Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.","consumer-electronics":"Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.","critical-infrastructure":"Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.","education":"Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.","energy-utilities":"Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.","financial-services":"Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.","government":"Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.","healthcare":"Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and healthcare interoperability.","insurance":"Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.","legal":"Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.","manufacturing":"Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.","media-entertainment":"Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.","pharmaceuticals":"Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and 
drug safety systems.","retail":"Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.","telecommunications":"Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.","transportation":"Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.","artificial-intelligence":"Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.","edge-computing":"Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.","embedded-systems":"Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.","industrial-control-systems":"Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.","industrial-iot":"Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.","internet-of-things":"Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.","machine-learning":"Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.","medical-devices":"Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.","mobile":"Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.","operational-technology":"Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system 
integration.","robotics":"Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.","scada":"Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.","smart-grid":"Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.","data-protection":"Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.","export-control":"Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.","intellectual-property":"Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.","legal-compliance":"Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.","licensing":"Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.","privacy":"Concerns related to personal data protection, privacy by design, consent management, and individual rights.","regulatory-compliance":"Concerns related to compliance with industry-specific regulations, standards, and certification requirements.","maintainability":"Concerns related to the ease of maintaining, updating, and supporting software and systems over their lifecycle.","performance":"Concerns related to system performance, scalability, response times, and resource utilisation.","quality-assurance":"Concerns related to testing, validation, verification, and overall quality metrics and processes.","reliability":"Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.","testability":"Concerns related to the ability to test components and systems, including test coverage, test 
automation, and test data management.","incident-response":"Concerns related to detecting, responding to, and recovering from security incidents and breaches.","penetration-testing":"Concerns related to authorised security testing, vulnerability assessment, and security validation activities.","red-team":"Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.","risk-management":"Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.","threat-intelligence":"Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.","threat-modeling":"Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.","vulnerability-management":"Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.","accessibility":"Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.","ethics":"Concerns related to ethical considerations in technology development, including algorithmic fairness and responsible innovation.","human-factors":"Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.","interoperability":"Concerns related to the ability of systems to exchange and use information effectively across boundaries.","resilience":"Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.","sustainability":"Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.","transparency":"Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition."}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release 
notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. 
Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link 
Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. 
This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). 
CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. 
Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings. Consumers should consider ratings in prioritization decisions; source ratings may differ and aid prioritization.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"threats":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threats"},"risks":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risks"},"controls":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/controls"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"profiles":{"$ref":"#/$defs/cyclonedx-profile-2.0/$defs/profiles"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","$defs":{"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"graphs":{"type":"array","title":"Graphs","description":"Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the 
two.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorGraph"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References using bom-link or bom-ref to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targets":{"type":"array","title":"Targets","description":"References using bom-link or bom-ref to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not 
known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution semantics for the nodes of a graph when transitions do not fully specify the order.","enum":["sequential","unordered","parallel"],"meta:enum":{"sequential":"Nodes execute in ordinal order. Each completes before the next begins.","unordered":"All nodes execute, but the order is not guaranteed.","parallel":"Nodes may execute concurrently."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviorGraph":{"type":"object","title":"Behavior Graph","description":"A graph of nodes joined by transitions that models behaviour over time. 
A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.","additionalProperties":false,"required":["bom-ref","nodes"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the graph."},"description":{"type":"string","title":"Description","description":"A description of the graph and the behaviour it models."},"kind":{"type":"string","title":"Kind","description":"An optional hint at the intent of the graph.","enum":["activity","state-machine","mixed"],"meta:enum":{"activity":"The graph models a process or activity flow whose nodes are activities.","state-machine":"The graph models a state machine whose nodes are states.","mixed":"The graph mixes activity and state nodes."}},"subject":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Subject","description":"Reference using bom-link or bom-ref to the object whose behaviour this graph describes."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"nodes":{"type":"array","title":"Nodes","description":"The nodes of the graph.","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorNode"}},"transitions":{"type":"array","title":"Transitions","description":"The transitions between nodes. 
Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/transition"}}},"allOf":[{"if":{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},"then":{"properties":{"nodes":{"items":{"required":["ordinal"]}}}}}]},"behaviorNode":{"type":"object","title":"Behavior Node","description":"A single node in a behavior graph. The kind determines what the node represents and which additional properties apply.","additionalProperties":false,"required":["bom-ref","kind"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"kind":{"type":"string","title":"Kind","description":"The kind of node.","enum":["activity","state","event","gateway","initial","final"],"meta:enum":{"activity":"An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.","state":"A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.","event":"An intermediate event that occurs during the graph.","gateway":"A branch or merge point whose outgoing transitions carry the guards.","initial":"The starting point of the graph or of a composite node.","final":"A completion point of the graph or of a composite node."}},"name":{"type":"string","title":"Name","description":"The name of the node."},"description":{"type":"string","title":"Description","description":"A description of the node."},"ordinal":{"type":"integer","title":"Ordinal","minimum":1,"description":"Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order."},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"For an activity node, the behavior performed, drawn from the taxonomy. 
Mutually exclusive with 'ref' and 'graph'."},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'."},"graph":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Graph Reference","description":"A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region."},"actors":{"type":"array","title":"Actors","description":"References using bom-link or bom-ref to objects that perform this node.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targets":{"type":"array","title":"Targets","description":"References using bom-link or bom-ref to objects affected by this node.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"eventType":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger","title":"Event Type","description":"For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven."},"gatewayKind":{"type":"string","title":"Gateway Kind","description":"For a gateway node, the branching semantics applied across its outgoing transitions.","enum":["exclusive","inclusive","parallel","complex"],"meta:enum":{"exclusive":"Exactly one outgoing transition is taken, the first whose guard holds.","inclusive":"Every outgoing transition whose guard holds is taken.","parallel":"All outgoing transitions are taken concurrently, forking and later joining execution.","complex":"Branch selection follows a complex condition described in the transition guards."}},"onEntry":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"On Entry","description":"For a state node, a reference to a behavior instance performed when the state is 
entered."},"onExit":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"On Exit","description":"For a state node, a reference to a behavior instance performed when the state is exited."},"doActivity":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Do Activity","description":"For a state node, a reference to a behavior instance performed while the subject remains in the state."}},"allOf":[{"if":{"properties":{"kind":{"const":"activity"}},"required":["kind"]},"then":{"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["graph"]}]}}]},"transition":{"type":"object","title":"Transition","description":"A directed edge from one node to another. In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.","additionalProperties":false,"required":["source","target"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the transition."},"description":{"type":"string","title":"Description","description":"A description of the transition."},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Source","description":"Reference to the source node."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Target","description":"Reference to the target node."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"guard":{"type":"string","title":"Guard","description":"A guard condition; the transition fires only when it evaluates to true."},"default":{"type":"boolean","title":"Default","description":"Whether this transition is taken when no other guard from the same source node holds."},"effect":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Effect","description":"Reference to a behavior instance performed when the transition fires."}}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint 
Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."},"blueprint":{"type":"object","title":"Blueprint","description":"A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.","required":["name","modelTypes"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.","minLength":1},"description":{"type":"string","title":"Description","description":"A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented.","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model."},"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description 
of data stores used in the model."},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and sensitivity."},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics."},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones."},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets."},"relationships":{"type":"array","title":"Relationships","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationship"},"description":"Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets."},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process."},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model."},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Use Case Reference","description":"A reference to a use case object defined in 
definitions."},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case."},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case."},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."}}},"description":"Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"title":"Model Type","description":"The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.","oneOf":[{"type":"string","title":"Predefined Model Type","description":"A predefined model type from the enumeration.","enum":["architecture","behavioral","conceptual","data-flow","deployment","logical","network","operational","physical","process"],"meta:enum":{"architecture":"An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. Broader than a single view, it frames the overall design.","behavioral":"A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.","conceptual":"A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. The first level of the conceptual, logical, and physical progression.","data-flow":"A data flow model showing how data moves between processes, data stores, and external entities. This is the substrate most commonly used for STRIDE per-element threat analysis.","deployment":"A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.","logical":"A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. 
The middle level of the conceptual, logical, and physical progression.","network":"A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.","operational":"An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.","physical":"A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.","process":"A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out."}},{"type":"object","title":"Custom Model Type","description":"A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom model type."},"description":{"type":"string","title":"Description","description":"A description of the custom model type."}}}]},"metadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated."},"authors":{"type":"array","title":"Authors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. 
The party's `roles` should include `author`."},"reviewer":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party that reviewed the blueprint. The party's `roles` should include `reviewer`."},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the blueprint was reviewed."},"approver":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority."},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the blueprint was approved."},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid."},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires."},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)."}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the 
scope."},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model."},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model."},"includedComponents":{"type":"array","title":"Included Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to components explicitly included."},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to components explicitly excluded."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset."},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the component this asset represents."},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the service this asset represents."},"partyRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor."},"type":{"title":"Asset Type","description":"The kind of asset. 
Use the custom option for kinds not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","data-store","device","endpoint","function","gateway","infrastructure","interface","model","module","network","process","queue","resource","service","stream","subsystem","system","tool"],"meta:enum":{"actor":"An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.","agent":"Autonomous AI or software agent.","api":"API endpoint or interface.","broker":"Message broker or event bus infrastructure.","cache":"Caching layer or in-memory data store.","component":"Software component or application.","container":"Container or orchestration unit.","data":"Dataset.","data-store":"Database, file system, or data repository.","device":"Physical or IoT device.","endpoint":"Service endpoint or URL.","function":"Serverless function or lambda.","gateway":"API gateway, load balancer, or proxy.","infrastructure":"Infrastructure component.","interface":"System interface or contract.","model":"AI or machine learning model.","module":"Software module or package.","network":"Network segment or resource.","process":"Business or system process.","queue":"Message queue or task queue.","resource":"Generic resource or artifact.","service":"Service or microservice.","stream":"Data stream or event stream.","subsystem":"Part of a larger system.","system":"Complete system or application.","tool":"A tool or capability invoked by an agent, such as a function, API, or service exposed to an AI agent."}},{"type":"object","title":"Custom Asset Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom asset 
type."},"description":{"type":"string","title":"Description","description":"A description of the custom asset type."}}}]},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset."},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the zone containing this asset."},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset."},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset."},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models 
supported/required."},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Party Reference Asset","description":"An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.","required":["bom-ref","partyRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store."},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store."},"type":{"title":"Type","description":"The type of data store. 
Use the custom option for technologies not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Data Store Type","enum":["block","blockchain","cache","column-family","data-lake","data-warehouse","document","event-log","file","graph","hierarchical","in-memory","key-value","ledger","message-queue","multi-model","object","registry","relational","search","spatial","time-series","vector"],"meta:enum":{"block":"Block storage exposing raw volumes.","blockchain":"Distributed ledger or blockchain storage.","cache":"Caching tier.","column-family":"Wide-column or column-family store.","data-lake":"Data lake or lakehouse for raw and semi-structured data.","data-warehouse":"Analytical data warehouse optimised for OLAP workloads.","document":"Document database.","event-log":"Event log or append-only streaming store.","file":"File system or network-attached storage.","graph":"Graph database.","hierarchical":"Hierarchical or tree-structured database, such as a directory store.","in-memory":"In-memory data store used as a primary store.","key-value":"Key-value store.","ledger":"Immutable, append-only ledger database.","message-queue":"Message queue or broker with persistent storage.","multi-model":"A store supporting multiple data models.","object":"Object storage.","registry":"Configuration or service registry.","relational":"Relational database.","search":"Search index or full-text search engine.","spatial":"Spatial or geospatial database.","time-series":"Time-series database.","vector":"Vector database for embeddings and similarity search."}},{"type":"object","title":"Custom Data Store Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom data store type."},"description":{"type":"string","title":"Description","description":"A description of the custom data store type."}}}]},"vendor":{"type":"string","title":"Vendor","description":"The vendor or 
publisher of the data store product."},"product":{"type":"string","title":"Product","description":"The name of the data store product."},"version":{"type":"string","title":"Version","description":"The version of the data store product."},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the zone where the asset resides."},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location."},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services."},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to data sets stored here."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset."},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists."},"dataProfiles":{"type":"array","title":"Data Profiles","description":"Data profiles that govern the dataset. 
Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice"}},"dataObjects":{"type":"array","title":"Data Objects","description":"The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataObject"}},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records."},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required."},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the store holding this dataset."},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this location."},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement."},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a 
replica."}}},"description":"Where the dataset resides."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface."},"type":{"title":"Type","description":"The type of interface. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Interface Type","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"]},{"type":"object","title":"Custom Interface Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom interface type."},"description":{"type":"string","title":"Description","description":"A description of the custom interface type."}}}]},"description":{"type":"string","description":"Description of the interface."},"specification":{"type":"string","description":"Link or reference to interface specification."},"protocol":{"type":"string","description":"Communication protocol used."},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)."},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed."}}},"zone":{"type":"object","title":"Zone","description":"A grouping of assets that share a common characteristic, security posture, or administrative control, so they can be reasoned about as a unit. 
A zone may be logical, physical, network, trust, or another kind, may nest within a parent zone, and is connected to or separated from other zones by boundaries.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone."},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics."},"type":{"title":"Type","description":"The type of zone. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Zone Type","enum":["availability","compliance","data","deployment","functional","geographic","logical","network","organizational","physical","process","tenant","trust"],"meta:enum":{"availability":"An availability or fault-isolation zone, such as a cloud availability zone, used to bound the blast radius of failures and reason about redundancy and resilience.","compliance":"A compliance scope zone whose assets fall under a specific regulatory regime, such as PCI DSS, HIPAA, or FedRAMP, delineating what is in scope and the controls applied.","data":"A data classification zone grouping assets by the sensitivity of the data they hold or process, such as public, internal, confidential, or restricted.","deployment":"A deployment environment grouping assets by lifecycle stage, such as development, staging, or production.","functional":"A functional grouping of assets that serve a common purpose or capability, independent of where or how they are deployed.","geographic":"A geographic or data-residency zone bounding assets to a region, country, or jurisdiction, used to reason about sovereignty and cross-border data flows.","logical":"A logical grouping of assets defined by architecture or design rather than physical placement.","network":"A network segmentation zone, such as a subnet, VLAN, or security group, 
within which assets share network-level reachability and controls.","organizational":"An organizational or administrative zone grouping assets under a common owner, team, or authority.","physical":"A physical zone bounding assets to a tangible location, such as a data centre, building, or device enclosure.","process":"A process or execution isolation zone, such as a sandbox, container runtime, or trusted execution environment, within which code runs with a defined level of isolation.","tenant":"A tenancy isolation zone separating the assets and data of one tenant from another in a multi-tenant system.","trust":"A security trust zone whose assets share a common level of trust, so that movement between trust zones is where authentication, authorization, and validation are enforced."}},{"type":"object","title":"Custom Zone Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom zone type."},"description":{"type":"string","title":"Description","description":"A description of the custom zone type."}}}]},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the parent zone if this is a sub-zone."},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone."},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. 
The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary."},"type":{"title":"Type","description":"The type of boundary. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Boundary Type","enum":["data","functional","network","organizational","physical","process","trust"],"meta:enum":{"data":"A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.","functional":"A functional boundary between areas of differing responsibility or capability.","network":"A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.","organizational":"An organizational or administrative boundary between assets under different ownership or authority.","physical":"A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.","process":"A process or execution boundary between isolation contexts, such as between a sandbox and its host.","trust":"A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input validation are enforced and a key trigger for threat analysis."}},{"type":"object","title":"Custom Boundary Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom boundary type."},"description":{"type":"string","title":"Description","description":"A description of the custom boundary 
type."}}}]},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the zones this boundary connects or separates."},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"sessionManagement":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/sessionManagement"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary."},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary."},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary."},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged."},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored."},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting 
policy."},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing."}}},"sessionManagement":{"type":"object","title":"Session Management","description":"The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.","additionalProperties":false,"properties":{"accessTokenExpires":{"type":"boolean","title":"Access Token Expires","description":"Whether access tokens issued for this boundary expire."},"accessTokenTtl":{"type":"integer","title":"Access Token Time To Live","minimum":0,"description":"Validity period of an access token, in seconds."},"refreshToken":{"type":"boolean","title":"Refresh Token","description":"Whether refresh tokens are issued for this boundary."},"refreshTokenExpires":{"type":"boolean","title":"Refresh Token Expires","description":"Whether refresh tokens expire."},"refreshTokenTtl":{"type":"integer","title":"Refresh Token Time To Live","minimum":0,"description":"Validity period of a refresh token, in seconds."},"idleTimeout":{"type":"integer","title":"Idle Timeout","minimum":0,"description":"Period of inactivity after which the session ends, in seconds."},"absoluteTimeout":{"type":"integer","title":"Absolute Timeout","minimum":0,"description":"Period after session creation after which the session ends regardless of activity, in seconds."},"userLogout":{"type":"boolean","title":"User Logout","description":"Whether a user can explicitly end the session."},"systemLogout":{"type":"boolean","title":"System Logout","description":"Whether the system can end the session without user action."}}},"relationship":{"type":"object","title":"Relationship","description":"A typed structural relationship from one element to one or more others, complementing the 
runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.","additionalProperties":false,"required":["ref"],"oneOf":[{"required":["aggregates"]},{"required":["associates"]},{"required":["composes"]},{"required":["contains"]},{"required":["dependsOn"]},{"required":["generalizes"]},{"required":["realizes"]},{"required":["serves"]},{"required":["custom"]}],"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to the subject element of the relationship."},"aggregates":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Aggregates","description":"The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole."},"associates":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Associates","description":"The subject has a general association with each target."},"composes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Composes","description":"The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole."},"contains":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Contains","description":"The subject contains or nests each target."},"dependsOn":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Depends On","description":"The subject depends on each target."},"generalizes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Generalizes","description":"The subject is a generalisation of each target, as in inheritance."},"realizes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Realizes","description":"The subject realises or implements each 
target."},"serves":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Serves","description":"The subject provides a service to each target."},"custom":{"type":"array","title":"Custom Relationships","description":"Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.","uniqueItems":true,"items":{"type":"object","title":"Custom Relationship","additionalProperties":false,"required":["type","targets"],"properties":{"type":{"type":"string","title":"Type","minLength":1,"description":"The name of the custom relationship kind."},"targets":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Targets","description":"The targets of the custom relationship."},"description":{"type":"string","title":"Description","description":"A description of the custom relationship kind."}}}}}},"relationshipTargets":{"type":"array","title":"Relationship Targets","description":"References using bom-link or bom-ref to the target elements of a relationship.","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow."},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and why."},"type":{"title":"Type","description":"The type of flow. 
Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Flow Type","enum":["control","data","energy","event","financial","message","physical","process","signal"],"meta:enum":{"control":"Control or command flow.","data":"Data or information flow.","energy":"Power or energy flow.","event":"Event or notification flow.","financial":"Financial, value, or payment flow.","message":"Message or communication flow.","physical":"Physical movement of goods or materials.","process":"Business process flow.","signal":"Hardware or system signal."}},{"type":"object","title":"Custom Flow Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom flow type."},"description":{"type":"string","title":"Description","description":"A description of the custom flow type."}}}]},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange."},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the destination of the flow. 
The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange."},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions."},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous."},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the data carried by this flow is encrypted in transit."},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow."},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)."},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this flow."},"dataProfiles":{"type":"array","title":"Data Profiles","description":"Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice"}},"dataObjects":{"type":"array","title":"Data Objects","description":"The specific data objects carried by this flow. 
Each object names a payload and may reference one of the flow's data profiles for its governing policy.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataObject"}},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow."},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering hint so flows can be assembled into sequence diagrams."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.","required":["bom-ref","party"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier."},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","title":"Party","description":"The party that this actor binds to the modelled system. 
May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document."},"description":{"type":"string","title":"Description","description":"A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint."},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Zone","description":"Reference using bom-link or bom-ref to the trust zone in which the actor operates."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies."},"topic":{"title":"Topic","description":"The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Assumption Topic","enum":["availability","business","compliance","operational","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities.","business":"Assumption about business requirements, constraints, or organizational context.","compliance":"Assumption about regulatory, legal, or policy compliance obligations.","operational":"Assumption about operational procedures, staffing, or maintenance practices.","performance":"Assumption about throughput, latency, capacity, or scalability characteristics.","security":"Assumption about threat landscape, trust boundaries, or security controls.","technical":"Assumption about technology choices, capabilities, or technical constraints."}},{"type":"object","title":"Custom Assumption Topic","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assumption topic."},"description":{"type":"string","title":"Description","description":"A description of the custom assumption topic."}}}]},"relatedAssets":{"type":"array","title":"Related Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes."},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable.","unknown":"The validity of the assumption has not yet been assessed.","unverified":"The assumption has been identified but not yet validated.","verified":"The assumption has been confirmed as true through 
validation."},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound."},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement."},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation."}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization."},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows."},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"attachment":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the 
diagram if stored externally."},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics.","high":"High-level view showing major components and relationships.","medium":"Intermediate view balancing breadth and depth.","overview":"Top-level summary providing a broad perspective of the system."},"description":"Level of detail in the visualization."},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to elements shown in this visualization."},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive."},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","attack-tree","block","class","code","communication","component","container","context","data-flow","deployment","entity","flowchart","matrix","mind-map","network","process","sequence","state","timing","use-case"],"meta:enum":{"activity":"Activity or workflow diagram.","architecture":"System architecture diagram.","attack-tree":"Attack tree diagram showing alternative paths to a goal.","block":"Block diagram, including SysML block definition and internal block diagrams.","class":"Class or object diagram.","code":"Code structure 
diagram.","communication":"Communication diagram, formerly known as the collaboration diagram.","component":"Component diagram.","container":"Container diagram, as in C4.","context":"Context diagram.","data-flow":"Data flow diagram, or DFD.","deployment":"Deployment or infrastructure diagram.","entity":"Entity relationship diagram.","flowchart":"Flowchart depicting steps or decision logic.","matrix":"Matrix diagram, such as a dependency structure or traceability matrix.","mind-map":"Mind map diagram for decomposition or brainstorming.","network":"Network topology diagram.","process":"Business process diagram.","sequence":"Sequence or interaction diagram.","state":"State machine diagram.","timing":"Timing diagram showing state changes over time.","use-case":"Use case diagram."}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type."},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type."}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories."},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search."}}},"ownership":{"type":"array","title":"Ownership","description":"Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). 
Multiple parties may share the same role; preference among them is expressed via `role.order`.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"authenticationType":{"title":"Authentication Type","description":"The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Authentication Type","description":"A predefined authentication method from the enumeration.","enum":["api-key","basic","bearer","biometric","certificate","digest","eap","fido2","form","hmac","jwt","kerberos","ldap","magic-link","mtls","none","ntlm","oauth1","oauth2","oidc","pin","psk","push","radius","saml","scram","session-cookie","ssh","totp"],"meta:enum":{"api-key":"API key authentication.","basic":"HTTP Basic authentication (RFC 7617), where the browser presents a native credential dialog and the username and password are sent on each request.","bearer":"Bearer token authentication.","biometric":"Biometric authentication, such as fingerprint or face recognition.","certificate":"Certificate-based authentication.","digest":"Digest authentication.","eap":"Extensible Authentication Protocol, commonly used with IEEE 802.1X.","fido2":"FIDO2 or WebAuthn passwordless authentication.","form":"Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.","hmac":"HMAC request signing using a shared secret key.","jwt":"JSON Web Token authentication.","kerberos":"Kerberos authentication.","ldap":"LDAP directory authentication.","magic-link":"Passwordless authentication using a single-use link.","mtls":"Mutual TLS authentication.","none":"No authentication required.","ntlm":"NTLM authentication.","oauth1":"OAuth 1.0 authentication.","oauth2":"OAuth 2.0 authentication.","oidc":"OpenID Connect 
authentication.","pin":"Personal identification number, a short secret used as a knowledge factor, such as a device or application unlock PIN.","psk":"Pre-shared key authentication.","push":"Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.","radius":"RADIUS authentication.","saml":"SAML authentication.","scram":"Salted Challenge Response Authentication Mechanism.","session-cookie":"Session authentication using a server-side session identified by a cookie.","ssh":"SSH key authentication.","totp":"Time-based one-time password authentication."}},{"type":"object","title":"Custom Authentication Type","description":"A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom authentication method."},"description":{"type":"string","title":"Description","description":"A description of the custom authentication method, including how identity is verified and any relevant constraints."}}}]},"authorizationType":{"title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Authorization Type","description":"A predefined authorization model from the enumeration.","enum":["abac","acl","capability","dac","mac","none","pbac","radac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control.","acl":"Access Control Lists.","capability":"Capability-Based Access Control.","dac":"Discretionary Access Control.","mac":"Mandatory Access Control.","none":"No authorization 
controls.","pbac":"Policy-Based Access Control.","radac":"Risk-Adaptive Access Control.","rbac":"Role-Based Access Control.","rebac":"Relationship-Based Access Control."}},{"type":"object","title":"Custom Authorization Type","description":"A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom authorization model."},"description":{"type":"string","title":"Description","description":"A description of the custom authorization model, including how access decisions are made and any relevant constraints."}}}]}}},"cyclonedx-business-objective-2.0":{"type":"null","title":"CycloneDX Business Objective Model","$defs":{"businessObjectives":{"type":"array","title":"Business Objectives","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjective"},"description":"A collection of reusable business objectives that other elements may reference."},"businessObjective":{"type":"object","title":"Business Objective","description":"A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. 
Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the business objective."},"description":{"type":"string","title":"Description","description":"A description of the business objective."},"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality","description":"The business criticality of the objective."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for this objective. May be an inline party object or a reference to a previously declared party."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON 
Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common 
Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm","title":"Hash Algorithm","description":"The standard, well-known algorithm used to compute the hash."},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue","title":"Hash Value","description":"The value of the hash computed using the standard, well-known algorithm."}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash 
value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. 
BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","perspective","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","swid-tag","other"],"meta:enum":{"vcs":"Version Control System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. 
This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential 
of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code 
(IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","perspective":"A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","swid-tag":"A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. 
Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). 
Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. 
This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signatures":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures","title":"Signatures","description":"Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"parties":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/parties"},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. 
The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"componentOrChoice":{"title":"Component or Component Choice","description":"An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. 
The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.","oneOf":[{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentChoice"}]},"componentChoice":{"type":"object","title":"Component Choice","description":"A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.","required":["type","operator","components"],"additionalProperties":false,"properties":{"type":{"type":"string","const":"component-choice","title":"Type","description":"Discriminator for a component-choice entry. The value shall be the literal string `component-choice`."},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.","examples":["2N2222 or PN2222A Transistor","U1 5V LDO Regulator"]},"description":{"type":"string","title":"Description","description":"A description of the choice and the rationale behind the alternates."},"operator":{"type":"string","enum":["OR","XOR","AND"],"meta:enum":{"OR":"Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.","XOR":"Exactly one of the contained components is installed in any single instance. 
Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.","AND":"All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun."},"title":"Operator","description":"The logical relationship between the contained components."},"components":{"type":"array","minItems":2,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"title":"Components","description":"Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal 
protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."},"accountInfo":{"type":"string","title":"Account Information","description":"The account or user information associated with the occurrence."},"systemOwner":{"type":"string","title":"System Owner","description":"The owner of the system where the component was found."},"startTime":{"type":"string","format":"date-time","title":"Start Time","description":"The date and time when the process detecting the occurrence started."},"endTime":{"type":"string","format":"date-time","title":"End Time","description":"The date and time when the process detecting the occurrence ended."},"usageCount":{"type":"integer","minimum":0,"title":"Usage Count","description":"The number of times the component occurred in the detecting process."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["scheme"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded Value","description":"The value of the scheme that has been concluded based on the aggregate of all methods (if 
available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}},"identifiers":{"type":"array","title":"Identifiers","description":"Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. For unverified or inferred identity data, use evidence.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identifier"},"uniqueItems":true},"identifier":{"type":"object","title":"Identifier","description":"A set of identifiers attributed to a single asserting party.","required":["party","identities"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"party":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Asserting Party","description":"Reference using bom-link or bom-ref to the party making the identity assertion."},"identities":{"type":"array","title":"Identities","description":"The discrete identity claims asserted by the party.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identity"},"minItems":1,"uniqueItems":true}}},"identity":{"type":"object","title":"Identity","description":"A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"value":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityValue"}}},"identityScheme":{"title":"Identifier Scheme","description":"The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.","oneOf":[{"type":"string","enum":["purl","cpe","swid","swhid","omniborid","epc-rfid","giai","gln","gmn","gtin-8","gtin-12","gtin-13","gtin-14","mpn","part-number","model-number","sku","serial-number","asset-tag","udi-di","udi-pi","fcc-id","imei","mac-address","tei"],"meta:enum":{"purl":"Package-URL identifier, conforming to the Package-URL specification.","cpe":"Common Platform Enumeration name, conforming to NIST Interagency Report 7695.","swid":"Software Identification tag identifier, conforming to ISO/IEC 19770-2.","swhid":"Software Heritage persistent identifier.","omniborid":"OmniBOR Artifact Identifier, also known as a gitoid.","epc-rfid":"Electronic Product Code - RFID (EPC Tag Data Standard)","giai":"Global Individual Asset Identifier (GIAI)","gln":"Global Location Number (GLN)","gmn":"Global Model Number (GMN)","gtin-8":"Global Trade Identification Number (GTIN-8 / EAN/UCC-8)","gtin-12":"Global Trade Identification Number (GTIN-12 / UPC-A)","gtin-13":"Global Trade Identification Number (GTIN-13 / EAN/UCC-13)","gtin-14":"Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)","mpn":"Manufacturer Part Number, assigned by the original manufacturer.","part-number":"Part number assigned by a distributor, integrator, or operator.","model-number":"Product model number assigned by the manufacturer.","sku":"Stock Keeping Unit, assigned by a seller or distributor.","serial-number":"Unique identifier for an individual instance of a product.","asset-tag":"Asset tag assigned by the owning or operating organization.","udi-di":"Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","udi-pi":"Unique Device Identifier, Production Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","fcc-id":"United States Federal Communications Commission equipment identifier.","imei":"International 
Mobile Equipment Identity, conforming to 3GPP TS 23.003.","mac-address":"IEEE 802 Media Access Control address.","tei":"Transparency Exchange Identifier conforming to the Transparency Exchange API specification."}},{"type":"object","title":"Custom Identifier Scheme","description":"A custom identifier scheme not represented in the predefined taxonomy.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom identifier scheme."},"description":{"type":"string","title":"Description","description":"A description of the custom identifier scheme."}}}]},"identityValue":{"type":"string","minLength":1,"title":"Identifier Value","description":"The value of an identifier."}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-control-2.0":{"type":"null","title":"CycloneDX Control Model","$defs":{"controls":{"type":"array","title":"Controls","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/control"},"description":"The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses."},"control":{"type":"object","title":"Control","description":"A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the control."},"description":{"type":"string","title":"Description","description":"A description of the control."},"category":{"title":"Category","description":"The category of the control. 
Use the custom option for a category specific to an organization's taxonomy.","oneOf":[{"title":"Predefined Control Category","type":"string","enum":["preventive","detective","corrective","compensating","deterrent","recovery"],"meta:enum":{"preventive":"Prevents an unwanted event from occurring.","detective":"Identifies and records that an unwanted event has occurred or is occurring.","corrective":"Remedies the condition that allowed an unwanted event.","compensating":"Provides an alternative safeguard where a primary control is not feasible.","deterrent":"Discourages an actor from attempting an unwanted action.","recovery":"Restores operations after an unwanted event."}},{"title":"Custom Control Category","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom category."},"description":{"type":"string","title":"Description","description":"A description of the custom category."}}}]},"status":{"title":"Status","description":"The implementation status of the control.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/implementationStatus"},"appliesTo":{"type":"array","title":"Applies To","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. 
A control without this property applies to the organization or system as a whole."},"implementedBy":{"type":"array","title":"Implemented By","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control."},"satisfies":{"type":"array","title":"Satisfies","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards."},"effectiveness":{"title":"Effectiveness","description":"The assessed effectiveness of the control.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/effectiveness"},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for the control. May be an inline party object or a reference to a previously declared party."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"implementationStatus":{"title":"Implementation Status","description":"The implementation status of a control or response. Use the custom option for a status specific to an organization's process.","oneOf":[{"title":"Predefined Implementation Status","type":"string","enum":["recommended","proposed","approved","rejected","planned","in-progress","implemented","verified","decommissioned"],"meta:enum":{"recommended":"Suggested by a producer, standard, or assessor. 
Not yet entered into the adopting organization's decision process.","proposed":"Entered into the adopting organization's decision process but not yet approved.","approved":"Approved for implementation.","rejected":"Considered and declined, with no intent to implement.","planned":"Implementation is planned.","in-progress":"Implementation is in progress.","implemented":"Implemented and in effect.","verified":"Implemented and verified as effective.","decommissioned":"Removed from service."}},{"title":"Custom Implementation Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"effectiveness":{"type":"object","title":"Effectiveness","description":"The measured or assessed effectiveness of a control or response.","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"title":"Percentage","description":"Effectiveness as a decimal from 0 to 1."},"rating":{"type":"string","title":"Rating","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk.","marginal":"Slightly reduces risk.","adequate":"Adequately reduces risk.","good":"Significantly reduces risk.","excellent":"Nearly eliminates risk."},"description":"Effectiveness as a qualitative rating."}}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). 
This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. 
SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. 
The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"array","title":"Implementation platforms","description":"The target platforms for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform.","items":{"type":"string","title":"Platform","description":"The target platform for the implementation.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","riscv32","riscv64","other","unknown"],"meta:enum":{"generic":"Platform-independent implementation.","x86_32":"Intel/AMD 32-bit x86 architecture.","x86_64":"Intel/AMD 64-bit x86-64 architecture.","armv7-a":"ARM 32-bit application profile (Cortex-A).","armv7-m":"ARM 32-bit microcontroller profile (Cortex-M).","armv8-a":"ARM 64-bit application profile (AArch64).","armv8-m":"ARM 32-bit microcontroller with TrustZone.","armv9-a":"ARM 64-bit with enhanced security features.","armv9-m":"ARM microcontroller with advanced security.","s390x":"IBM Z series mainframe 64-bit.","ppc64":"IBM PowerPC 64-bit big-endian.","ppc64le":"IBM PowerPC 64-bit little-endian.","riscv32":"RISC-V 32-bit open standard architecture.","riscv64":"RISC-V 64-bit open standard architecture.","other":"Another platform.","unknown":"The platform is not known."}}},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","cavp","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","cavp":"Cryptographic Algorithm Validation Program","other":"Another 
certification","unknown":"The certification level is not known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","siv","gcm-siv","ocb","eax","kw","kwp","cts","xts","gmac","cmac","xpn","ff1","ff3-1","other","unknown"],"meta:enum":{"cbc":"Cipher Block Chaining mode.","ecb":"Electronic Codebook mode.","ccm":"Counter with CBC-MAC (AEAD).","gcm":"Galois/Counter Mode (AEAD).","cfb":"Cipher Feedback mode.","ofb":"Output Feedback mode.","ctr":"Counter mode.","siv":"Synthetic Initialization Vector mode.","gcm-siv":"GCM with Synthetic IV (nonce-misuse resistant).","ocb":"Offset Codebook Mode (AEAD).","eax":"Encrypt-then-Authenticate-then-Translate mode.","kw":"AES Key Wrap (RFC 3394).","kwp":"AES Key Wrap with Padding (RFC 5649).","cts":"Ciphertext Stealing mode.","xts":"XEX Tweaked-codebook with Stealing (disk encryption).","gmac":"Galois Message Authentication Code","cmac":"Cipher-based Message Authentication Code","xpn":"Extended Packet Numbering mode.","ff1":"Format-preserving encryption mode 1.","ff3-1":"Format-preserving encryption mode 3, update 1.","other":"Another mode of operation.","unknown":"The mode is not known."}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","pss","x931","other","unknown"],"meta:enum":{"pkcs5":"PKCS#5 padding for password-based cryptography.","pkcs7":"PKCS#7 padding with length-indicating bytes.","pkcs1v15":"PKCS#1 v1.5 padding for RSA.","oaep":"Optimal Asymmetric Encryption Padding for RSA.","raw":"No padding applied.","pss":"Probabilistic Signature Scheme for RSA signatures.","x931":"ANSI X9.31 padding for RSA.","other":"Another padding scheme.","unknown":"The padding scheme is not known."}},"cryptoFunctions":{"type":"array","title":"Cryptographic 
functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction"}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6},"secProperties":{"type":"array","title":"Security Properties","description":"Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.","items":{"type":"string","title":"Security Property","examples":["IND-CPA","IND-CCA","IND-CCA2","SUF-CMA","EUF-CMA","collision-resistant","preimage-resistant","second-preimage-resistant"]}}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time 
according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint"},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"},"keyUsage":{"type":"array","title":"Key Usage","description":"Defines the permitted cryptographic usage for the asset.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction","title":"Usage","description":"A permitted cryptographic usage."}}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher 
Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a 
cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"cryptographicFunction":{"type":"string","title":"Cryptographic Function","description":"A cryptographic function or usage.","enum":["generate","paramgen","paramver","keygen","keyver","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","keyagree","wrap","unwrap","other","unknown"],"meta:enum":{"generate":"Generates random data, IVs, or nonces.","paramgen":"Generates cryptographic domain parameters.","paramver":"Verifies cryptographic domain parameters.","keygen":"Generates cryptographic keys.","keyver":"Verifies cryptographic keys.","encrypt":"Transforms plaintext into ciphertext.","decrypt":"Transforms ciphertext into plaintext.","digest":"Computes a hash value from input data.","tag":"Generates an authentication tag for data integrity.","keyderive":"Derives keys from another key or shared secret.","sign":"Creates a digital signature using a private key.","verify":"Verifies a digital signature using a public key.","encapsulate":"Encapsulates a secret using a public key (KEM).","decapsulate":"Decapsulates a secret using a private key (KEM).","keyagree":"Derives a shared secret between parties.","wrap":"Encrypts a key for secure storage or transport.","unwrap":"Decrypts a wrapped 
key to recover the original key.","other":"Another cryptographic function.","unknown":"The cryptographic function is not known."}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"fingerprint":{"type":"object","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset.","oneOf":[{"title":"Standard Hash","description":"A fingerprint computed using a standard, well-known hash algorithm.","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},{"title":"Custom Fingerprint","description":"A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.","required":["customAlg","customContent"],"additionalProperties":false,"properties":{"customAlg":{"type":"string","title":"Custom Fingerprint Algorithm","description":"The name of the custom algorithm used to compute the fingerprint."},"customContent":{"type":"string","title":"Custom Fingerprint Content","description":"The value of the fingerprint computed using the custom algorithm."}}}]},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the 
cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"type":"array","title":"References","description":"The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfiles":{"type":"array","title":"Data Profiles","description":"A catalogue of reusable data profile definitions. Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"}},"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.","examples":["Customer PII Dataset","Transaction Logs","Employee Health Records"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification","description":"The classification of the data, indicating 
the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes."},"informationTypes":{"type":"array","title":"Information Types","description":"The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType"},"examples":[["pii","financial"],["phi","biometric",{"name":"minor-health-data","description":"Health information for individuals under 18, subject to COPPA and HIPAA."}]]},"subjects":{"type":"array","title":"Subjects","description":"The entities, groups, categories, or things that the data is about or pertains to. Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/subject"},"examples":[[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR","IT"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]}]]},"purposes":{"type":"array","title":"Purposes","description":"The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. 
Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/purpose"},"examples":[[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"}]]},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about."},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"The formats in which the data is stored or transmitted.","examples":[["JSON","CSV","Parquet"]]},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"References to schema contracts or documents describing the data structure.","examples":[["https://example.com/schemas/customer-v2.json"]]},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, 
lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"ttl":{"type":"integer","title":"Time to Live","minimum":1,"description":"The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. 
Distinct from retention, which applies to persisted data and is governed by requirement objects.","examples":[300,3600]},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataProfileChoice":{"title":"Data Profile Choice","description":"A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.","oneOf":[{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to a previously declared data profile."}]},"dataObject":{"type":"object","title":"Data Object","description":"A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. 
A single profile may govern many data objects; each data object refers to at most one profile.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data object."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the data object, such as the name of the message, record, document, or table row it represents.","examples":["user_registration","payment_request","audit_event"]},"description":{"type":"string","title":"Description","description":"A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes."},"profile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice","title":"Profile","description":"The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile."},"informationTypes":{"type":"array","title":"Information Types","description":"The types of information contained in this object. May refine or extend the information types declared on the referenced profile. 
Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType"}},"schema":{"type":"object","title":"Schema","description":"The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL or URN pointing to the schema document."},"mediaType":{"type":"string","title":"Media Type","description":"Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.","examples":["application/schema+json","application/xml","application/vnd.apache.avro+json"]},"comment":{"type":"string","title":"Comment","description":"Additional notes about the schema, such as its version or compatibility expectations."}}},"format":{"type":"object","title":"Format","description":"The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL or URN pointing to the format specification."},"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"comment":{"type":"string","title":"Comment","description":"Additional notes about the format."}}},"attributes":{"type":"array","title":"Attributes","description":"The fields, columns, or properties contained in this object. 
Each attribute may carry a typed information type to support field-level classification and compliance analysis.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataAttribute"}},"relationships":{"type":"array","title":"Relationships","description":"Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataRelationship"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataAttribute":{"type":"object","title":"Data Attribute","description":"A single field, column, or property within a data object. Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this attribute, enabling it to be referenced as a key target."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the attribute as it appears in the data object, such as a field name, column name, or property key.","examples":["email","dateOfBirth","panToken","amount"]},"description":{"type":"string","title":"Description","description":"A narrative explanation of the attribute, such as its semantics, expected values, or constraints."},"informationType":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType","title":"Information Type","description":"The information type carried by this attribute. 
Field-level typing enables compliance analysis at finer granularity than the object-level information types."},"required":{"type":"boolean","title":"Required","description":"Indicates whether the attribute is required for the data object to be valid."},"sensitive":{"type":"boolean","title":"Sensitive","description":"Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls."},"key":{"type":"string","title":"Key","enum":["primary","foreign","unique"],"meta:enum":{"primary":"The attribute is part of the primary key that uniquely identifies the data object.","foreign":"The attribute is a foreign key referencing another data object.","unique":"The attribute carries a uniqueness constraint."},"description":"The key role of the attribute within the data object."},"references":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"References","description":"For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataRelationship":{"type":"object","title":"Data Relationship","description":"A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.","additionalProperties":false,"required":["target","cardinality"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the relationship, such as the role or verb that describes it."},"description":{"type":"string","title":"Description","description":"A description of the relationship."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"Reference using bom-link or bom-ref to the related data 
object."},"cardinality":{"type":"string","title":"Cardinality","enum":["one-to-one","one-to-many","many-to-one","many-to-many"],"meta:enum":{"one-to-one":"Each record of the source relates to at most one record of the target, and the reverse.","one-to-many":"Each record of the source relates to many records of the target.","many-to-one":"Many records of the source relate to one record of the target.","many-to-many":"Many records of the source relate to many records of the target."},"description":"The cardinality of the relationship."},"sourceAttributes":{"type":"array","title":"Source Attributes","description":"References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targetAttributes":{"type":"array","title":"Target Attributes","description":"References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"subject":{"type":"object","title":"Subject","description":"An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. 
Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.","additionalProperties":false,"anyOf":[{"required":["name","type"]},{"required":["party"]},{"required":["ref"]}],"examples":[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR"],"regulations":["GDPR"]},{"ref":"party-pediatric-patients","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]},{"party":{"roles":[{"role":"data-subject"}],"persona":{"archetype":"customer","scope":"external","description":"Fleet vehicle owners enrolled in the connected-services platform."}},"protectedClass":false}],"properties":{"name":{"type":"string","title":"Name","description":"The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.","minLength":1,"examples":["EU Residents","Pediatric Patients","Fleet Vehicles"]},"type":{"type":"string","title":"Type","description":"A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. Optional when `party` or `ref` is supplied.","minLength":1,"examples":["individual","group","technology"]},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party","title":"Party","description":"An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`."},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. 
Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it."},"protectedClass":{"type":"boolean","title":"Protected Class","description":"Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."},"description":{"type":"string","title":"Description","description":"A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"jurisdictions":{"type":"array","title":"Jurisdictions","description":"The geographic or political jurisdictions whose laws and regulations apply. 
Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.","uniqueItems":true,"items":{"type":"string","minLength":2,"examples":["US","GB","US-CA"]},"examples":[["US","GB","DE"]]},"regulations":{"type":"array","title":"Regulations","description":"The specific laws, regulations, or compliance frameworks that apply.","uniqueItems":true,"items":{"type":"string","minLength":1,"examples":["GDPR","HIPAA","PCI-DSS"]},"examples":[["GDPR","CCPA","PCI-DSS"]]},"purpose":{"type":"object","title":"Purpose","description":"The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.","required":["name"],"additionalProperties":false,"examples":[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"},{"name":"Marketing Analytics","legalBasis":"consent"}],"properties":{"name":{"type":"string","title":"Name","description":"The name of the purpose for which data is collected or processed.","minLength":1,"examples":["Service Delivery","Fraud Prevention","Marketing Analytics"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."},"legalBasis":{"type":"string","title":"Legal Basis","description":"The legal basis under applicable law that authorises data collection or processing for this purpose. 
Use terminology consistent with the applicable jurisdiction and regulation.","minLength":1,"examples":["consent","contract","legitimate interest"]},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"title":"Data Classification","description":"Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.","oneOf":[{"type":"string","title":"Predefined Classification","description":"A predefined classification level from the enumeration.","enum":["confidential","internal","public","restricted","classified"],"meta:enum":{"confidential":"Confidential information requiring protection.","internal":"Internal use only within the organisation.","public":"Public information that can be freely shared.","restricted":"Highly restricted information with limited access and special protection measures.","classified":"Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations."}},{"type":"object","title":"Custom Classification","description":"A custom classification level not covered by the predefined enumeration.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom classification level."},"description":{"type":"string","title":"Description","description":"A description of what this custom classification level means and the protections it implies."}}}]},"informationType":{"title":"Information Type","description":"Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
A single dataset can contain multiple information types and is captured as an array on the data profile.","oneOf":[{"type":"string","title":"Predefined Information Type","description":"A predefined information type from the enumeration.","enum":["authentication","behavioral","biometric","communication","credentials","device","financial","genetic","intellectual-property","location","logs","operational","pci","phi","pii","safety","telemetry"],"meta:enum":{"authentication":"Authentication data such as passwords, PINs, or security questions.","behavioral":"Behavioural data such as browsing history, usage patterns, or profiling data.","biometric":"Biometric data such as fingerprints, facial recognition, or voice patterns.","communication":"Communication content such as messages, emails, or call records.","credentials":"Secrets, tokens, or credentials.","device":"Device identifiers or hardware-level data.","financial":"Financial statements or transaction data.","genetic":"Genetic or genomic data.","intellectual-property":"Intellectual property or trade secrets.","location":"Precise or inferred geographic location data.","logs":"Operational or security log data.","operational":"Operational or process data.","pci":"Payment card industry data.","phi":"Protected health information.","pii":"Personally identifiable information.","safety":"Safety critical data or signals.","telemetry":"System or product telemetry data."}},{"type":"object","title":"Custom Information Type","description":"A custom information type not covered by the predefined enumeration.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom information type."},"description":{"type":"string","title":"Description","description":"A description of the custom information type and any handling implications it carries."}}}]},"dataGovernance":{"type":"array","title":"Data Governance","description":"Parties responsible 
for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim 
between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. Each mitigation strategy should be substantiated by evidence.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the 
BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"},"useCases":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCases"},"requirements":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirements"},"businessObjectives":{"$ref":"#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjectives"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-jss_X590_2023_10-2.0":{"type":"null","title":"CycloneDX Model for JSON Signature Scheme (JSS)","description":"JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.","$defs":{"timestamp":{"title":"Timestamp","description":"An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z","type":"string","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$","examples":["2023-10-29T13:56:08Z","2023-10-29T13:56:08.000Z","2023-11-15T08:30:00.123Z"]},"identifier":{"title":"Identifier","description":"A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.","type":"string","format":"uuid","pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$","examples":["f47ac10b-58cc-4372-a567-0e02b2c3d479"]},"hashAlgorithm":{"title":"Hash Algorithm","description":"This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. 
The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.","type":"string","pattern":"^[a-z0-9-]+$","examples":["sha-256","sha-384","sha-512","sha3-256","sha3-512"]},"algorithmVocabulary":{"title":"Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)","description":"NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.","type":"string","enum":["XMSS-SHA2_10_256","XMSS-SHA2_16_256","XMSS-SHA2_20_256","LMS_SHA256_M32_H5","LMS_SHA256_M32_H10","LMS_SHA256_M32_H15","LMS_SHA256_M32_H20","LMS_SHA256_M32_H25","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512","Ed25519","Ed448"]},"algorithm":{"title":"Signing Algorithm","description":"This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. 
The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.","type":"string","anyOf":[{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary"},{"type":"string","title":"Other algorithm identifier","description":"Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)."}],"examples":["Ed25519","ES256","XMSS-SHA2_10_256","LMS_SHA256_M32_H5","PS512"]},"publicKey":{"title":"Public Key (PEM, header-stripped)","description":"This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.","type":"string","pattern":"^[A-Za-z0-9+/]+={0,2}$","examples":["MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU="]},"publicCertChain":{"title":"Public Certificate Chain","description":"This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. 
The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].","type":"array","items":{"type":"string","description":"Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)."},"minItems":1},"certUrl":{"title":"Certificate URL","description":"This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].","type":"string","format":"uri","pattern":"^https://","examples":["https://pki.example.com/certs/signing-cert.pem"]},"thumbprint":{"title":"Certificate Thumbprint","description":"This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. 
The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].","type":"string","pattern":"^[A-Za-z0-9_-]{43}$","examples":["NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"]},"signatureObject":{"title":"Signature Object","description":"A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.","type":"object","properties":{"hash_algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm"},"algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm"},"public_key":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey"},"public_cert_chain":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain"},"cert_url":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl"},"thumbprint":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint"},"value":{"title":"Signature Value","description":"A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).","type":"string","pattern":"^[A-Za-z0-9_-]+={0,2}$"},"signature":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject","title":"Counter-Signature","description":"This property enables a signature to be countersigned, meaning a signature can be signed by another signature."},"type":{"title":"Type Indicator","description":"The value of this property MUST be jss.","type":"string","const":"jss"},"id":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier","title":"Signature Identifier","description":"A value that uniquely identifies the signature. 
All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property."},"related_to":{"title":"Related Object Reference","description":"A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"related_version":{"title":"Related Object Version","description":"A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"created":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Created Timestamp","description":"The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"modified":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Modified Timestamp","description":"The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. 
If the created and modified properties are the same, then this is the first version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"revoked":{"title":"Revoked Flag","description":"A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.","type":"boolean","default":false},"signee":{"title":"Signee","description":"An unstructured string value for the name of the entity or organization that produced this signature.","type":"string"},"valid_from":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid From","description":"The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored."},"valid_until":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid Until","description":"The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. 
If the revoked property is true then this property MUST be ignored."}},"required":["hash_algorithm","algorithm","value"],"anyOf":[{"required":["public_key"],"description":"Public key material provided as PEM-encoded public key (header/footer stripped)."},{"required":["public_cert_chain"],"description":"Public key material provided as a base64-encoded DER X.509 certificate chain."},{"required":["cert_url"],"description":"Public key material provided by reference to a TLS-accessible certificate URI."},{"required":["thumbprint"],"description":"Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint."}],"unevaluatedProperties":true},"signatures":{"title":"Signatures Array","description":"A JSON array of one or more signature objects. MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. 
All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.","type":"array","items":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject"},"minItems":1}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-party-2.0":{"type":"null","title":"CycloneDX Party Model","$defs":{"party":{"type":"object","title":"Party","description":"Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. Optional sub-objects layer inter-party relationships and standard extension data.","required":["roles"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"roles":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/role"},"title":"Roles","description":"One or more roles the party fulfils. 
Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)."},"organization":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/organization","description":"Identity attributes valid when the party is an organization, company, government body, or other collective."},"person":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/person","description":"Identity attributes valid when the party is an individual person."},"system":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/system","title":"System","description":"Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent."},"persona":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/persona","title":"Persona","description":"Identity attributes valid when the party is an abstract archetype rather than a specific named instance."},"relations":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyRelations","title":"Relations","description":"Links from this party to other parties."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"required":["organization"]},{"required":["person"]},{"required":["system"]},{"required":["persona"]}]},"parties":{"type":"array","title":"Parties","description":"Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"partyChoice":{"title":"Party Choice","description":"A party represented either as a complete object or as a reference to a previously declared party.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A refLinkType pointing to a previously declared party."}]},"role":{"title":"Role","description":"A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole"},{"title":"Custom Role","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom role.","examples":["Chief Executive Officer","Data Protection Officer","Release Manager"]},"description":{"type":"string","title":"Description","description":"A description of the custom role, including its responsibilities and scope."},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. 
Absence means unranked."}}}]},"preDefinedRole":{"title":"Pre-Defined Role","type":"object","required":["role"],"additionalProperties":false,"properties":{"role":{"type":"string","title":"Role","description":"A predefined role from the CycloneDX role taxonomy.","enum":["agent","assembler","asserter","attacker","auditor","author","broker","carrier","certificate-authority","committer","competitor","consignee","consignor","contributor","customer","custodian","customs-broker","data-controller","data-processor","data-recipient","data-subject","delegate","developer","distributor","end-user","engineer","exporter","freight-forwarder","holder","importer","insider-threat","inspector","insurer","integrator","issuer","key-escrow-agent","legal-contact","licensee","licensor","maintainer","manufacturer","operator","owner","packager","partner","principal","publisher","purchaser","quality-control","regulator","relying-party","repackager","researcher","reviewer","security-contact","signatory","steward","subject","supplier","support-contact","third-party-logistics","timestamp-authority","validation-authority","verifier","warehouse-operator"],"meta:enum":{"agent":"Software or AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.","assembler":"The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.","asserter":"The party making assertions about the subject, such as patent ownership or compliance claims.","attacker":"A hostile party targeting the subject.","auditor":"The party that conducted an audit or assessment of the subject.","author":"The party that created the subject. 
Common when the subject is created through manual processes.","broker":"The party that acts as an intermediary in commercial transactions.","carrier":"The party that physically transports goods, such as shipping lines, airlines, or trucking companies.","certificate-authority":"The party that issues, signs, and manages digital certificates within a public key infrastructure.","committer":"The party who committed or pushed changes to a version control system.","competitor":"A competing party in the same market or domain as the subject's organization.","consignee":"The party designated to receive a shipment of goods.","consignor":"The party that sends or ships goods to a consignee.","contributor":"A party that contributed to the development of the subject without being the primary author.","customer":"Customer of the organization that owns the subject.","custodian":"The party responsible for the safe custody, transport, and storage of the subject.","customs-broker":"The party that facilitates the clearance of goods through customs barriers.","data-controller":"The party that determines the purposes and means of processing personal data.","data-processor":"The party that processes personal data on behalf of a data controller.","data-recipient":"The party to which personal data is disclosed.","data-subject":"The natural person whose personal data is processed.","delegate":"A party exercising authority on behalf of another party identified via relations.delegatedBy.","developer":"Software developer or platform engineer.","distributor":"The party that distributes the subject to downstream consumers or customers.","end-user":"The end user of a system, service, or product.","engineer":"Engineer responsible for designing, implementing, or operating a system.","exporter":"The party that sends goods to another country for trade or sale.","freight-forwarder":"The party that arranges the shipment and logistics of goods on behalf of shippers.","holder":"The party that holds a 
verifiable credential, claim, or asset.","importer":"The party that brings goods into a country from abroad for trade or sale.","insider-threat":"A hostile or negligent party with legitimate access.","inspector":"The party that inspects goods for quality, safety, or regulatory compliance.","insurer":"The party that provides insurance coverage.","integrator":"The party that integrates the subject into a larger system or product.","issuer":"The party that issues a credential, claim, identifier, or asset.","key-escrow-agent":"The party that holds copies of cryptographic keys in escrow.","legal-contact":"The designated party to contact for legal matters.","licensee":"The party to which a license for the subject has been granted.","licensor":"The party that grants a license for the subject.","maintainer":"The party responsible for ongoing maintenance, including updates, patches, and security fixes.","manufacturer":"The party that manufactured or produced the subject. Common when the subject is produced through automated processes.","operator":"The party responsible for operating or running the subject in a production environment.","owner":"The party that holds ownership rights over the subject.","packager":"The party that packages goods for storage, shipment, or retail sale.","partner":"Business partner with a defined relationship.","principal":"The party on whose behalf another party acts, paired with delegate.","publisher":"The party that published the subject, making it available for consumption.","purchaser":"The party that purchased the subject or a license for its use.","quality-control":"The party responsible for quality control activities, including inspection, testing, and verification.","regulator":"Government or industry regulator with administrative authority over the subject.","relying-party":"The party that relies on credentials, claims, or attestations issued by another party.","repackager":"The party that repackages the subject, potentially combining it 
with other components.","researcher":"Security researcher, bug bounty hunter, or academic conducting authorized study.","reviewer":"The party that reviewed the subject or its associated evidence.","security-contact":"The designated party to contact in the event of a security incident.","signatory":"The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.","steward":"The party responsible for the content, context, and associated business rules of the subject.","subject":"The party to whom an issued credential, claim, or identifier is bound.","supplier":"The party that supplied the subject. The supplier may often be the manufacturer, but may also be a distributor or repackager.","support-contact":"The designated party to contact for technical support.","third-party-logistics":"The party that provides outsourced logistics services.","timestamp-authority":"The party that issues trusted timestamps.","validation-authority":"The party that provides certificate validation services.","verifier":"The party that verifies credentials, claims, or attestations.","warehouse-operator":"The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre."}},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.","examples":[1,2,3]}}},"organization":{"type":"object","title":"Organization Identity","description":"Identity attributes for a party that is an organization, company, government body, or other collective.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The common display or trading name of the organization. 
Use when the registered legal name is unknown or when the everyday name differs from the legal one.","examples":["Acme","Globex"]},"legalName":{"type":"string","title":"Legal Name","description":"The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.","examples":["Acme Microcontrollers S.r.l.","Acme Holdings, Inc."]},"description":{"type":"string","title":"Description","description":"A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level."},"logo":{"type":"string","format":"iri-reference","title":"Logo","description":"URL to an image representing the organization. Useful for catalog, datasheet, and user interface views."},"foundingDate":{"type":"string","format":"date","title":"Founding Date","description":"The date the organization was founded. Supports supplier due diligence and age-of-organization signals."},"dissolutionDate":{"type":"string","format":"date","title":"Dissolution Date","description":"The date the organization was dissolved or wound down. When present, the organization is no longer active."},"jurisdiction":{"type":"string","title":"Jurisdiction","description":"Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.","examples":["US-DE","IT-BO","CHE"]},"identifiers":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Identifiers issued to or associated with the organization. May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities."},"formerNames":{"type":"array","items":{"type":"string"},"title":"Former Names","description":"Prior names of the organization. Use when the entity has been renamed, merged, or acquired. 
Distinct from `aliases`, which captures concurrent alternate designations.","examples":[["Atmel Corporation"]]},"aliases":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Aliases","description":"Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.","examples":[["Fancy Bear","STRONTIUM","Sofacy","Sednit","Pawn Storm"]]},"url":{"type":"array","title":"URLs","description":"URLs associated with the organization. Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.","examples":["homepage","support","press","status","repository"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress"},"title":"Addresses","description":"Physical addresses associated with the organization."}}},"person":{"type":"object","title":"Person Identity","description":"Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.","additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The person's full name as they wish to be known. A single freeform string. 
No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.","examples":["Ada Lovelace","Suharto","Maria del Carmen García López","Nguyá»…n Văn An"]},"sortName":{"type":"string","title":"Sort Name","description":"Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.","examples":["Lovelace, Ada","García López, Maria del Carmen"]},"honorificPrefix":{"type":"string","title":"Honorific Prefix","description":"Honorific or title preceding the name, used in forms of address. Distinct from the name itself.","examples":["Dr.","Prof."]},"honorificSuffix":{"type":"string","title":"Honorific Suffix","description":"Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.","examples":["PhD","Esq."]},"jobTitle":{"type":"string","title":"Job Title","description":"The person's job title. Useful for credit lines and attribution.","examples":["Chief Information Security Officer","Data Protection Officer","Senior Software Engineer"]},"description":{"type":"string","title":"Description","description":"A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level."},"email":{"type":"array","title":"Email","description":"Email addresses associated with the person. 
Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.","items":{"type":"object","required":["address"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the email, such as `work`, `personal`, `support`, or `security`.","examples":["work","personal","support","security"]},"address":{"type":"string","format":"idn-email","title":"Address"}}}},"phone":{"type":"array","title":"Phone","description":"Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. Numbers should be expressed in E.164 form where possible.","items":{"type":"object","required":["number"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.","examples":["office","mobile","fax","pager"]},"number":{"type":"string","title":"Number","examples":["+1-555-0100","+44 20 7946 0958"]}}}},"url":{"type":"array","title":"URLs","description":"URLs associated with the person. 
Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.","examples":["homepage","github","linkedin","orcid"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"address":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress","title":"Address"},"affiliation":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Affiliation","description":"Reference using bom-link or bom-ref to an organization party with which the person is affiliated."}}},"system":{"type":"object","title":"System Identity","description":"Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.","additionalProperties":false,"properties":{"kind":{"title":"Kind","description":"The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Kind","type":"string","enum":["software-system","hardware-system","service-account","machine-identity","automation","agent","bot","oracle","smart-contract","device","robot"],"meta:enum":{"software-system":"Application, service, or platform that performs actions as itself.","hardware-system":"Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.","service-account":"Non-human identity used by automation to authenticate.","machine-identity":"Cryptographic identity such as a certificate principal or workload identity.","automation":"Pipeline, job, or scheduled task that performs actions deterministically.","agent":"Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.","bot":"Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.","oracle":"External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.","smart-contract":"On-chain program that executes deterministically.","device":"Physical end user device such as a phone or IoT device acting as a party in its own right.","robot":"Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`."}},{"title":"Custom Kind","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom kind."},"description":{"type":"string","title":"Description","description":"A description of the custom kind."}}}]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference to any bom-ref'd object that represents this system. The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). 
Use to associate the party with its concrete representation declared elsewhere."},"identifiers":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial."},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities or duties the system possesses."}}},"persona":{"type":"object","title":"Persona Identity","description":"Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. When the specific instance is known (for example a tracked APT group), use `organization` instead.","additionalProperties":false,"properties":{"description":{"type":"string","title":"Description","description":"Free-text description of the persona instance. Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.","examples":["Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review."]},"archetype":{"title":"Archetype","description":"The persona archetype. 
May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Archetype","type":"string","enum":["end-user","power-user","administrator","developer","operator","internal","external","anonymous","guest","customer","partner","supplier","vendor","contractor","third-party","auditor","researcher","regulator","law-enforcement","attacker","insider-threat","hacktivist","nation-state","organized-crime","competitor","public"],"meta:enum":{"end-user":"Typical end user of the system.","power-user":"Advanced user with higher than average privileges.","administrator":"Administrative or privileged user.","developer":"Application developer or platform engineer.","operator":"Operational staff running the system.","internal":"Generic internal party.","external":"Generic external party without an account or operational relationship.","anonymous":"Unauthenticated visitor interacting with the system.","guest":"Semi-authenticated user with restricted privileges.","customer":"Customer of the organization that owns the subject.","partner":"Business partner with a defined relationship.","supplier":"Generic supplier providing goods or services on a transactional basis.","vendor":"Vendor delivering and operating goods or services with operational access to the subject.","contractor":"Third party with operational access under contract.","third-party":"Generic third party that does not fit partner, supplier, vendor, or contractor.","auditor":"External auditor or assessor.","researcher":"Security researcher, bug bounty hunter, or academic. 
Authorized probing party.","regulator":"Government or industry regulator with administrative authority over the subject.","law-enforcement":"Law enforcement entity with investigative authority.","attacker":"Generic hostile external party.","insider-threat":"Hostile or negligent party with legitimate access.","hacktivist":"Hostile party motivated by ideology or activism.","nation-state":"Hostile party sponsored or directed by a national government.","organized-crime":"Hostile party operating as part of an organized criminal enterprise.","competitor":"Generic competitor.","public":"General public not in direct interaction with the subject."}},{"title":"Custom Archetype","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"}}}]},"scope":{"type":"string","title":"Scope","enum":["internal","external","mixed"],"meta:enum":{"internal":"Persona is internal to the organization that owns the subject.","external":"Persona is external to the organization that owns the subject.","mixed":"Persona may appear in either internal or external contexts."}},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities the persona is assumed to hold."},"assumedPosture":{"type":"string","title":"Assumed Security Posture","description":"Assumed security posture of the persona in this context.","examples":["authenticated","unauthenticated","authorized","privileged"]}}},"partyRelations":{"type":"object","title":"Party Relations","description":"Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.","additionalProperties":false,"properties":{"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent","description":"Reference to a parent party. 
Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships."},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Delegated By","description":"Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role."}}},"identifier":{"type":"object","title":"Identifier","description":"An identifier issued by a recognized authority. Includes legal and registration identifiers as well as machine and workload identities.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"title":"Scheme","description":"The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.","oneOf":[{"title":"Pre-Defined Scheme","type":"string","enum":["lei","duns","ncage","cage","eori","vat","gst","ein","tin","ruc","bvd","swift-bic","sec-cik","isin","figi","opencorporates","gln","gtin","iso6523","ofac-sdn","un-lm","oidc-sub","spiffe","did","vc-id"],"meta:enum":{"lei":"Legal Entity Identifier per ISO 17442.","duns":"Dun and Bradstreet D-U-N-S Number.","ncage":"NATO Commercial and Government Entity code.","cage":"United States Commercial and Government Entity code.","eori":"Economic Operator Registration and Identification number used in European Union customs.","vat":"Value Added Tax registration number.","gst":"Goods and Services Tax registration number.","ein":"United States Employer Identification Number.","tin":"Generic Taxpayer Identification Number.","ruc":"Registro Unico de Contribuyentes used in several Latin American countries.","bvd":"Bureau van Dijk identifier.","swift-bic":"Business Identifier Code per ISO 9362.","sec-cik":"United States Securities and Exchange Commission 
Central Index Key.","isin":"International Securities Identification Number per ISO 6166.","figi":"Financial Instrument Global Identifier.","opencorporates":"OpenCorporates company identifier.","gln":"GS1 Global Location Number.","gtin":"GS1 Global Trade Item Number when the party is also a registered trade entity.","iso6523":"ISO 6523 organization identifier. The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.","ofac-sdn":"United States Office of Foreign Assets Control Specially Designated Nationals list identifier.","un-lm":"United Nations Locode for a specific facility or jurisdiction.","oidc-sub":"OpenID Connect subject identifier for a machine or service identity.","spiffe":"SPIFFE ID for a workload identity.","did":"W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.","vc-id":"W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/."}},{"title":"Custom Scheme","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"},"url":{"type":"string","format":"iri-reference","title":"URL","description":"URL of the scheme registry or specification."}}}]},"schemeVersion":{"type":"string","title":"Scheme Version","description":"The version of the scheme that issued this identifier, if applicable."},"value":{"type":"string","title":"Value","description":"The value of the identifier."},"issuedDate":{"type":"string","format":"date","title":"Issued Date"},"expirationDate":{"type":"string","format":"date","title":"Expiration Date"},"issuer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Issuer","description":"Reference using bom-link or bom-ref to the party that issued the 
identifier."}}},"postalAddress":{"type":"object","title":"Postal Address","description":"An address used to identify a contactable or operational location.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference Identifier","description":"An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers."},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative."},"region":{"type":"string","title":"Region","description":"The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.","examples":["Texas"]},"isoCode":{"type":"string","pattern":"^[A-Z]{2}(-[A-Z0-9]{1,3})?$","title":"ISO Code","description":"An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. When present, this property is authoritative over the free-text country and region properties.","examples":["IT-BO","US-CA","DE-BY"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. 
Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.","examples":["100 Main Street","Acme Tower\nSuite 1200\n100 Main Street"]},"coordinates":{"type":"object","title":"Geographic Coordinates","description":"Geographic coordinates of the address.","additionalProperties":false,"required":["latitude","longitude"],"properties":{"latitude":{"type":"number","minimum":-90,"maximum":90,"title":"Latitude","description":"Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"longitude":{"type":"number","minimum":-180,"maximum":180,"title":"Longitude","description":"Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"altitude":{"type":"number","title":"Altitude","description":"Altitude in meters above the reference ellipsoid identified by the datum property."},"datum":{"type":"string","title":"Datum","description":"The geodetic datum used for the coordinates. WGS84 is assumed when omitted.","default":"WGS84","examples":["WGS84","NAD83","ETRS89"]}}}}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-perspective-2.0":{"type":"null","title":"CycloneDX Perspective Model","$defs":{"perspectives":{"type":"array","title":"Perspectives","description":"Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. Each perspective identifies relevant data types and may provide domain-specific terminology mappings.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspective"}},"perspective":{"type":"object","title":"Perspective","description":"A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. 
Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.","additionalProperties":false,"required":["name","mappings"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Perspective Name","description":"The name of the perspective, typically indicating the target audience or domain.","examples":["AI/ML Transparency","Device Manufacturing Regulatory Compliance","Minimum Elements of an SBOM"]},"description":{"type":"string","title":"Description","description":"A description of the perspective, its intended audience, and the use cases it supports."},"domains":{"type":"array","title":"Domains","description":"The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice"}},"mappings":{"type":"array","title":"Data Type Mappings","description":"An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. Each mapping may include domain-specific terminology.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"perspectiveMapping":{"type":"object","title":"Perspective Mapping","description":"Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. 
Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"Path Expression","description":"A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.","examples":["$.components[*].pedigree","$.components[?(@.type=='machine-learning-model')].modelCard","$.components[?(@.type=='cryptographic-asset')]","$.vulnerabilities"]},"nativeName":{"type":"string","title":"Native Name","description":"The domain-specific term used by the target audience to describe the data identified by the expression.","examples":["Foundation Models","Training Corpus","Cryptographic Inventory","Component Provenance"]},"nativeDescription":{"type":"string","title":"Native Description","description":"A domain-specific description of the data type, explaining its significance within the context of the perspective."},"relevance":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance"},"weight":{"type":"number","title":"Weight","description":"Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. 
This allows for relative ranking of mappings, where higher values indicate greater importance.","minimum":0,"maximum":1},"rationale":{"type":"string","title":"Rationale","description":"Explains why this data type is relevant to the perspective and how it should be interpreted or used."}}},"perspectiveRelevance":{"type":"string","title":"Perspective Relevance","description":"Indicates the importance of a data type to a perspective.","enum":["required","recommended","optional","informative"],"meta:enum":{"required":"This data type is essential for the perspective and should always be present.","recommended":"This data type is highly relevant and should be included when available.","optional":"This data type provides supplementary information that may be useful.","informative":"This data type provides background context but is not directly actionable."}},"perspectiveDomainChoice":{"title":"Perspective Domain Choice","description":"Allows selection of a pre-defined domain or specification of a custom domain.","oneOf":[{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain"},{"type":"object","title":"Custom Domain","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Domain Name","description":"The name of the custom domain."},"description":{"type":"string","title":"Domain Description","description":"A description of the custom domain, its scope, and the concerns it addresses."}}}]},"preDefinedPerspectiveDomain":{"type":"string","title":"Pre-Defined Perspective Domain","description":"A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.","enum":["application-security","cloud-security","container-security","cryptographic-security","cyber-security","data-security","endpoint-security","firmware-security","hardware-security","identity-access-management","network-security","operational-security","physical-security","supply-chain-security","web-security","automotive-safety","aviation-safety","environmental-safety","functional-safety","machinery-safety","maritime-safety","nuclear-safety","patient-safety","process-safety","railway-safety","aerospace-defense","automotive","building-automation","consumer-electronics","critical-infrastructure","education","energy-utilities","financial-services","government","healthcare","insurance","legal","manufacturing","media-entertainment","pharmaceuticals","retail","telecommunications","transportation","artificial-intelligence","edge-computing","embedded-systems","industrial-control-systems","industrial-iot","internet-of-things","machine-learning","medical-devices","mobile","operational-technology","robotics","scada","smart-grid","data-protection","export-control","intellectual-property","legal-compliance","licensing","privacy","regulatory-compliance","maintainability","performance","quality-assurance","reliability","testability","incident-response","penetration-testing","red-team","risk-management","threat-intelligence","threat-modeling","vulnerability-management","accessibility","ethics","human-factors","interoperability","resilience","sustainability","transparency"],"meta:enum":{"application-security":"Security concerns related to software applications, including vulnerabilities, secure coding practices, input validation, and dependency management.","cloud-security":"Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility 
models.","container-security":"Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.","cryptographic-security":"Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.","cyber-security":"Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.","data-security":"Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.","endpoint-security":"Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.","firmware-security":"Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.","hardware-security":"Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.","identity-access-management":"Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.","network-security":"Security concerns related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.","operational-security":"Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.","physical-security":"Security concerns related to physical access controls, environmental protections, surveillance, and tamper evidence.","supply-chain-security":"Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.","web-security":"Security concerns specific to 
web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.","automotive-safety":"Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.","aviation-safety":"Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.","environmental-safety":"Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.","functional-safety":"Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.","machinery-safety":"Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.","maritime-safety":"Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.","nuclear-safety":"Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.","patient-safety":"Safety concerns for medical devices and healthcare systems focusing on preventing harm to patients, including adverse event prevention and clinical risk management.","process-safety":"Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.","railway-safety":"Safety concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.","aerospace-defense":"Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.","automotive":"Industry-specific concerns for 
automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.","building-automation":"Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.","consumer-electronics":"Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.","critical-infrastructure":"Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.","education":"Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.","energy-utilities":"Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.","financial-services":"Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.","government":"Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.","healthcare":"Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and healthcare interoperability.","insurance":"Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.","legal":"Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.","manufacturing":"Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.","media-entertainment":"Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.","pharmaceuticals":"Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and 
drug safety systems.","retail":"Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.","telecommunications":"Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.","transportation":"Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.","artificial-intelligence":"Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.","edge-computing":"Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.","embedded-systems":"Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.","industrial-control-systems":"Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.","industrial-iot":"Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.","internet-of-things":"Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.","machine-learning":"Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.","medical-devices":"Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.","mobile":"Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.","operational-technology":"Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system 
integration.","robotics":"Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.","scada":"Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.","smart-grid":"Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.","data-protection":"Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.","export-control":"Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.","intellectual-property":"Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.","legal-compliance":"Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.","licensing":"Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.","privacy":"Concerns related to personal data protection, privacy by design, consent management, and individual rights.","regulatory-compliance":"Concerns related to compliance with industry-specific regulations, standards, and certification requirements.","maintainability":"Concerns related to the ease of maintaining, updating, and supporting software and systems over their lifecycle.","performance":"Concerns related to system performance, scalability, response times, and resource utilisation.","quality-assurance":"Concerns related to testing, validation, verification, and overall quality metrics and processes.","reliability":"Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.","testability":"Concerns related to the ability to test components and systems, including test coverage, test 
automation, and test data management.","incident-response":"Concerns related to detecting, responding to, and recovering from security incidents and breaches.","penetration-testing":"Concerns related to authorised security testing, vulnerability assessment, and security validation activities.","red-team":"Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.","risk-management":"Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.","threat-intelligence":"Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.","threat-modeling":"Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.","vulnerability-management":"Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.","accessibility":"Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.","ethics":"Concerns related to ethical considerations in technology development, including algorithmic fairness and responsible innovation.","human-factors":"Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.","interoperability":"Concerns related to the ability of systems to exchange and use information effectively across boundaries.","resilience":"Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.","sustainability":"Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.","transparency":"Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition."}}}},"cyclonedx-profile-2.0":{"type":"null","title":"CycloneDX Profile Model","$defs":{"profiles":{"type":"object","title":"Profiles","description":"A registry of reusable, 
named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.","additionalProperties":false,"properties":{"dataProfiles":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfiles"},"threatProfiles":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatProfiles"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"A collection of requirements representing specific needs, constraints, or capabilities that must be met."},"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the 
requirement.","items":{"type":"string"},"uniqueItems":true},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"},"uniqueItems":true},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"},"uniqueItems":true},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the 
requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements 
enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another 
requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}},"requirementAssertions":{"type":"array","title":"Requirement Assertions","description":"A list of assertions describing how a component relates to specific requirements.","uniqueItems":true,"items":{"type":"object","title":"Requirement Assertion","description":"An assertion linking one or more requirements to a component, specifying the nature of the relationship.","required":["assertionType","requirementRefs"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the relationship between the component and the requirement.","enum":["conflicts","not-applicable","not-assessed","other","partially-satisfies","satisfies","violates"],"meta:enum":{"conflicts":"The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.","not-applicable":"The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.","not-assessed":"The relationship between the component and the requirement has not yet been evaluated.","other":"A relationship that does not fit into the other predefined assertion types.","partially-satisfies":"The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.","satisfies":"The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.","violates":"The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria."}},"requirementRefs":{"type":"array","title":"Requirement References","description":"A list of BOM references linking to requirement objects defined in the BOM.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"description":{"type":"string","title":"Description","description":"Additional context or clarification regarding the assertion."}}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","$defs":{"risks":{"type":"object","title":"Risks","description":"A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. 
It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. Each risk separates inherent, residual, and target ratings so risk reduction is explicit.","additionalProperties":false,"properties":{"risks":{"type":"array","title":"Risks","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"The documented risks identified through risk analysis."},"assessments":{"type":"array","title":"Assessments","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Point-in-time risk assessment events, each evaluating one or more of the documented risks."},"riskAppetites":{"type":"array","title":"Risk Appetites","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAppetite"},"description":"The risk appetites that apply to this collection. Multiple entries support a document covering more than one party."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"The domain or category of risk. 
Use the custom option for domains specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Risk Domain","type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply-chain","technical","project","ethical","societal","human-rights","health","legal"],"meta:enum":{"security":"Information security and cybersecurity risks.","privacy":"Data protection and privacy risks.","operational":"Business operations and continuity risks.","financial":"Financial loss and economic impact risks.","compliance":"Regulatory and legal compliance risks.","strategic":"Strategic business and market risks.","reputational":"Brand and reputation damage risks.","safety":"Human safety and physical security risks.","environmental":"Environmental impact and sustainability risks.","supply-chain":"Supply chain and third-party risks.","technical":"Technical and technology risks.","project":"Project delivery and execution risks.","ethical":"Ethical risks, including the responsible use of automated decision-making and artificial intelligence.","societal":"Risks to society, communities, or democratic and civic processes.","human-rights":"Risks to fundamental human rights, including discrimination and loss of autonomy.","health":"Risks to physical or mental health and wellbeing.","legal":"Legal exposure, including liability and contractual risks."}},{"title":"Custom Risk Domain","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk domain."},"description":{"type":"string","title":"Description","description":"A description of the custom risk domain."}}}]},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain."}}},"riskAttribute":{"title":"Risk Attribute","description":"A security or privacy 
attribute representing a potential impact area when a risk is realized. Use the custom option for attributes specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Risk Attribute","type":"string","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data-subject-rights","integrity","minimization","non-repudiation","possession","privacy","purpose-limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities.","authentication":"Verifying the identity of users, devices, or systems before granting access.","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources.","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified.","availability":"Ensuring systems, data, and services are accessible and operational when needed.","compliance":"Adherence to applicable laws, regulations, policies, and standards.","confidentiality":"Preventing unauthorized access to or disclosure of information.","connectivity":"Maintaining secure and reliable communication between systems or components.","control":"Enabling individuals to manage how their personal data is used and shared.","data-subject-rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorized actors.","minimization":"Limiting data collection and retention to what is strictly necessary for the intended purpose.","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications.","possession":"Ensuring control or custody over data or assets, regardless of ownership.","privacy":"Protecting individuals' personal information in accordance with legal and ethical 
standards.","purpose-limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection.","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing.","utility":"Ensuring data is usable and in a format suitable for the intended purpose."}},{"title":"Custom Risk Attribute","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk attribute."},"description":{"type":"string","title":"Description","description":"A description of the custom risk attribute."}}}]},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"A human-readable name for the risk."},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact."},"description":{"type":"string","description":"Additional narrative about the risk."},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"The risk domains this risk affects."},"affects":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the subjects this risk concerns. A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged."},"relatedThreats":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. 
A reference may point to a discrete threat or to a threat scenario."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities that inform this risk."},"relatedWeaknesses":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the weaknesses that inform this risk."},"relatedRequirements":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met."},"relatedStandards":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk."},"relatedClaims":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. 
The degree of conformance is carried by the claim, not by the risk."},"relatedBusinessObjectives":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this risk threatens."},"inherentRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The assessed risk before any responses are applied."},"residualRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The assessed risk remaining after responses are applied."},"targetRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment."},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"The responses applied to this risk."},"status":{"title":"Status","description":"The lifecycle status of the risk. 
Use the custom option for a status specific to an organization's risk process.","oneOf":[{"title":"Predefined Risk Status","type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated.","assessed":"Risk has been assessed and prioritized.","mitigated":"Responses are in place reducing this risk.","accepted":"Risk has been formally accepted.","transferred":"Risk has been transferred to another party.","retired":"Risk no longer applies."}},{"title":"Custom Risk Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"rating":{"type":"object","title":"Rating","description":"A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). 
For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).","additionalProperties":false,"properties":{"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"detectability":{"type":"object","title":"Detectability","additionalProperties":false,"description":"The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.","properties":{"score":{"type":"number","minimum":0,"description":"The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier."},"description":{"type":"string","description":"A narrative explanation of the detectability assessment."}}},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. 
Supports quantitative methods that reason over uncertainty."},"rationale":{"type":"string","title":"Rationale","description":"The justification for this rating, including the method and the evidence considered."}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["very-low","low","medium","high","very-high","certain"],"meta:enum":{"very-low":"Very unlikely to occur (less than 10% probability).","low":"Unlikely to occur (10 to 30% probability).","medium":"Possible to occur (30 to 60% probability).","high":"Likely to occur (60 to 85% probability).","very-high":"Very likely to occur (85 to 99% probability).","certain":"Almost certain to occur (greater than 99% probability)."}},"score":{"type":"number","minimum":0,"description":"Numeric likelihood score on the scale defined by the methodology."},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal from 0 to 1."},"frequency":{"type":"number","minimum":0,"title":"Frequency","description":"The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. 
Unlike a probability, a frequency may exceed 1."},"timeframe":{"type":"string","title":"Timeframe","description":"The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."},"range":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A range for the probability or frequency, supporting quantitative methods that reason over distributions."},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"The factors considered when determining the likelihood level."},"rationale":{"type":"string","description":"The justification for the likelihood rating."}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","type":"string","enum":["attack-vector","contact-frequency","control-effectiveness","detectability","discoverability","exploit-maturity","exposure","motivation","opportunity","targeting","threat-capability","vulnerability"],"meta:enum":{"attack-vector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","contact-frequency":"How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.","control-effectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.","detectability":"Likelihood that the activity is detected before the risk is realized. Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.","discoverability":"Ease with which the weakness or opportunity can be found by a potential actor. 
Aligns with the OWASP Risk Rating ease of discovery factor.","exploit-maturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","targeting":"Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.","threat-capability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being 
realized.","enum":["very-low","low","medium","high","very-high","certain"],"meta:enum":{"very-low":"This factor has minimal contribution to risk realization (less than 10% influence).","low":"This factor has limited contribution to risk realization (10 to 30% influence).","medium":"This factor moderately contributes to risk realization (30 to 60% influence).","high":"This factor strongly contributes to risk realization (60 to 85% influence).","very-high":"This factor very strongly contributes to risk realization (85 to 99% influence).","certain":"This factor almost certainly contributes to risk realization (greater than 99% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.","minimum":0},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. 
A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"The qualitative impact severity level.","meta:enum":{"negligible":"Minimal impact with no significant consequences.","low":"Minor impact with limited consequences.","moderate":"Moderate impact affecting some operations.","major":"Significant impact with serious consequences.","catastrophic":"Catastrophic impact with existential consequences."}},"polarity":{"type":"string","title":"Polarity","description":"Whether the impact represents a harm or a benefit. 
Benefits support modeling opportunities and positive risk.","enum":["harm","benefit"],"meta:enum":{"harm":"A negative impact or downside.","benefit":"A positive impact or upside."}},"score":{"type":"number","minimum":0,"description":"Numeric impact score on the scale defined by the methodology."},"categories":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactCategory"},"description":"The categories of impact, including harms relevant to AI and societal risk."},"factors":{"type":"array","title":"Factors","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactFactor"},"description":"The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown."},"range":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A range for the impact score, supporting quantitative methods that reason over distributions."},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"The risk attributes affected."},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"A description of the potential impact."}}},"impactCategory":{"title":"Impact Category","description":"A category of impact, including harms relevant to AI and societal risk. 
Use the custom option for categories specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Impact Category","type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic","bias","discrimination","fairness","human-rights","environmental","societal","psychological","physical","health"],"meta:enum":{"confidentiality":"Impact on data confidentiality.","integrity":"Impact on data or system integrity.","availability":"Impact on service availability.","financial":"Financial loss or impact.","reputation":"Reputational damage.","regulatory":"Regulatory compliance impact.","safety":"Human safety impact.","privacy":"Privacy violation impact.","operational":"Operational disruption.","strategic":"Strategic business impact.","bias":"Systematic bias in automated outputs or decisions.","discrimination":"Unfair treatment of individuals or groups, including on the basis of protected attributes.","fairness":"Impact on the fair and equitable treatment of affected groups.","human-rights":"Impact on fundamental human rights, including autonomy and dignity.","environmental":"Environmental impact, including energy use and carbon emissions.","societal":"Impact on society, communities, or civic processes.","psychological":"Psychological or emotional harm.","physical":"Physical harm to people or property.","health":"Impact on physical or mental health."}},{"title":"Custom Impact Category","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom impact category."},"description":{"type":"string","title":"Description","description":"A description of the custom impact category."}}}]},"impactFactor":{"type":"object","title":"Impact Factor","description":"An individual contributing factor used to determine the overall impact of a risk or scenario. 
Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'."},"category":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactCategory","description":"The impact dimension this factor measures."},"score":{"type":"number","minimum":0,"title":"Score","description":"A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact."},"weight":{"type":"number","minimum":0,"maximum":1,"title":"Weight","description":"The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value."},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"estimateRange":{"type":"object","title":"Estimate Range","description":"A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.","additionalProperties":false,"properties":{"minimum":{"type":"number","description":"The minimum, or lower bound, estimate."},"mostLikely":{"type":"number","description":"The most likely estimate."},"maximum":{"type":"number","description":"The maximum, or upper bound, estimate."}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"The estimated financial loss, in the units given by 
currency."},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code."},"affectedUsers":{"type":"integer","description":"The number of affected users."},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."},"dataRecords":{"type":"integer","description":"The number of data records affected."},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."},"financialLossRange":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges."},"affectedGroups":{"type":"integer","minimum":0,"description":"The number of distinct groups or populations affected."}}},"riskScore":{"type":"object","title":"Risk Score","description":"The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. 
For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"The overall qualitative risk level.","meta:enum":{"info":"Informational.","low":"Low risk.","medium":"Medium risk.","high":"High risk.","critical":"Critical risk."}},"score":{"type":"number","minimum":0,"description":"Numeric risk score on the scale defined by the methodology."},"vector":{"type":"string","description":"A textual representation of the metric values used to derive the score, in the format defined by the methodology."},"methodology":{"title":"Methodology","description":"The risk rating methodology used to derive this score. Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. 
Use the custom option for methodologies not listed.","oneOf":[{"title":"Predefined Risk Methodology","type":"string","enum":["dread","fair","fmea","nist-sp-800-30","octave","owasp-risk-rating","qualitative-matrix"],"meta:enum":{"dread":"[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.","fair":"[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.","fmea":"[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.","nist-sp-800-30":"[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.","octave":"[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.","owasp-risk-rating":"[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.","qualitative-matrix":"A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25."}},{"title":"Custom Risk Methodology","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk methodology."},"description":{"type":"string","title":"Description","description":"A description of the custom risk methodology."}}}]}}},"riskResponse":{"type":"object","title":"Risk Response","description":"An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. 
Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.","required":["bom-ref","strategy"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link."},"strategy":{"type":"string","title":"Strategy","description":"The disposition chosen for the risk.","enum":["avoid","reduce","transfer","accept","exploit","enhance"],"meta:enum":{"avoid":"Eliminate the risk by removing its source or not proceeding with the activity.","reduce":"Lower the likelihood or impact of the risk through controls.","transfer":"Shift the risk to another party, for example through insurance or contract.","accept":"Take no further action and retain the risk.","exploit":"Pursue an opportunity so that a positive risk occurs.","enhance":"Increase the likelihood or benefit of a positive risk."}},"description":{"type":"string","title":"Description","description":"A description of the response."},"controls":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that implement this response."},"status":{"title":"Status","description":"The implementation status of the response.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/implementationStatus"},"effectiveness":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/effectiveness"},"cost":{"type":"string","title":"Cost","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort.","low":"Low cost and effort.","medium":"Moderate cost and effort.","high":"High cost and significant effort.","extreme":"Extreme cost and major effort."}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party 
accountable for this response. May be an inline party object or a reference to a previously declared party."},"targetDate":{"type":"string","format":"date-time","title":"Target Date","description":"The date by which this response is targeted to be implemented."},"addresses":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assessment":{"type":"object","required":["bom-ref","type","cadence","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"A human-readable name for the assessment."},"type":{"type":"array","title":"Type","minItems":1,"uniqueItems":true,"description":"The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. 
Use the custom option for kinds specific to an organization's process.","items":{"oneOf":[{"title":"Predefined Assessment Type","type":"string","enum":["security","privacy","operational","safety","financial","environmental","supply-chain","compliance","data-protection-impact","fundamental-rights-impact","ai-impact","business-impact","third-party","threat","vulnerability","model-risk","fraud"],"meta:enum":{"security":"Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.","privacy":"Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.","operational":"Operational risk assessment, evaluating risks to ongoing operations and continuity.","safety":"Safety risk assessment, evaluating risks of harm to people or property.","financial":"Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.","environmental":"Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.","supply-chain":"Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).","compliance":"Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.","data-protection-impact":"Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).","fundamental-rights-impact":"Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).","ai-impact":"Artificial intelligence impact assessment, 
evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).","business-impact":"Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.","third-party":"Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.","threat":"Threat assessment, evaluating the threats and threat actors relevant to a subject.","vulnerability":"Vulnerability assessment, evaluating weaknesses that could be exploited.","model-risk":"Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.","fraud":"Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that detect or prevent it."}},{"title":"Custom Assessment Type","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assessment type."},"description":{"type":"string","title":"Description","description":"A description of the custom assessment type."}}}]}},"cadence":{"title":"Cadence","description":"The temporal cadence or occasion on which the assessment is performed. 
Use the custom option for patterns specific to an organization's process.","oneOf":[{"title":"Predefined Assessment Cadence","type":"string","enum":["initial","periodic","continuous","triggered","ad-hoc"],"meta:enum":{"initial":"Initial, baseline assessment performed once at the outset.","periodic":"Scheduled, recurring assessment.","continuous":"Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.","triggered":"Assessment triggered by a specific event, such as a change or an incident.","ad-hoc":"Unplanned, one-off assessment, neither scheduled nor triggered by a defined event."}},{"title":"Custom Assessment Cadence","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assessment cadence."},"description":{"type":"string","title":"Description","description":"A description of the custom assessment cadence."}}}]},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed."},"scope":{"type":"string","title":"Scope","description":"The scope of the assessment, including the systems, boundaries, and what is in or out of scope."},"status":{"title":"Status","description":"The lifecycle status of the assessment. 
Use the custom option for a status specific to an organization's process.","oneOf":[{"title":"Predefined Assessment Status","type":"string","enum":["draft","in-progress","completed","approved","superseded"],"meta:enum":{"draft":"The assessment is being prepared.","in-progress":"The assessment is underway.","completed":"The assessment is finished.","approved":"The assessment has been reviewed and approved.","superseded":"The assessment has been replaced by a later one."}},{"title":"Custom Assessment Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"assessors":{"type":"array","title":"Assessors","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"The parties that performed the assessment. Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`."},"summary":{"type":"string","description":"An executive summary of the assessment."},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to risk entries evaluated in this assessment."},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"title":"Method","description":"The aggregation method used to derive the overall risk from the assessed risks. 
Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR.","oneOf":[{"title":"Predefined Aggregation Method","type":"string","enum":["maximum","sum","average","weighted-average"],"meta:enum":{"maximum":"The overall risk equals the highest individual risk.","sum":"The overall risk is the sum of the individual risks, representing total exposure.","average":"The overall risk is the mean of the individual risks.","weighted-average":"The overall risk is a weighted mean of the individual risks."}},{"title":"Custom Aggregation Method","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom aggregation method."},"description":{"type":"string","title":"Description","description":"A description of the custom aggregation method."}}}]},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"An optional explanation for custom aggregation approaches."}},"description":"The aggregated risk result for this assessment."},"assumptions":{"type":"array","title":"Assumptions","items":{"type":"string"},"description":"The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change."},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment."},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur."},"riskAppetites":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this 
assessment."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level.","meta:enum":{"none":"No priority.","low":"Low priority.","medium":"Medium priority.","high":"High priority.","critical":"Critical priority."}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level.","meta:enum":{"minimal":"Minimal impact on business operations.","low":"Low impact with minor inconvenience.","moderate":"Moderate impact affecting some operations.","high":"High impact affecting critical operations.","critical":"Critical impact with severe business consequences."}},"appetiteLevel":{"type":"string","description":"A qualitative risk appetite level, ranging from risk-averse to risk-seeking.","enum":["averse","minimal","cautious","open","hungry"],"meta:enum":{"averse":"Avoidance of risk is the priority, and only the lowest-risk options are acceptable.","minimal":"A preference for very low risk, accepting risk only where it is unavoidable.","cautious":"A preference for safe options, accepting limited and well-understood risk for reward.","open":"A willingness to accept higher risk where the potential reward justifies it.","hungry":"An active willingness to seek risk in pursuit of greater reward, within defined control limits."}},"riskAppetite":{"type":"object","title":"Risk Appetite","description":"The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. 
Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.","required":["level"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment."},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. May be an inline party object or a reference to a previously declared party."},"level":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel","description":"The overall risk appetite level."},"statement":{"type":"string","title":"Statement","description":"A narrative statement of the overall risk appetite, including any qualifications or context."},"rationale":{"type":"string","description":"The justification for this appetite, such as the strategic objective or regulatory obligation that informs it."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for setting and approving this appetite, such as a board or risk committee. 
May be an inline party object or a reference to a previously declared party."},"horizon":{"type":"string","description":"The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."},"nextReview":{"type":"string","format":"date-time","description":"When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape."},"categories":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["domain","level"],"additionalProperties":false,"properties":{"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain","description":"The risk domain this appetite entry applies to."},"level":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel","description":"The appetite level for this risk domain."},"statement":{"type":"string","description":"A narrative statement of the appetite for this risk domain."},"rationale":{"type":"string","description":"The justification for the appetite for this risk domain."}}},"description":"Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial."}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threats":{"type":"object","title":"Threats","description":"Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.","additionalProperties":false,"properties":{"threats":{"type":"array","title":"Threats","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threat"},"description":"The documented threats. 
Each describes what can go wrong, independent of any specific actor or occurrence."},"scenarios":{"type":"array","title":"Scenarios","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"The threat scenarios, each realizing one or more documented threats in a specific way."},"attackPatterns":{"type":"array","title":"Attack Patterns","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPattern"},"description":"A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference."},"attackTrees":{"type":"array","title":"Attack Trees","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackTree"},"description":"Attack trees that decompose attacker goals into sub-goals and techniques."},"attackPaths":{"type":"array","title":"Attack Paths","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPath"},"description":"Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement."},"abuseCases":{"type":"array","title":"Abuse Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that describe how the system can be exercised by an adversary."},"trustBoundaries":{"type":"array","title":"Trust Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/trustBoundary"},"description":"The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics."},"methodologies":{"type":"array","title":"Methodologies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/methodology"},"description":"The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack 
trees."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"methodology":{"title":"Threat Modeling Methodology","description":"A threat modeling methodology applied to produce this threat model. Use the custom option for methodologies not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Threat Modeling Methodology","enum":["STRIDE","LINDDUN","PASTA","MAESTRO","OWASP","TRIKE","VAST","ATFAA","attack-tree"],"meta:enum":{"STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.","PASTA":"Process for Attack Simulation and Threat Analysis.","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome.","OWASP":"OWASP threat modelling methodology.","TRIKE":"Risk-based threat modelling methodology.","VAST":"Visual, Agile, and Simple Threat modelling.","ATFAA":"Advanced Threat Framework for Autonomous AI Agents.","attack-tree":"Attack tree methodology, decomposing attacker goals into sub-goals and techniques."}},{"type":"object","title":"Custom Threat Modeling Methodology","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom threat modeling methodology."},"description":{"type":"string","title":"Description","description":"A description of the custom threat modeling methodology."}}}]},"threat":{"type":"object","title":"Threat","description":"A documented threat, describing what can go wrong independent of any specific actor or occurrence. 
A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat."},"description":{"type":"string","title":"Description","description":"A description of the threat."},"source":{"type":"string","title":"Source","description":"The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity."},"origin":{"title":"Origin","description":"The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Use the custom option for an origin not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Origin","enum":["adversarial","accidental","structural","environmental"],"meta:enum":{"adversarial":"An adversary acting with intent, such as an individual, group, organization, or nation state.","accidental":"An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.","structural":"A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.","environmental":"A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage."}},{"type":"object","title":"Custom Origin","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom origin."},"description":{"type":"string","title":"Description","description":"A description of the custom 
origin."}}}]},"categories":{"type":"array","title":"Categories","uniqueItems":true,"description":"The methodology-specific categories that this threat falls under. A threat may be categorized under more than one methodology, for example STRIDE and MAESTRO. The methodology is one of the supported threat-modelling methodologies, and it determines which category values are permitted.","items":{"type":"object","title":"Threat Category","description":"A threat category. The taxonomy determines the permitted category values.","additionalProperties":false,"required":["taxonomy","category"],"properties":{"taxonomy":{"type":"string","title":"Taxonomy","description":"The threat classification taxonomy that the category is drawn from.","enum":["STRIDE","LINDDUN","MAESTRO","MITRE-ATTACK"],"meta:enum":{"STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.","MITRE-ATTACK":"The MITRE ATT&CK framework, whose categories are its Enterprise tactics."}},"category":{"type":"string","minLength":1,"title":"Category","description":"The category within the taxonomy. 
The permitted values are determined by the taxonomy."}},"allOf":[{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"STRIDE"}}},"then":{"properties":{"category":{"enum":["spoofing","tampering","repudiation","information-disclosure","denial-of-service","elevation-of-privilege"],"meta:enum":{"spoofing":"Impersonating something or someone, violating authenticity.","tampering":"Modifying data or code, violating integrity.","repudiation":"Denying having performed an action, violating non-repudiation.","information-disclosure":"Exposing information to unauthorized parties, violating confidentiality.","denial-of-service":"Denying or degrading service to legitimate users, violating availability.","elevation-of-privilege":"Gaining capabilities without proper authorization, violating authorization."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"LINDDUN"}}},"then":{"properties":{"category":{"enum":["linkability","identifiability","non-repudiation","detectability","disclosure-of-information","unawareness","non-compliance"],"meta:enum":{"linkability":"Linking data items to learn more about an individual.","identifiability":"Identifying an individual from data.","non-repudiation":"Being unable to deny a claim, harming plausible deniability.","detectability":"Detecting that an item of interest exists.","disclosure-of-information":"Revealing personal data, violating confidentiality.","unawareness":"Individuals being unaware of the processing of their data.","non-compliance":"Deviating from policy, regulation, or best practice."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"MAESTRO"}}},"then":{"properties":{"category":{"enum":["foundation-models","data-operations","agent-frameworks","deployment-and-infrastructure","evaluation-and-observability","security-and-compliance","agent-ecosystem"],"meta:enum":{"foundation-models":"Layer 1. The core models that provide the agent's capabilities.","data-operations":"Layer 2. 
Storage, retrieval, and processing of the agent's data.","agent-frameworks":"Layer 3. The frameworks and tools that build and run agents.","deployment-and-infrastructure":"Layer 4. The infrastructure on which agents are deployed and scaled.","evaluation-and-observability":"Layer 5. Evaluation, monitoring, and observability of agent behaviour.","security-and-compliance":"Layer 6. The cross-cutting security and compliance controls.","agent-ecosystem":"Layer 7. The applications and marketplace where agents deliver value to end-users."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"MITRE-ATTACK"}}},"then":{"properties":{"category":{"enum":["reconnaissance","resource-development","initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"]}}}}]}},"weaknesses":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses","description":"The weaknesses, such as CWE classifications, that this threat exploits."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it."},"attackPatterns":{"type":"array","title":"Attack Patterns","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the attack patterns by which this threat is carried out."},"attackTrees":{"type":"array","title":"Attack Trees","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the attack trees that decompose this threat."},"abuseCases":{"type":"array","title":"Abuse Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or 
bom-ref to the abuse cases that illustrate how this threat can be exercised."},"killChainPhase":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase","description":"The phase of the cyber kill chain at which this threat operates."},"behaviors":{"type":"array","title":"Behaviors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy."},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"affectedAssets":{"type":"array","title":"Affected Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the kinds of assets this threat affects."},"relatedBusinessObjectives":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this threat endangers."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this threat."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"threatScenario":{"type":"object","title":"Threat Scenario","description":"A specific realization of a threat, in which an actor seeks to cause harm. 
The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.","additionalProperties":false,"required":["bom-ref","name","threats"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat scenario."},"description":{"type":"string","title":"Description","description":"A description of the threat scenario."},"threats":{"type":"array","title":"Threats","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party that is the actor in this scenario. 
Named adversary groups are organizations and abstract attacker classes are personas."},"threatProfile":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor."},"motivation":{"type":"array","title":"Motivation","uniqueItems":true,"description":"The motivations of the actor in this scenario.","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"],"meta:enum":{"financial":"Motivated by financial gain.","political":"Motivated by political objectives.","personal":"Motivated by personal reasons.","ideological":"Motivated by ideology or belief.","espionage":"Motivated by intelligence gathering.","destruction":"Motivated by the desire to destroy.","disruption":"Motivated by the desire to disrupt operations.","reputation":"Motivated by reputational gain or harm.","curiosity":"Motivated by curiosity.","competitive":"Motivated by competitive advantage.","revenge":"Motivated by revenge.","activism":"Motivated by activism."}}},"intent":{"type":"string","title":"Intent","description":"The intent of the actor in this scenario.","enum":["accidental","opportunistic","targeted","persistent"],"meta:enum":{"accidental":"The harm is caused without intent.","opportunistic":"The actor takes advantage of an opportunity as it arises.","targeted":"The actor deliberately targets the subject.","persistent":"The actor pursues the target persistently over time."}},"accessLevel":{"type":"string","title":"Access Level","description":"The level of access the actor is assumed to have in this scenario.","enum":["none","external","internal","privileged","physical"],"meta:enum":{"none":"No access.","external":"External access only.","internal":"Internal access, such as that of an ordinary user.","privileged":"Privileged or administrative 
access.","physical":"Physical access to the target."}},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","title":"Risk Attributes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"The security and privacy attributes that this threat would compromise if realized."},"affectedAssets":{"type":"array","title":"Affected Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets affected in this scenario."},"relatedRisks":{"type":"array","title":"Related Risks","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risks that this scenario contributes to."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities exploited in this scenario."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"threatProfiles":{"type":"array","title":"Threat Profiles","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatProfile"},"description":"Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat."},"threatProfile":{"type":"object","title":"Threat Profile","description":"A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. 
Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.","additionalProperties":false,"required":["bom-ref"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat profile."},"description":{"type":"string","title":"Description","description":"A description of the threat profile."},"sophistication":{"type":"string","title":"Sophistication","description":"The level of technical sophistication an actor characterized by this profile is assumed to possess.","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication.","minimal":"Minimal sophistication, relying on readily available tools and techniques.","intermediate":"Intermediate technical skills.","advanced":"Advanced skills consistent with a persistent and well-resourced actor.","expert":"Expert skills consistent with the most capable actors."}},"resources":{"type":"string","title":"Resources","description":"The level of resources an actor characterized by this profile is assumed to have available.","enum":["minimal","limited","moderate","substantial","unlimited"],"meta:enum":{"minimal":"Minimal resources.","limited":"Limited resources.","moderate":"Moderate resources.","substantial":"Substantial resources.","unlimited":"Effectively unlimited resources."}},"skillSet":{"type":"array","title":"Skill Set","uniqueItems":true,"items":{"type":"string"},"description":"The specific skills an actor characterized by this profile is assumed to possess."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"attackVector":{"type":"object","title":"Attack Vector","description":"The conditions under which an attack is possible, following the convention of 
common vulnerability scoring systems.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The context by which an attack is possible.","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via a network.","adjacent":"Exploitable from an adjacent network.","local":"Requires local access.","physical":"Requires physical access."}},"complexity":{"type":"string","title":"Complexity","description":"The complexity of the attack.","enum":["low","high"],"meta:enum":{"low":"The attack has low complexity.","high":"The attack has high complexity."}},"privileges":{"type":"string","title":"Privileges","description":"The level of privileges required to carry out the attack.","enum":["none","low","high"],"meta:enum":{"none":"No privileges are required.","low":"Low privileges are required.","high":"High privileges are required."}},"userInteraction":{"type":"string","title":"User Interaction","description":"Whether the attack requires interaction from a user other than the attacker.","enum":["none","required"],"meta:enum":{"none":"No user interaction is required.","required":"User interaction is required."}},"scope":{"type":"string","title":"Scope","description":"Whether a successful attack affects resources beyond the vulnerable component.","enum":["unchanged","changed"],"meta:enum":{"unchanged":"The attack affects only the vulnerable component.","changed":"The attack affects resources beyond the vulnerable component."}}}},"attackPattern":{"type":"object","title":"Attack Pattern","description":"A description of the common attributes and approach of an attack, typically aligned with CAPEC. 
Techniques are aligned with MITRE ATT&CK.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link."},"capecId":{"type":"integer","minimum":1,"title":"CAPEC Identifier","description":"The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the attack pattern."},"description":{"type":"string","title":"Description","description":"A description of the attack pattern."},"prerequisites":{"type":"array","title":"Prerequisites","uniqueItems":true,"items":{"type":"string"},"description":"The conditions that must hold for the attack to be possible."},"techniques":{"type":"array","title":"Techniques","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"The techniques used to carry out the attack, typically aligned with MITRE ATT&CK."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this attack pattern."},"examples":{"type":"array","title":"Examples","uniqueItems":true,"items":{"type":"string"},"description":"Real-world examples of the attack pattern."}}},"technique":{"type":"object","title":"Technique","description":"A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"The identifier of the technique, such as a MITRE ATT&CK technique identifier."},"name":{"type":"string","title":"Name","description":"The name of the technique."},"tactic":{"type":"string","title":"Tactic","description":"The tactic that the 
technique supports, such as a MITRE ATT&CK tactic."},"procedure":{"type":"string","title":"Procedure","description":"The specific procedure by which the technique is carried out."}}},"attackTree":{"type":"object","title":"Attack Tree","description":"A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. One node is the root, representing the attacker goal.","additionalProperties":false,"required":["bom-ref","nodes"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link."},"name":{"type":"string","title":"Name","description":"The name of the attack tree."},"description":{"type":"string","title":"Description","description":"A description of the attack tree."},"root":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Root BOM Reference","description":"Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the node that no other node lists as a child."},"nodes":{"type":"array","title":"Nodes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackTreeNode"},"description":"The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting."}}},"attackTreeNode":{"type":"object","title":"Attack Tree Node","description":"A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. 
The hierarchy is expressed by these references rather than by nesting.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The goal, sub-goal, or technique that the node represents."},"description":{"type":"string","title":"Description","description":"A description of the node."},"operator":{"type":"string","title":"Operator","description":"Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.","enum":["and","or"],"meta:enum":{"and":"All child nodes are required to achieve this node.","or":"Any one child node is sufficient to achieve this node."}},"children":{"type":"array","title":"Children","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. 
A child node may be shared by more than one parent."},"attackPattern":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the attack pattern that this node represents."},"weakness":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the weakness that this node exploits."},"cost":{"type":"string","title":"Cost","description":"The relative cost to an attacker of achieving this node.","enum":["negligible","low","moderate","high","prohibitive"],"meta:enum":{"negligible":"Negligible cost.","low":"Low cost.","moderate":"Moderate cost.","high":"High cost.","prohibitive":"Prohibitive cost."}},"skill":{"type":"string","title":"Skill","description":"The skill level required to achieve this node.","enum":["none","basic","intermediate","advanced","expert"],"meta:enum":{"none":"No special skill is required.","basic":"Basic skill is required.","intermediate":"Intermediate skill is required.","advanced":"Advanced skill is required.","expert":"Expert skill is required."}},"detectability":{"type":"string","title":"Detectability","description":"How readily an attempt to achieve this node can be detected.","enum":["undetectable","low","moderate","high"],"meta:enum":{"undetectable":"The attempt is effectively undetectable.","low":"The attempt is difficult to detect.","moderate":"The attempt is moderately detectable.","high":"The attempt is readily detectable."}},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this node."}}},"abuseCase":{"type":"object","title":"Abuse Case","description":"A description of how an adversary can misuse the system to achieve a malicious goal. 
An abuse case is the security counterpart of a use case and reuses its flow structure.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the abuse case, typically expressed as a malicious goal."},"description":{"type":"string","title":"Description","description":"A narrative describing how the system can be misused or abused."},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona."},"realizes":{"type":"array","title":"Realizes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this abuse case realizes."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"The conditions that must hold before the abuse case can begin."},"mainFlow":{"type":"array","title":"Main Flow","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered steps the abuser follows."},"targets":{"type":"array","title":"Targets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets or flows targeted in this abuse case."},"detectionOpportunities":{"type":"array","title":"Detection Opportunities","uniqueItems":true,"items":{"type":"string"},"description":"The signals, logs, or controls that present an opportunity to detect the 
abuse."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this abuse case."}}},"exploitability":{"type":"object","title":"Exploitability","description":"The degree to which a threat can be exploited in practice.","additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The maturity of available exploitation capability.","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Exploitation is theoretically possible but has not been demonstrated.","proof-of-concept":"A proof of concept exists.","functional":"A functional exploit exists.","weaponized":"A weaponized exploit is in use."}},"complexity":{"type":"string","title":"Complexity","description":"The complexity of exploitation.","enum":["trivial","low","medium","high","very-high"],"meta:enum":{"trivial":"Exploitation is trivial.","low":"Exploitation has low complexity.","medium":"Exploitation has medium complexity.","high":"Exploitation has high complexity.","very-high":"Exploitation has very high complexity."}},"skillRequired":{"type":"string","title":"Skill Required","description":"The skill level required to exploit the threat.","enum":["none","basic","intermediate","advanced","expert"],"meta:enum":{"none":"No special skill is required.","basic":"Basic skill is required.","intermediate":"Intermediate skill is required.","advanced":"Advanced skill is required.","expert":"Expert skill is required."}},"automatable":{"type":"boolean","title":"Automatable","description":"Whether exploitation can be automated."}}},"indicators":{"type":"object","title":"Indicators","description":"The observable indicators associated with a threat.","additionalProperties":false,"properties":{"compromise":{"type":"array","title":"Indicators of 
Compromise","uniqueItems":true,"items":{"type":"string"},"description":"The indicators that a compromise has occurred."},"attack":{"type":"array","title":"Indicators of Attack","uniqueItems":true,"items":{"type":"string"},"description":"The indicators that an attack is under way."},"signatures":{"type":"array","title":"Signatures","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"The detection signatures associated with the threat."}}},"signature":{"type":"object","title":"Signature","description":"A detection signature for a threat.","additionalProperties":false,"required":["type","value"],"properties":{"type":{"type":"string","title":"Type","description":"The type of signature.","enum":["yara","snort","regex","hash","behavior"],"meta:enum":{"yara":"A YARA rule.","snort":"A Snort rule.","regex":"A regular expression.","hash":"A cryptographic hash.","behavior":"A behavioural signature."}},"value":{"type":"string","minLength":1,"title":"Value","description":"The signature value or pattern."},"description":{"type":"string","title":"Description","description":"A description of what the signature detects."},"confidence":{"type":"string","title":"Confidence","description":"The confidence level of a detection by this signature.","enum":["low","medium","high"],"meta:enum":{"low":"Low confidence.","medium":"Medium confidence.","high":"High confidence."}}}},"trustBoundary":{"type":"object","title":"Trust Boundary","description":"A security annotation marking an architectural boundary as one across which trust changes. 
It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.","additionalProperties":false,"required":["bom-ref","boundary"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link."},"boundary":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates."},"name":{"type":"string","title":"Name","description":"The name of the trust boundary."},"description":{"type":"string","title":"Description","description":"A description of the trust boundary."},"trustLevel":{"type":"string","title":"Trust Level","description":"The trust level differential across the boundary.","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"meta:enum":{"untrusted":"The boundary separates an untrusted zone.","semi-trusted":"The boundary separates a semi-trusted zone.","trusted":"The boundary separates a trusted zone.","highly-trusted":"The boundary separates a highly trusted zone."}},"threatsAtBoundary":{"type":"array","title":"Threats At Boundary","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that could exploit this boundary."},"controlsAtBoundary":{"type":"array","title":"Controls At Boundary","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. 
Where the control and boundary are declared together, prefer the control's appliesTo property."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"killChainPhase":{"type":"string","title":"Kill Chain Phase","description":"A phase of the cyber kill chain.","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target.","weaponization":"Creating a malicious payload.","delivery":"Transmitting the payload to the target.","exploitation":"Exploiting a vulnerability or weakness.","installation":"Installing malicious software or establishing a foothold.","command-and-control":"Establishing a command and control channel.","actions-on-objectives":"Achieving the goals of the attack."}},"attackPathStep":{"type":"object","title":"Attack Path Step","description":"A single step in an attack path, describing one action in the progression of an attack.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"A short name for the step."},"description":{"type":"string","minLength":1,"title":"Description","description":"The action the adversary performs in this step."},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique","description":"The technique used in this step, typically aligned with MITRE ATT&CK."},"attackPattern":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the attack pattern applied in this step."},"killChainPhase":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase","description":"The phase of the cyber kill chain at which this step operates."},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the element or zone from which this step 
originates."},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the element or zone this step reaches."},"boundaryCrossed":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the trust boundary this step crosses."},"exploits":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits."},"mitigations":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that detect or prevent this step."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"attackPath":{"type":"object","title":"Attack Path","description":"An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. 
An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.","required":["bom-ref","name","steps"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","minLength":1,"title":"Name","description":"A human-readable name for the attack path."},"description":{"type":"string","title":"Description","description":"A description of the attack path."},"objective":{"type":"string","title":"Objective","description":"The attacker objective that the path works toward, such as exfiltrating data or achieving code execution."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the adversary that follows this path."},"steps":{"type":"array","title":"Steps","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPathStep"},"description":"The ordered steps of the path, from the initial action to the objective. 
The order of the array is significant."},"realizes":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this path realizes."},"relatedRisks":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risks that this path contributes to."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the actors 
that participate in this use case, representing anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder 
sign-off."},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."},"businessObjectives":{"type":"array","title":"Business Objectives","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this use case supports."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the 
use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such 
as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}},"useCaseAssertions":{"type":"array","title":"Use Case Assertions","description":"A list of assertions describing how a component relates to use cases defined in the BOM.","uniqueItems":true,"items":{"type":"object","title":"Use Case Assertion","description":"An assertion linking one or more use cases to a component, specifying the nature of the relationship.","required":["assertionType","useCaseRefs"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the relationship between the component and the use case.","enum":["extends","implements","inhibits","not-applicable","not-assessed","other","participates-in","supports","triggers","validates"],"meta:enum":{"extends":"The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.","implements":"The component implements or realises the use case, providing the primary capability that makes the use case functional.","inhibits":"The component is known to interfere with or block the correct execution of the use case.","not-applicable":"The use case does not pertain to this component. 
The evaluator has reviewed the use case and determined it is irrelevant.","not-assessed":"The relationship between the component and the use case has not yet been evaluated.","other":"A relationship that does not fit into the other predefined assertion types.","participates-in":"The component participates in the use case but is not solely responsible for its implementation.","supports":"The component provides enabling infrastructure for the use case without directly implementing or participating in it.","triggers":"The component initiates or kicks off the use case without being responsible for its implementation.","validates":"The component validates, tests, or verifies the correct execution of the use case."}},"useCaseRefs":{"type":"array","title":"Use Case References","description":"A list of BOM references linking to use case objects defined in the BOM.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"description":{"type":"string","title":"Description","description":"Additional context or clarification regarding the assertion."}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings. 
Consumers should consider ratings in prioritization decisions; source ratings may differ and aid prioritization.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"weaknesses":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses","description":"The weaknesses, such as CWE classifications, that give rise to this vulnerability."},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. 
This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware 
components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"mitigatingControls":{"type":"array","title":"Mitigating Controls","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime."},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. 
If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be 
obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit 
history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. 
The controls may be referenced using the mitigatingControls property."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 
There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-weakness-2.0":{"type":"null","title":"CycloneDX Weakness Model","$defs":{"weaknesses":{"type":"array","title":"Weaknesses","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weakness"},"description":"A collection of weaknesses, such as CWE classifications, that classify an underlying flaw."},"weakness":{"title":"Weakness","description":"A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.","oneOf":[{"type":"object","title":"CWE Weakness","description":"A weakness identified by its CWE identifier.","additionalProperties":false,"required":["cweId"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."},"cweId":{"type":"integer","minimum":1,"title":"CWE Identifier","description":"The Common Weakness Enumeration (CWE) identifier that classifies this weakness."}}},{"type":"object","title":"Named Weakness","description":"A weakness identified by a free-text name, used where no CWE classification applies.","additionalProperties":false,"required":["name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the weakness elsewhere 
using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the weakness."},"description":{"type":"string","title":"Description","description":"A description of the weakness."}}}]}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"threats":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threats"},"risks":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risks"},"controls":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/controls"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"profiles":{"$ref":"#/$defs/cyclonedx-profile-2.0/$defs/profiles"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json index 71ecd0482..21895cc3a 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json @@ -13,6 +13,9 @@ "$schema": { "type": "string" }, + "$comment": { + "type": "string" + }, "specFormat": { "type": "string", "title": "Specification Format", 
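Review bot: The `$comment` property this hunk adds between `$schema` and `specFormat` does not appear in the minified bundle shown on the same page — the `cyclonedx-2.0` definition there lists `$schema` followed directly by `specFormat` under `additionalProperties: false` — so, if both bundles are generated from the same source, a BOM carrying a top-level `$comment` would validate against one artifact and be rejected by the other. Regenerate both bundled files in the same step, or add a CI check that the `.min.schema.json` is byte-equivalent to the minified pretty bundle, so the two cannot drift. Since `$comment` is an unconstrained free-text string that every consumer will parse, consider giving it the same documentation as sibling properties, e.g. `"description": "Free-text comment. Not interpreted by validators; consumers must treat it as untrusted text."`, and a `maxLength` if the project bounds other free-text fields.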
@@ -64,6 +67,15 @@
 "vulnerabilities": {
 "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"
 },
+ "threats": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threats"
+ },
+ "risks": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risks"
+ },
+ "controls": {
+ "$ref": "#/$defs/cyclonedx-control-2.0/$defs/controls"
+ },
 "annotations": {
 "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations"
 },
@@ -76,6 +88,12 @@
 "definitions": {
 "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
 },
+ "blueprints": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"
+ },
+ "profiles": {
+ "$ref": "#/$defs/cyclonedx-profile-2.0/$defs/profiles"
+ },
 "citations": {
 "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
 },
@@ -778,1808 +796,2377 @@ } } }, - "cyclonedx-citation-2.0": { + "cyclonedx-behavior-2.0": { "type": "null", - "title": "CycloneDX Citation Model", + "title": "CycloneDX Behavior Model", "$defs": { - "citations": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation" - }, - "uniqueItems": true, - "title": "Citations", - "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." - }, - "citation": { + "behaviors": { "type": "object", - "title": "Citation", - "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", + "title": "Behaviors", + "description": "Behaviors performed by objects within the BOM.", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference" - }, - "pointers": { + "instances": { "type": "array", + "title": "Instances", + "description": "Individual behavior instances.", + "uniqueItems": true, "items": { - "type": "string", - "title": "Field Reference", - "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." - }, - "minItems": 1, - "title": "Field References", - "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." 
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance" + } }, - "expressions": { + "graphs": { "type": "array", + "title": "Graphs", + "description": "Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the two.", + "uniqueItems": true, "items": { - "type": "string", - "title": "Path Expression", - "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." - }, - "minItems": 1, - "title": "Path Expressions", - "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." - }, - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time when the attribution was made or the information was supplied." - }, - "attributedTo": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Attributed To", - "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." - }, - "process": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Process Reference", - "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." - }, - "note": { - "type": "string", - "title": "Note", - "description": "A description or comment about the context or quality of the data attribution." - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures", - "title": "Signature", - "description": "A digital signature verifying the authenticity or integrity of the attribution." 
- } - }, - "required": [ - "timestamp" - ], - "anyOf": [ - { - "required": [ - "attributedTo" - ] - }, - { - "required": [ - "process" - ] - } - ], - "oneOf": [ - { - "required": [ - "pointers" - ] - }, - { - "required": [ - "expressions" - ] - } - ] - } - } - }, - "cyclonedx-common-2.0": { - "type": "null", - "title": "CycloneDX Common Model", - "$defs": { - "refType": { - "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "type": "string", - "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" - }, - "refLinkType": { - "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "bomLinkDocumentType": { - "title": "BOM-Link Document", - "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLinkElementType": { - "title": "BOM-Link Element", - "description": "Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLink": { - "title": "BOM-Link", - "anyOf": [ - { - "title": "BOM-Link Document", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorGraph" + } } - ] + } }, - "hash": { + "behaviorInstance": { "type": "object", - "title": "Hash", + "title": "Behavior Instance", + "description": "A behavior performed by one or more objects within the BOM.", + "additionalProperties": false, "required": [ - "alg", - "content" + "bom-ref", + "behavior" ], - "additionalProperties": false, "properties": { - "alg": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm", - "title": "Hash Algorithm", - "description": "The standard, well-known algorithm used to compute the hash." + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "content": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue", - "title": "Hash Value", - "description": "The value of the hash computed using the standard, well-known algorithm." + "behavior": { + "$ref": "../behavior-taxonomy.schema.json", + "title": "Behavior", + "description": "The behavior from the taxonomy." 
+ }, + "acknowledgment": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment" + }, + "trigger": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + }, + "actors": { + "type": "array", + "title": "Actors", + "description": "References using bom-link or bom-ref to objects that perform this behavior.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "targets": { + "type": "array", + "title": "Targets", + "description": "References using bom-link or bom-ref to objects affected by this behavior.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } } } }, - "hashAlgorithm": { + "trigger": { "type": "string", - "title": "Hash Algorithm", - "description": "The algorithm that generated the hash value.", + "title": "Trigger", + "description": "The condition or event that initiates a behavior.", "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3", - "Streebog-256", - "Streebog-512" - ] - }, - "hashValue": { - "type": "string", - "title": "Hash Value", - "description": "The value of the hash.", - "examples": [ - "3942447fac867ae5cdb3229b658f4d48" + "startup", + "shutdown", + "scheduled", + "event-driven", + "user-initiated", + "api-call", + "signal", + "condition-based", + "continuous", + "on-demand", + "unknown" ], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + "meta:enum": { + "startup": "Triggered during system or component initialisation.", + "shutdown": "Triggered during system or component termination.", + "scheduled": "Triggered at predetermined times or intervals.", + "event-driven": "Triggered in response to a specific event.", + "user-initiated": "Triggered by explicit user action.", + "api-call": "Triggered by an API invocation.", + "signal": "Triggered by a system or 
inter-process signal.", + "condition-based": "Triggered when specific conditions are met.", + "continuous": "Runs continuously during normal operation.", + "on-demand": "Triggered on demand as needed.", + "unknown": "The trigger mechanism is not known." + } }, - "mediaType": { + "ordering": { "type": "string", - "title": "Media Type", - "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.", - "examples": [ - "text/plain", - "application/json", - "image/png" + "title": "Ordering", + "description": "Execution semantics for the nodes of a graph when transitions do not fully specify the order.", + "enum": [ + "sequential", + "unordered", + "parallel" ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + "meta:enum": { + "sequential": "Nodes execute in ordinal order. Each completes before the next begins.", + "unordered": "All nodes execute, but the order is not guaranteed.", + "parallel": "Nodes may execute concurrently." + } }, - "attachment": { + "acknowledgment": { + "type": "array", + "title": "Acknowledgment", + "description": "Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "declared", + "observed" + ], + "meta:enum": { + "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.", + "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." 
+ } + } + }, + "behaviorGraph": { "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", + "title": "Behavior Graph", + "description": "A graph of nodes joined by transitions that models behaviour over time. A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.", + "additionalProperties": false, "required": [ - "content" + "bom-ref", + "nodes" ], - "additionalProperties": false, "properties": { - "mediaType": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "encoding": { + "name": { "type": "string", - "title": "Encoding", - "description": "Specifies the optional encoding the text is represented in.", + "title": "Name", + "description": "The name of the graph." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the graph and the behaviour it models." + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "An optional hint at the intent of the graph.", "enum": [ - "base64" + "activity", + "state-machine", + "mixed" ], "meta:enum": { - "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + "activity": "The graph models a process or activity flow whose nodes are activities.", + "state-machine": "The graph models a state machine whose nodes are states.", + "mixed": "The graph mixes activity and state nodes." } }, - "content": { - "type": "string", - "title": "Attachment Text", - "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
- } - } - }, - "base64": { - "type": "string", - "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", - "description": "A Base64-encoded string." - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - }, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "externalReference": { - "type": "object", - "title": "External Reference", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", - "required": [ - "url", - "type" - ], - "additionalProperties": false, - "properties": { - "url": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink" - } - ], - "title": "URL", - "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." 
+ "subject": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Subject", + "description": "Reference using bom-link or bom-ref to the object whose behaviour this graph describes." }, - "comment": { - "type": "string", - "title": "Comment", - "description": "A comment describing the external reference" + "acknowledgment": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment" }, - "type": { - "type": "string", - "title": "Type", - "description": "Specifies the type of external reference.", - "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "source-distribution", - "distribution", - "distribution-intake", - "license", - "build-meta", - "build-system", - "release-notes", - "security-contact", - "model-card", - "log", - "configuration", - "evidence", - "formulation", - "attestation", - "threat-model", - "adversary-model", - "risk-assessment", - "vulnerability-assertion", - "exploitability-statement", - "pentest-report", - "static-analysis-report", - "dynamic-analysis-report", - "runtime-analysis-report", - "component-analysis-report", - "maturity-report", - "certification-report", - "codified-infrastructure", - "quality-metrics", - "poam", - "perspective", - "electronic-signature", - "digital-signature", - "rfc-9116", - "patent", - "patent-family", - "patent-assertion", - "citation", - "swid-tag", - "other" - ], - "meta:enum": { - "vcs": "Version Control System", - "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", - "website": "Website", - "advisories": "Security advisories", - "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", - "mailing-list": "Mailing list or discussion group", - "social": "Social media account", - "chat": "Real-time chat platform", - "documentation": "Documentation, guides, or how-to instructions", - "support": "Community or commercial support", - 
"source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.", - "distribution": "Direct or repository download location", - "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", - "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", - "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", - "build-system": "Reference to an automated build system", - "release-notes": "Reference to release notes", - "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", - "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", - "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", - "configuration": "Parameters or settings that may be used by other components or services.", - "evidence": "Information used to substantiate a claim.", - "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", - "attestation": "Human or machine-readable 
statements containing facts, evidence, or testimony.", - "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", - "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", - "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", - "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", - "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. 
The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", - "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", - "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", - "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", - "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", - "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", - "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", - "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", - "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", - "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. 
It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", - "perspective": "A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.", - "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", - "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", - "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-assertion": "References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", - "swid-tag": "A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.", - "other": "Use this if no other types accurately describe the purpose of the external reference." + "ordering": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/ordering" + }, + "trigger": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + }, + "nodes": { + "type": "array", + "title": "Nodes", + "description": "The nodes of the graph.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorNode" } }, - "hashes": { + "transitions": { "type": "array", + "title": "Transitions", + "description": "The transitions between nodes. Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash" + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/transition" + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "ordering": { + "const": "sequential" + } + }, + "required": [ + "ordering" + ] }, - "title": "Hashes", - "description": "The hashes of the external reference (if applicable)." 
- }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "then": { + "properties": { + "nodes": { + "items": { + "required": [ + "ordinal" + ] + } + } + } + } } - } + ] }, - "postalAddress": { + "behaviorNode": { "type": "object", - "title": "Postal address", - "description": "An address used to identify a contactable location.", + "title": "Behavior Node", + "description": "A single node in a behavior graph. The kind determines what the node represents and which additional properties apply.", "additionalProperties": false, + "required": [ + "bom-ref", + "kind" + ], "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "country": { + "kind": { "type": "string", - "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 country code." + "title": "Kind", + "description": "The kind of node.", + "enum": [ + "activity", + "state", + "event", + "gateway", + "initial", + "final" + ], + "meta:enum": { + "activity": "An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.", + "state": "A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.", + "event": "An intermediate event that occurs during the graph.", + "gateway": "A branch or merge point whose outgoing transitions carry the guards.", + "initial": "The starting point of the graph or of a composite node.", + "final": "A completion point of the graph or of a composite node." 
+ } }, - "region": { + "name": { "type": "string", - "title": "Region", - "description": "The region or state in the country.", - "examples": [ - "Texas" - ] + "title": "Name", + "description": "The name of the node." }, - "locality": { + "description": { "type": "string", - "title": "Locality", - "description": "The locality or city within the country.", - "examples": [ - "Austin" - ] + "title": "Description", + "description": "A description of the node." }, - "postOfficeBoxNumber": { - "type": "string", - "title": "Post Office Box Number", - "description": "The post office box number.", - "examples": [ - "901" - ] + "ordinal": { + "type": "integer", + "title": "Ordinal", + "minimum": 1, + "description": "Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order." }, - "postalCode": { - "type": "string", - "title": "Postal Code", - "description": "The postal code.", - "examples": [ - "78758" - ] + "behavior": { + "$ref": "../behavior-taxonomy.schema.json", + "title": "Behavior", + "description": "For an activity node, the behavior performed, drawn from the taxonomy. Mutually exclusive with 'ref' and 'graph'." }, - "streetAddress": { - "type": "string", - "title": "Street Address", - "description": "The street address.", - "examples": [ - "100 Main Street" - ] - } - } - }, - "organizationalEntity": { - "type": "object", - "title": "Organizational Entity", - "additionalProperties": false, - "properties": { - "bom-ref": { + "ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, - "name": { - "type": "string", - "title": "Organization Name", - "description": "The name of the organization", - "examples": [ - "Example Inc." - ] + "title": "Behavior Reference", + "description": "For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'." }, - "address": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", - "title": "Organization Address", - "description": "The physical address (location) of the organization" + "graph": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Graph Reference", + "description": "A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region." }, - "url": { + "actors": { "type": "array", + "title": "Actors", + "description": "References using bom-link or bom-ref to objects that perform this node.", + "uniqueItems": true, "items": { - "type": "string", - "format": "iri-reference" - }, - "title": "Organization URL(s)", - "description": "The URL of the organization. Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } }, - "contact": { + "targets": { "type": "array", - "title": "Organizational Contact", - "description": "A contact at the organization. Multiple contacts are allowed.", + "title": "Targets", + "description": "References using bom-link or bom-ref to objects affected by this node.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "eventType": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger", + "title": "Event Type", + "description": "For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven." 
+ }, + "gatewayKind": { + "type": "string", + "title": "Gateway Kind", + "description": "For a gateway node, the branching semantics applied across its outgoing transitions.", + "enum": [ + "exclusive", + "inclusive", + "parallel", + "complex" + ], + "meta:enum": { + "exclusive": "Exactly one outgoing transition is taken, the first whose guard holds.", + "inclusive": "Every outgoing transition whose guard holds is taken.", + "parallel": "All outgoing transitions are taken concurrently, forking and later joining execution.", + "complex": "Branch selection follows a complex condition described in the transition guards." } + }, + "onEntry": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "On Entry", + "description": "For a state node, a reference to a behavior instance performed when the state is entered." + }, + "onExit": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "On Exit", + "description": "For a state node, a reference to a behavior instance performed when the state is exited." + }, + "doActivity": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Do Activity", + "description": "For a state node, a reference to a behavior instance performed while the subject remains in the state." } - } + }, + "allOf": [ + { + "if": { + "properties": { + "kind": { + "const": "activity" + } + }, + "required": [ + "kind" + ] + }, + "then": { + "oneOf": [ + { + "required": [ + "behavior" + ] + }, + { + "required": [ + "ref" + ] + }, + { + "required": [ + "graph" + ] + } + ] + } + } + ] }, - "organizationalContact": { + "transition": { "type": "object", - "title": "Organizational Contact", + "title": "Transition", + "description": "A directed edge from one node to another. 
In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.", "additionalProperties": false, + "required": [ + "source", + "target" + ], "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", "title": "Name", - "description": "The name of a contact", - "examples": [ - "Contact name" - ] + "description": "The name of the transition." }, - "email": { + "description": { "type": "string", - "format": "idn-email", - "title": "Email Address", - "description": "The email address of the contact.", - "examples": [ - "firstname.lastname@example.com" - ] + "title": "Description", + "description": "A description of the transition." }, - "phone": { + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Source", + "description": "Reference to the source node." + }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Target", + "description": "Reference to the target node." + }, + "trigger": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + }, + "guard": { "type": "string", - "title": "Phone", - "description": "The phone number of the contact.", - "examples": [ - "800-555-1212" - ] + "title": "Guard", + "description": "A guard condition; the transition fires only when it evaluates to true." + }, + "default": { + "type": "boolean", + "title": "Default", + "description": "Whether this transition is taken when no other guard from the same source node holds." 
+ }, + "effect": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Effect", + "description": "Reference to a behavior instance performed when the transition fires." } } - }, - "organizationalEntityOrContact": {}, - "properties": { + } + } + }, + "cyclonedx-blueprint-2.0": { + "type": "null", + "title": "CycloneDX Blueprint Model", + "$defs": { + "blueprints": { "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "title": "Blueprints", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint" + }, + "description": "A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling." }, - "property": { + "blueprint": { "type": "object", - "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "title": "Blueprint", + "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.", "required": [ - "name" + "name", + "modelTypes" ], + "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "name": { "type": "string", "title": "Name", - "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + "description": "The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.", + "minLength": 1 }, - "value": { + "description": { "type": "string", - "title": "Value", - "description": "The value of the property." - } - }, - "additionalProperties": false - }, - "extensibleProperties": { - "type": "object", - "title": "Extensible Properties", - "patternProperties": { - "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { - "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. 
This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", - "examples": [ - "ext::", - "ext:example.org:myExtension" - ], - "if": { - "type": [ - "object", - "array" - ] + "title": "Description", + "description": "A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience." + }, + "metadata": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/metadata" + }, + "modelTypes": { + "type": "array", + "title": "Model Types", + "minItems": 1, + "uniqueItems": true, + "description": "The types of models being represented.", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType" + } + }, + "scope": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope" + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset" }, - "then": { + "description": "The assets (components, services, data, actors) included in the model." + }, + "behaviors": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors" + }, + "dataStores": { + "type": "array", + "title": "Data Stores", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model." + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity." + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics." 
+ }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" + }, + "description": "Boundaries between zones." + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow" + }, + "description": "Data, control, or process flows between assets." + }, + "relationships": { + "type": "array", + "title": "Relationships", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationship" + }, + "description": "Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows." + }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets." + }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption" + }, + "description": "Assumptions made during the modeling process." + }, + "visualizations": { + "type": "array", + "title": "Visualizations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization" + }, + "description": "Visual representations of the model." + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { "type": "object", - "required": [ - "$schema" - ], "properties": { - "$schema": { - "type": "string", - "format": "uri" + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Use Case Reference", + "description": "A reference to a use case object defined in definitions." 
+ }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case." + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." } } }, - "else": { - "type": [ - "string", - "number", - "boolean", - "null" - ] - } - } - } - }, - "baseObject": { - "description": "Base object for all CycloneDX entities. Automatically includes support for extensible properties.", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" - } - ], - "properties": { - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." + }, + "requirements": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model." 
}, "externalReferences": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", - "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." - }, - "lifecycle": { - "type": "object", - "title": "Lifecycle", - "description": "The product lifecycle(s) that this BOM represents.", + "modelType": { + "title": "Model Type", + "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.", "oneOf": [ { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + "type": "string", + "title": "Predefined Model Type", + "description": "A predefined model type from the enumeration.", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "data-flow", + "deployment", + "logical", + "network", + "operational", + "physical", + "process" + ], + "meta:enum": { + "architecture": "An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. 
Broader than a single view, it frames the overall design.", + "behavioral": "A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.", + "conceptual": "A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. The first level of the conceptual, logical, and physical progression.", + "data-flow": "A data flow model showing how data moves between processes, data stores, and external entities. This is the substrate most commonly used for STRIDE per-element threat analysis.", + "deployment": "A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.", + "logical": "A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. The middle level of the conceptual, logical, and physical progression.", + "network": "A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.", + "operational": "An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.", + "physical": "A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.", + "process": "A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out." 
+ } }, { - "title": "Custom Lifecycle Phase", + "type": "object", + "title": "Custom Model Type", + "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.", + "additionalProperties": false, "required": [ "name" ], - "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", - "description": "The name of the lifecycle phase" + "minLength": 1, + "description": "The name of the custom model type." }, "description": { "type": "string", "title": "Description", - "description": "The description of the lifecycle phase" + "description": "A description of the custom model type." } } } ] }, - "lifecycles": { - "type": "array", - "title": "Lifecycles", - "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" - } - }, - "preDefinedLifecyclePhase": { - "title": "Pre-Defined Phase", - "required": [ - "phase" - ], + "metadata": { + "type": "object", + "title": "Blueprint Metadata", + "description": "Metadata about the creation, review, and approval of the blueprint.", "additionalProperties": false, "properties": { - "phase": { + "timestamp": { "type": "string", - "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.", - "enum": [ - "design", - "pre-build", - "build", - "post-build", - "operations", - "discovery", - "decommission" - ], - "meta:enum": { - "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.", - "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", - "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", - "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", - "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", - "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", - "decommission": "BOM containing inventory that will be, or has been retired from operations." - } + "title": "Timestamp", + "format": "date-time", + "description": "When the blueprint was created or last updated." 
+ }, + "authors": { + "type": "array", + "title": "Authors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + }, + "description": "The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `author`." + }, + "reviewer": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party that reviewed the blueprint. The party's `roles` should include `reviewer`." + }, + "reviewDate": { + "type": "string", + "title": "Review Date", + "format": "date-time", + "description": "When the blueprint was reviewed." + }, + "approver": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority." + }, + "approvalDate": { + "type": "string", + "title": "Approval Date", + "format": "date-time", + "description": "When the blueprint was approved." + }, + "ordinalVersion": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod" } } }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "title": "Tags", - "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.",
- "examples": [
- "json-parser",
- "object-persistence",
- "text-to-image",
- "translation",
- "object-detection"
- ]
- },
- "commit": {
+ "validityPeriod": {
 "type": "object",
- "title": "Commit",
- "description": "Specifies an individual commit",
+ "title": "Validity Period",
+ "description": "The period during which the blueprint is considered valid.",
 "additionalProperties": false,
 "properties": {
- "uid": {
+ "start": {
 "type": "string",
- "title": "UID",
- "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."
+ "title": "Start",
+ "format": "date-time",
+ "description": "When the blueprint becomes valid."
 },
- "url": {
+ "end": {
 "type": "string",
- "title": "URL",
- "description": "The URL to the commit. This URL will typically point to a commit in a version control system.",
- "format": "iri-reference"
- },
- "author": {
- "title": "Author",
- "description": "The author who created the changes in the commit",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"
- },
- "committer": {
- "title": "Committer",
- "description": "The person who committed or pushed the commit",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"
+ "title": "End",
+ "format": "date-time",
+ "description": "When the blueprint expires."
 },
- "message": {
+ "reviewFrequency": {
 "type": "string",
- "title": "Message",
- "description": "The text description of the contents of the commit"
+ "title": "Review Frequency",
+ "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$",
+ "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)."
}
 }
 },
- "patch": {
+ "scope": {
 "type": "object",
- "title": "Patch",
- "description": "Specifies an individual patch",
+ "title": "Scope",
+ "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.",
 "required": [
- "type"
+ "name"
 ],
 "additionalProperties": false,
 "properties": {
- "type": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "name": {
 "type": "string",
- "enum": [
- "unofficial",
- "monkey",
- "backport",
- "cherry-pick"
- ],
- "meta:enum": {
- "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).",
- "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).",
- "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).",
- "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software."
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the scope."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of what is included and excluded from the model."
+ },
+ "boundaries": {
+ "type": "array",
+ "title": "Boundaries",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 1
 },
- "title": "Patch Type",
- "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."
+ "description": "Explicit boundaries of the model."
},
- "diff": {
- "title": "Diff",
- "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff"
+ "includedComponents": {
+ "type": "array",
+ "title": "Included Components",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to components explicitly included."
 },
- "resolves": {
+ "excludedComponents": {
 "type": "array",
+ "title": "Excluded Components",
+ "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 },
- "title": "Resolves",
- "description": "A collection of issues the patch resolves"
- }
- }
- },
- "diff": {
- "type": "object",
- "title": "Diff",
- "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff",
- "additionalProperties": false,
- "properties": {
- "text": {
- "title": "Diff text",
- "description": "Specifies the optional text of the diff",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
+ "description": "References using bom-link or bom-ref to components explicitly excluded."
 },
- "url": {
- "type": "string",
- "title": "URL",
- "description": "Specifies the URL to the diff",
- "format": "iri-reference"
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
 },
- "issue": {
+ "asset": {
 "type": "object",
- "title": "Issue",
- "description": "An individual issue that has been resolved.",
- "required": [
- "type"
- ],
+ "title": "Asset",
+ "description": "A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.",
 "additionalProperties": false,
 "properties": {
- "type": {
- "type": "string",
- "enum": [
- "defect",
- "enhancement",
- "security"
- ],
- "meta:enum": {
- "defect": "A fault, flaw, or bug in software.",
- "enhancement": "A new feature or behavior in software.",
- "security": "A special type of defect which impacts security."
- },
- "title": "Issue Type",
- "description": "Specifies the type of issue"
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "description": "Unique identifier for the asset."
 },
- "id": {
- "type": "string",
- "title": "Issue ID",
- "description": "The identifier of the issue assigned by the source of the issue"
+ "componentRef": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the component this asset represents."
 },
- "name": {
- "type": "string",
- "title": "Issue Name",
- "description": "The name of the issue"
+ "serviceRef": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the service this asset represents."
 },
- "description": {
- "type": "string",
- "title": "Issue Description",
- "description": "A description of the issue"
+ "partyRef": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor."
 },
- "source": {
- "type": "object",
- "title": "Source",
- "description": "The source of the issue where it is documented",
- "additionalProperties": false,
- "properties": {
- "name": {
+ "type": {
+ "title": "Asset Type",
+ "description": "The kind of asset. Use the custom option for kinds not covered by the enumeration.",
+ "oneOf": [
+ {
 "type": "string",
- "title": "Name",
- "description": "The name of the source.",
- "examples": [
- "National Vulnerability Database",
- "NVD",
- "Apache"
- ]
+ "title": "Predefined Asset Type",
+ "enum": [
+ "actor",
+ "agent",
+ "api",
+ "broker",
+ "cache",
+ "component",
+ "container",
+ "data",
+ "data-store",
+ "device",
+ "endpoint",
+ "function",
+ "gateway",
+ "infrastructure",
+ "interface",
+ "model",
+ "module",
+ "network",
+ "process",
+ "queue",
+ "resource",
+ "service",
+ "stream",
+ "subsystem",
+ "system",
+ "tool"
+ ],
+ "meta:enum": {
+ "actor": "An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.",
+ "agent": "Autonomous AI or software agent.",
+ "api": "API endpoint or interface.",
+ "broker": "Message broker or event bus infrastructure.",
+ "cache": "Caching layer or in-memory data store.",
+ "component": "Software component or application.",
+ "container": "Container or orchestration unit.",
+ "data": "Dataset.",
+ "data-store": "Database, file system, or data repository.",
+ "device": "Physical or IoT device.",
+ "endpoint": "Service endpoint or URL.",
+ "function": "Serverless function or lambda.",
+ "gateway": "API gateway, load balancer, or proxy.",
+ "infrastructure": "Infrastructure component.",
+ "interface": "System interface or contract.",
+ "model": "AI or machine learning model.",
+ "module": "Software module or package.",
+ "network": "Network segment or resource.",
+ "process": "Business or system process.",
+ "queue": "Message queue or task queue.",
+ "resource": "Generic resource or artifact.",
+ "service": "Service or microservice.",
+ "stream": "Data stream or event stream.",
+ "subsystem": "Part of a larger system.",
+ "system": "Complete system or application.",
+ "tool": "A tool or capability invoked by an agent, such as a function, API, or service exposed to an AI agent."
+ }
 },
- "url": {
- "type": "string",
- "title": "URL",
- "description": "The url of the issue documentation as provided by the source",
- "format": "iri-reference"
+ {
+ "type": "object",
+ "title": "Custom Asset Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom asset type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom asset type."
+ }
+ }
 }
- }
+ ]
 },
- "references": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the asset."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of the asset's role and purpose."
+ },
+ "zone": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the zone containing this asset."
+ },
+ "classification": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"
+ },
+ "tags": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags"
+ },
+ "responsibilities": {
 "type": "array",
+ "title": "Responsibilities",
+ "uniqueItems": true,
 "items": {
 "type": "string",
- "format": "iri-reference"
+ "minLength": 1
 },
- "title": "References",
- "description": "A collection of URL's for reference. Multiple URLs are allowed.",
- "examples": [
- "https://example.com"
+ "description": "Responsibilities or functions of this asset."
+ },
+ "interfaces": {
+ "type": "array",
+ "title": "Interfaces",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface"
+ },
+ "description": "Interfaces exposed by this asset."
+ },
+ "useCases": {
+ "type": "array",
+ "title": "Use Cases",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."
+ },
+ "authentication": {
+ "type": "array",
+ "title": "Authentication",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"
+ },
+ "description": "Authentication methods supported/required."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "ownership": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ }
+ },
+ "oneOf": [
+ {
+ "title": "Component Reference Asset",
+ "description": "An asset defined by reference to a component declared elsewhere in the BOM.",
+ "required": [
+ "bom-ref",
+ "componentRef"
+ ]
+ },
+ {
+ "title": "Service Reference Asset",
+ "description": "An asset defined by reference to a service declared elsewhere in the BOM.",
+ "required": [
+ "bom-ref",
+ "serviceRef"
+ ]
+ },
+ {
+ "title": "Party Reference Asset",
+ "description": "An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.",
+ "required": [
+ "bom-ref",
+ "partyRef"
+ ]
+ },
+ {
+ "title": "Inline Asset",
+ "description": "An asset defined inline within the blueprint with an explicit type and name.",
+ "required": [
+ "bom-ref",
+ "type",
+ "name"
 ]
 }
- }
+ ]
 },
- "identifiableAction": {
+ "dataStore": {
 "type": "object",
- "title": "Identifiable Action",
- "description": "Specifies an individual commit",
+ "title": "Data Store",
+ "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.",
+ "required": [
+ "bom-ref",
+ "name",
+ "type"
+ ],
 "additionalProperties": false,
 "properties": {
- "timestamp": {
- "type": "string",
- "format": "date-time",
- "title": "Timestamp",
- "description": "The timestamp in which the action occurred"
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
 "name": {
 "type": "string",
 "title": "Name",
- "description": "The name of the individual who performed the action"
+ "minLength": 1,
+ "description": "Name of the data store."
 },
- "email": {
+ "description": {
 "type": "string",
- "format": "idn-email",
- "title": "E-mail",
- "description": "The email address of the individual who performed the action"
+ "title": "Description",
+ "description": "Purpose and contents of the store."
+ },
+ "type": {
+ "title": "Type",
+ "description": "The type of data store. Use the custom option for technologies not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Data Store Type",
+ "enum": [
+ "block",
+ "blockchain",
+ "cache",
+ "column-family",
+ "data-lake",
+ "data-warehouse",
+ "document",
+ "event-log",
+ "file",
+ "graph",
+ "hierarchical",
+ "in-memory",
+ "key-value",
+ "ledger",
+ "message-queue",
+ "multi-model",
+ "object",
+ "registry",
+ "relational",
+ "search",
+ "spatial",
+ "time-series",
+ "vector"
+ ],
+ "meta:enum": {
+ "block": "Block storage exposing raw volumes.",
+ "blockchain": "Distributed ledger or blockchain storage.",
+ "cache": "Caching tier.",
+ "column-family": "Wide-column or column-family store.",
+ "data-lake": "Data lake or lakehouse for raw and semi-structured data.",
+ "data-warehouse": "Analytical data warehouse optimised for OLAP workloads.",
+ "document": "Document database.",
+ "event-log": "Event log or append-only streaming store.",
+ "file": "File system or network-attached storage.",
+ "graph": "Graph database.",
+ "hierarchical": "Hierarchical or tree-structured database, such as a directory store.",
+ "in-memory": "In-memory data store used as a primary store.",
+ "key-value": "Key-value store.",
+ "ledger": "Immutable, append-only ledger database.",
+ "message-queue": "Message queue or broker with persistent storage.",
+ "multi-model": "A store supporting multiple data models.",
+ "object": "Object storage.",
+ "registry": "Configuration or service registry.",
+ "relational": "Relational database.",
+ "search": "Search index or full-text search engine.",
+ "spatial": "Spatial or geospatial database.",
+ "time-series": "Time-series database.",
+ "vector": "Vector database for embeddings and similarity search."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Data Store Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom data store type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom data store type."
+ }
+ }
+ }
+ ]
+ },
+ "vendor": {
+ "type": "string",
+ "title": "Vendor",
+ "description": "The vendor or publisher of the data store product."
+ },
+ "product": {
+ "type": "string",
+ "title": "Product",
+ "description": "The name of the data store product."
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the data store product."
+ },
+ "environment": {
+ "type": "string",
+ "title": "Environment",
+ "description": "Deployment environment (prod, test, etc.)."
+ },
+ "zone": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the zone where the asset resides."
+ },
+ "location": {
+ "type": "string",
+ "title": "Location",
+ "description": "Physical or logical hosting location."
+ },
+ "technologies": {
+ "type": "array",
+ "title": "Technologies",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Supporting technologies or services."
+ },
+ "dataSets": {
+ "type": "array",
+ "title": "Data Sets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to data sets stored here."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
 },
- "locale": {
- "type": "string",
- "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
- "title": "Locale",
- "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
- },
- "signatures": {
- "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures",
- "title": "Signatures",
- "description": "Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."
- }
- }
- },
- "cyclonedx-component-2.0": {
- "type": "null",
- "title": "CycloneDX Component Model",
- "$defs": {
- "components": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"
- },
- "uniqueItems": true,
- "title": "Components"
- },
- "component": {
+ "dataSet": {
 "type": "object",
- "title": "Component",
+ "title": "Data Set",
+ "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.",
 "required": [
- "type",
- "name"
+ "bom-ref",
+ "name",
+ "description"
 ],
 "additionalProperties": false,
 "properties": {
- "type": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "name": {
 "type": "string",
- "enum": [
- "application",
- "framework",
- "library",
- "container",
- "platform",
- "operating-system",
- "device",
- "device-driver",
- "firmware",
- "file",
- "machine-learning-model",
- "data",
- "cryptographic-asset"
- ],
- "meta:enum": {
- "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.",
- "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.",
- "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.",
- "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).",
- "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.",
- "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).",
- "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).",
- "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).",
- "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).",
- "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.",
- "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.",
- "data": "A collection of discrete values that convey information.",
- "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
- },
- "title": "Component Type",
- "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.",
- "examples": [
- "library"
- ]
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the dataset."
 },
- "mime-type": {
+ "description": {
 "type": "string",
- "title": "Mime-Type",
- "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.",
- "examples": [
- "image/jpeg"
- ],
- "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
+ "title": "Description",
+ "minLength": 1,
+ "description": "What information is contained and why it exists."
},
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "dataProfiles": {
+ "type": "array",
+ "title": "Data Profiles",
+ "description": "Data profiles that govern the dataset. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice"
+ }
 },
- "parties": {
- "$ref": "#/$defs/cyclonedx-party-2.0/$defs/parties"
+ "dataObjects": {
+ "type": "array",
+ "title": "Data Objects",
+ "description": "The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataObject"
+ }
 },
- "group": {
- "type": "string",
- "title": "Component Group",
- "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.",
- "examples": [
- "com.acme"
- ]
+ "recordCount": {
+ "type": "integer",
+ "title": "Record Count",
+ "description": "Approximate number of records."
+ },
+ "owners": {
+ "type": "array",
+ "title": "Owners",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice"
+ },
+ "description": "Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "placements": {
+ "type": "array",
+ "title": "Placements",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "title": "Placement",
+ "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.",
+ "required": [
+ "dataStore"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "dataStore": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the store holding this dataset."
+ },
+ "encrypted": {
+ "type": "boolean",
+ "title": "Encrypted",
+ "description": "Whether the dataset is encrypted at this location."
+ },
+ "retention": {
+ "type": "string",
+ "title": "Retention",
+ "description": "Retention policy for this placement."
+ },
+ "replicated": {
+ "type": "boolean",
+ "title": "Replicated",
+ "description": "Indicates if this placement is a replica."
+ }
+ }
+ },
+ "description": "Where the dataset resides."
 },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "interface": {
+ "type": "object",
+ "required": [
+ "name",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
 "name": {
 "type": "string",
- "title": "Component Name",
- "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery",
- "examples": [
- "tomcat-catalina"
- ]
+ "description": "Name of the interface."
 },
- "version": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version",
- "title": "Component Version",
- "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."
+ "type": {
+ "title": "Type",
+ "description": "The type of interface. Use the custom option for types not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Interface Type",
+ "enum": [
+ "rest",
+ "graphql",
+ "grpc",
+ "soap",
+ "messaging",
+ "file",
+ "database",
+ "cli",
+ "gui",
+ "api",
+ "event",
+ "stream"
+ ]
+ },
+ {
+ "type": "object",
+ "title": "Custom Interface Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom interface type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom interface type."
+ }
+ }
+ }
+ ]
 },
- "versionRange": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange",
- "title": "Component Version Range",
- "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch"
- }
- },
- "notes": {
- "type": "string",
- "title": "Notes",
- "description": "Notes, observations, and other non-structured commentary describing the components pedigree."
 }
- }
+ ]
 },
- "components": {
+ "parent": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the parent zone if this is a sub-zone."
+ },
+ "characteristics": {
 "type": "array",
+ "title": "Characteristics",
+ "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"
+ "type": "string"
 },
- "uniqueItems": true,
- "title": "Components",
- "description": "A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."
- },
- "evidence": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence",
- "title": "Evidence",
- "description": "Provides the ability to document evidence collected through various forms of extraction or analysis."
- },
- "releaseNotes": {
- "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes",
- "title": "Release notes",
- "description": "Specifies release notes."
+ "description": "Key characteristics of this zone."
 },
- "modelCard": {
- "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard",
- "title": "AI/ML Model Card"
- },
- "data": {
+ "constraints": {
 "type": "array",
+ "title": "Constraints",
+ "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData"
+ "type": "string"
 },
- "title": "Data",
- "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types."
- },
- "cryptoProperties": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties",
- "title": "Cryptographic Properties"
- },
- "tags": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags",
- "title": "Tags"
+ "description": "Constraints or limitations of this zone."
},
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
- },
- "externalReferences": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
- },
- "signatures": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures"
 }
- },
- "allOf": [
- {
- "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.",
- "not": {
- "required": [
- "version",
- "versionRange"
- ]
- }
- },
- {
- "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.",
- "if": {
- "properties": {
- "isExternal": {
- "const": false
- }
- }
- },
- "then": {
- "not": {
- "required": [
- "versionRange"
- ]
- }
- },
- "else": true
- }
- ]
- },
- "componentOrChoice": {
- "title": "Component or Component Choice",
- "description": "An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.",
- "oneOf": [
- {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
- },
- {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentChoice"
- }
- ]
+ }
 },
- "componentChoice": {
+ "boundary": {
 "type": "object",
- "title": "Component Choice",
- "description": "A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.",
+ "title": "Boundary",
+ "description": "An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.",
 "required": [
- "type",
- "operator",
- "components"
+ "bom-ref",
+ "zones"
 ],
 "additionalProperties": false,
 "properties": {
- "type": {
- "type": "string",
- "const": "component-choice",
- "title": "Type",
- "description": "Discriminator for a component-choice entry. The value shall be the literal string `component-choice`."
- },
 "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
 "name": {
 "type": "string",
 "title": "Name",
- "description": "A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.",
- "examples": [
- "2N2222 or PN2222A Transistor",
- "U1 5V LDO Regulator"
- ]
- },
- "description": {
- "type": "string",
- "title": "Description",
- "description": "A description of the choice and the rationale behind the alternates."
+ "minLength": 1,
+ "description": "Name of the boundary."
 },
- "operator": {
- "type": "string",
- "enum": [
- "OR",
- "XOR",
- "AND"
- ],
- "meta:enum": {
- "OR": "Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.",
- "XOR": "Exactly one of the contained components is installed in any single instance. Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.",
- "AND": "All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun."
- },
- "title": "Operator",
- "description": "The logical relationship between the contained components."
+ "type": {
+ "title": "Type",
+ "description": "The type of boundary. Use the custom option for types not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Boundary Type",
+ "enum": [
+ "data",
+ "functional",
+ "network",
+ "organizational",
+ "physical",
+ "process",
+ "trust"
+ ],
+ "meta:enum": {
+ "data": "A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.",
+ "functional": "A functional boundary between areas of differing responsibility or capability.",
+ "network": "A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.",
+ "organizational": "An organizational or administrative boundary between assets under different ownership or authority.",
+ "physical": "A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.",
+ "process": "A process or execution boundary between isolation contexts, such as between a sandbox and its host.",
+ "trust": "A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input validation are enforced and a key trigger for threat analysis."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Boundary Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom boundary type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom boundary type."
+ }
+ }
+ }
+ ]
 },
- "components": {
+ "zones": {
 "type": "array",
- "minItems": 2,
+ "title": "Zones",
 "uniqueItems": true,
+ "minItems": 2,
 "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 },
- "title": "Components",
- "description": "Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits."
+ "description": "References using bom-link or bom-ref to the zones this boundary connects or separates."
+ },
+ "crossingRequirements": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"
+ },
+ "sessionManagement": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/sessionManagement"
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
- },
- "externalReferences": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
- }
- }
- },
- "version": {
- "description": "A single disjunctive version identifier, for a component or service.",
- "type": "string",
- "maxLength": 1024,
- "examples": [
- "9.0.14",
- "v1.33.7",
- "7.0.0-M1",
- "2.0pre1",
- "1.0.0-beta1",
- "0.8.15"
- ]
- },
- "versionRange": {
- "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec",
- "type": "string",
- "minLength": 1,
- "maxLength": 4096,
- "examples": [
- "vers:cargo/9.0.14",
- "vers:npm/1.2.3|>=2.0.0|<5.0.0",
- "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1",
- "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1",
- "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"
- ]
- },
- "copyrightText": {
- "type": "string",
- "title": "Component Copyright",
- "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.",
- "examples": [
- "Acme Inc"
- ]
- },
- "copyright": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"
- },
- "title": "Copyright",
- "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection."
- },
- "copyrightObject": {
- "type": "object",
- "title": "Copyright",
- "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.",
- "required": [
- "text"
- ],
- "additionalProperties": false,
- "properties": {
- "text": {
- "type": "string",
- "title": "Copyright Text",
- "description": "The textual content of the copyright."
 }
 }
 },
- "componentEvidence": {
+ "crossingRequirements": {
 "type": "object",
- "title": "Evidence",
- "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.",
+ "title": "Crossing Requirements",
+ "description": "The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.",
 "additionalProperties": false,
 "properties": {
- "identity": {
+ "authentication": {
 "type": "array",
- "title": "Identity Evidence",
- "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.", + "title": "Authentication", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary." }, - "occurrences": { + "authorization": { "type": "array", - "title": "Occurrences", - "description": "Evidence of individual instances of a component spread across multiple locations.", + "title": "Authorization", + "uniqueItems": true, "items": { - "type": "object", - "required": [ - "location" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "location": { - "type": "string", - "title": "Location", - "description": "The location or path to where the component was found." - }, - "line": { - "type": "integer", - "minimum": 0, - "title": "Line Number", - "description": "The line number where the component was found." - }, - "offset": { - "type": "integer", - "minimum": 0, - "title": "Offset", - "description": "The offset where the component was found." - }, - "symbol": { - "type": "string", - "title": "Symbol", - "description": "The symbol name that was found associated with the component." - }, - "additionalContext": { - "type": "string", - "title": "Additional Context", - "description": "Any additional context of the detected component (e.g. a code snippet)." - }, - "accountInfo": { - "type": "string", - "title": "Account Information", - "description": "The account or user information associated with the occurrence." 
- }, - "systemOwner": { - "type": "string", - "title": "System Owner", - "description": "The owner of the system where the component was found." - }, - "startTime": { - "type": "string", - "format": "date-time", - "title": "Start Time", - "description": "The date and time when the process detecting the occurrence started." - }, - "endTime": { - "type": "string", - "format": "date-time", - "title": "End Time", - "description": "The date and time when the process detecting the occurrence ended." - }, - "usageCount": { - "type": "integer", - "minimum": 0, - "title": "Usage Count", - "description": "The number of times the component occurred in the detecting process." - } - } - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced at this boundary." }, - "callstack": { - "type": "object", - "title": "Call Stack", - "description": "Evidence of the components use through the callstack.", - "additionalProperties": false, - "properties": { - "frames": { - "type": "array", - "title": "Frames", - "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", - "items": { - "type": "object", - "required": [ - "module" - ], - "additionalProperties": false, - "properties": { - "package": { - "title": "Package", - "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", - "type": "string" - }, - "module": { - "title": "Module", - "description": "A module or class that encloses functions/methods and other code.", - "type": "string" - }, - "function": { - "title": "Function", - "description": "A block of code designed to perform a particular task.", - "type": "string" - }, - "parameters": { - "title": "Parameters", - "description": "Arguments that are passed to the module or function.", - "type": "array", - "items": { - "type": "string" - } - }, - "line": { - "title": "Line", - "description": "The line number the code that is called resides on.", - "type": "integer" - }, - "column": { - "title": "Column", - "description": "The column the code that is called resides.", - "type": "integer" - }, - "fullFilename": { - "title": "Full Filename", - "description": "The full path and filename of the module.", - "type": "string" - } - } - } - } - } + "dataValidation": { + "type": "boolean", + "title": "Data Validation", + "description": "Whether data is validated when crossing this boundary." }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "License Evidence" + "dataTransformation": { + "type": "boolean", + "title": "Data Transformation", + "description": "Whether data is transformed when crossing this boundary." }, - "copyright": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + "logging": { + "type": "boolean", + "title": "Logging", + "description": "Whether crossings are logged." 
+ }, + "monitoring": { + "type": "boolean", + "title": "Monitoring", + "description": "Whether crossings are monitored." + }, + "rateLimit": { + "type": "string", + "title": "Rate Limit", + "description": "Rate limiting policy." + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing." } } }, - "componentIdentityEvidence": { + "sessionManagement": { "type": "object", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component.", - "required": [ - "scheme" - ], + "title": "Session Management", + "description": "The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.", "additionalProperties": false, "properties": { - "scheme": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityScheme" + "accessTokenExpires": { + "type": "boolean", + "title": "Access Token Expires", + "description": "Whether access tokens issued for this boundary expire." }, - "confidence": { - "type": "number", + "accessTokenTtl": { + "type": "integer", + "title": "Access Token Time To Live", "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + "description": "Validity period of an access token, in seconds." }, - "concludedValue": { - "type": "string", - "title": "Concluded Value", - "description": "The value of the scheme that has been concluded based on the aggregate of all methods (if available)." + "refreshToken": { + "type": "boolean", + "title": "Refresh Token", + "description": "Whether refresh tokens are issued for this boundary." 
}, - "methods": { - "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique", - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ] - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } - } + "refreshTokenExpires": { + "type": "boolean", + "title": "Refresh Token Expires", + "description": "Whether refresh tokens expire." }, - "tools": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + "refreshTokenTtl": { + "type": "integer", + "title": "Refresh Token Time To Live", + "minimum": 0, + "description": "Validity period of a refresh token, in seconds." 
+ }, + "idleTimeout": { + "type": "integer", + "title": "Idle Timeout", + "minimum": 0, + "description": "Period of inactivity after which the session ends, in seconds." + }, + "absoluteTimeout": { + "type": "integer", + "title": "Absolute Timeout", + "minimum": 0, + "description": "Period after session creation after which the session ends regardless of activity, in seconds." + }, + "userLogout": { + "type": "boolean", + "title": "User Logout", + "description": "Whether a user can explicitly end the session." + }, + "systemLogout": { + "type": "boolean", + "title": "System Logout", + "description": "Whether the system can end the session without user action." } } }, - "componentData": { + "relationship": { "type": "object", + "title": "Relationship", + "description": "A typed structural relationship from one element to one or more others, complementing the runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.", "additionalProperties": false, "required": [ - "type" + "ref" ], - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, - "type": { - "type": "string", - "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.", - "enum": [ - "source-code", - "configuration", - "dataset", - "definition", - "other" - ], - "meta:enum": { - "source-code": "Any type of code, code snippet, or data-as-code.", - "configuration": "Parameters or settings that may be used by other components.", - "dataset": "A collection of data.", - "definition": "Data that can be used to create new instances of what the definition defines.", - "other": "Any other type of data that does not fit into existing definitions." + "oneOf": [ + { + "required": [ + "aggregates" + ] + }, + { + "required": [ + "associates" + ] + }, + { + "required": [ + "composes" + ] + }, + { + "required": [ + "contains" + ] + }, + { + "required": [ + "dependsOn" + ] + }, + { + "required": [ + "generalizes" + ] + }, + { + "required": [ + "realizes" + ] + }, + { + "required": [ + "serves" + ] + }, + { + "required": [ + "custom" + ] + } + ], + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to the subject element of the relationship." + }, + "aggregates": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Aggregates", + "description": "The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole." + }, + "associates": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Associates", + "description": "The subject has a general association with each target." + }, + "composes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Composes", + "description": "The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole." 
+ }, + "contains": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Contains", + "description": "The subject contains or nests each target." + }, + "dependsOn": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Depends On", + "description": "The subject depends on each target." + }, + "generalizes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Generalizes", + "description": "The subject is a generalisation of each target, as in inheritance." + }, + "realizes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Realizes", + "description": "The subject realises or implements each target." + }, + "serves": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Serves", + "description": "The subject provides a service to each target." + }, + "custom": { + "type": "array", + "title": "Custom Relationships", + "description": "Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Custom Relationship", + "additionalProperties": false, + "required": [ + "type", + "targets" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "minLength": 1, + "description": "The name of the custom relationship kind." + }, + "targets": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Targets", + "description": "The targets of the custom relationship." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom relationship kind." 
+ } + } } + } + } + }, + "relationshipTargets": { + "type": "array", + "title": "Relationship Targets", + "description": "References using bom-link or bom-ref to the target elements of a relationship.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", + "required": [ + "bom-ref", + "name", + "source", + "destination", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { - "title": "Dataset Name", - "description": "The name of the dataset.", - "type": "string" + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or description of the flow." }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { + "description": { + "type": "string", + "title": "Description", + "description": "Detailed description of what flows and why." + }, + "type": { + "title": "Type", + "description": "The type of flow. 
Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" + "title": "Predefined Flow Type", + "enum": [ + "control", + "data", + "energy", + "event", + "financial", + "message", + "physical", + "process", + "signal" + ], + "meta:enum": { + "control": "Control or command flow.", + "data": "Data or information flow.", + "energy": "Power or energy flow.", + "event": "Event or notification flow.", + "financial": "Financial, value, or payment flow.", + "message": "Message or communication flow.", + "physical": "Physical movement of goods or materials.", + "process": "Business process flow.", + "signal": "Hardware or system signal." + } }, - "properties": { - "type": "array", - "title": "Configuration Properties", - "description": "Provides the ability to document name-value parameters used for configuration.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + { + "type": "object", + "title": "Custom Flow Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom flow type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom flow type." + } } } - } + ] }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange." 
}, - "sensitiveData": { + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the destination of the flow. The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange." + }, + "bidirectional": { + "type": "boolean", + "title": "Bidirectional", + "default": false, + "description": "Whether flow occurs in both directions." + }, + "synchronous": { + "type": "boolean", + "title": "Synchronous", + "description": "Whether the flow is synchronous or asynchronous." + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the data carried by this flow is encrypted in transit." + }, + "volume": { + "type": "string", + "title": "Volume", + "description": "Expected volume or frequency of flow." + }, + "timing": { + "type": "string", + "title": "Timing", + "description": "Timing characteristics (real-time, batch, scheduled)." + }, + "protocols": { "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data in a dataset.", + "title": "Protocols", + "uniqueItems": true, "items": { "type": "string" + }, + "description": "Communication protocols used by this flow." + }, + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. 
Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice" } }, - "graphics": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + "dataObjects": { + "type": "array", + "title": "Data Objects", + "description": "The specific data objects carried by this flow. Each object names a payload and may reference one of the flow's data profiles for its governing policy.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataObject" + } }, - "description": { - "title": "Dataset Description", - "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", - "type": "string" + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required for this flow." }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced on this flow." + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "identifiers": { - "type": "array", - "title": "Identifiers", - "description": "Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. 
For unverified or inferred identity data, use evidence.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identifier" - }, - "uniqueItems": true - }, - "identifier": { + "actor": { "type": "object", - "title": "Identifier", - "description": "A set of identifiers attributed to a single asserting party.", + "title": "Actor", + "description": "An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.", "required": [ - "party", - "identities" + "bom-ref", + "party" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier." }, "party": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Asserting Party", - "description": "Reference using bom-link or bom-ref to the party making the identity assertion." + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "title": "Party", + "description": "The party that this actor binds to the modelled system. May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document." }, - "identities": { + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. 
Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint." + }, + "permissions": { "type": "array", - "title": "Identities", - "description": "The discrete identity claims asserted by the party.", + "title": "Permissions", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identity" + "type": "string" }, - "minItems": 1, - "uniqueItems": true + "description": "The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint." + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Zone", + "description": "Reference using bom-link or bom-ref to the trust zone in which the actor operates." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "identity": { + "assumption": { "type": "object", - "title": "Identity", - "description": "A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.", + "title": "Assumption", + "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", "required": [ - "scheme", - "value" + "description" ], "additionalProperties": false, "properties": { - "scheme": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityScheme" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "value": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityValue" + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies." + }, + "topic": { + "title": "Topic", + "description": "The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Assumption Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities.", + "business": "Assumption about business requirements, constraints, or organizational context.", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations.", + "operational": "Assumption about operational procedures, staffing, or maintenance practices.", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics.", + "security": "Assumption about threat landscape, trust boundaries, or security controls.", + "technical": "Assumption about technology choices, capabilities, or technical constraints." + } + }, + { + "type": "object", + "title": "Custom Assumption Topic", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assumption topic." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assumption topic." + } + } + } + ] + }, + "relatedAssets": { + "type": "array", + "title": "Related Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes." 
+ }, + "validity": { + "type": "string", + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + "verified" + ], + "meta:enum": { + "invalid": "The assumption has been disproven or is no longer applicable.", + "unknown": "The validity of the assumption has not yet been assessed.", + "unverified": "The assumption has been identified but not yet validated.", + "verified": "The assumption has been confirmed as true through validation." + }, + "default": "unknown", + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound." + }, + "impact": { + "type": "string", + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components." + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." + }, + "validationMethod": { + "type": "string", + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement." + }, + "validationDate": { + "type": "string", + "title": "Validation Date", + "format": "date-time", + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation." } } }, - "identityScheme": { - "title": "Identifier Scheme", - "description": "The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.", - "oneOf": [ - { + "visualization": { + "type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or title of the visualization." + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of what the visualization shows." + }, + "type": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType" + }, + "attachment": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL to the diagram if stored externally." 
+ }, + "level": { "type": "string", + "title": "Level", "enum": [ - "purl", - "cpe", - "swid", - "swhid", - "omniborid", - "epc-rfid", - "giai", - "gln", - "gmn", - "gtin-8", - "gtin-12", - "gtin-13", - "gtin-14", - "mpn", - "part-number", - "model-number", - "sku", - "serial-number", - "asset-tag", - "udi-di", - "udi-pi", - "fcc-id", - "imei", - "mac-address", - "tei" + "detailed", + "high", + "medium", + "overview" ], "meta:enum": { - "purl": "Package-URL identifier, conforming to the Package-URL specification.", - "cpe": "Common Platform Enumeration name, conforming to NIST Interagency Report 7695.", - "swid": "Software Identification tag identifier, conforming to ISO/IEC 19770-2.", - "swhid": "Software Heritage persistent identifier.", - "omniborid": "OmniBOR Artifact Identifier, also known as a gitoid.", - "epc-rfid": "Electronic Product Code - RFID (EPC Tag Data Standard)", - "giai": "Global Individual Asset Identifier (GIAI)", - "gln": "Global Location Number (GLN)", - "gmn": "Global Model Number (GMN)", - "gtin-8": "Global Trade Identification Number (GTIN-8 / EAN/UCC-8)", - "gtin-12": "Global Trade Identification Number (GTIN-12 / UPC-A)", - "gtin-13": "Global Trade Identification Number (GTIN-13 / EAN/UCC-13)", - "gtin-14": "Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)", - "mpn": "Manufacturer Part Number, assigned by the original manufacturer.", - "part-number": "Part number assigned by a distributor, integrator, or operator.", - "model-number": "Product model number assigned by the manufacturer.", - "sku": "Stock Keeping Unit, assigned by a seller or distributor.", - "serial-number": "Unique identifier for an individual instance of a product.", - "asset-tag": "Asset tag assigned by the owning or operating organization.", - "udi-di": "Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.", - "udi-pi": "Unique Device Identifier, Production Identifier portion, conforming 
to ISO/IEC 15459 and applicable regulatory frameworks.", - "fcc-id": "United States Federal Communications Commission equipment identifier.", - "imei": "International Mobile Equipment Identity, conforming to 3GPP TS 23.003.", - "mac-address": "IEEE 802 Media Access Control address.", - "tei": "Transparency Exchange Identifier conforming to the Transparency Exchange API specification." + "detailed": "Fine-grained view showing implementation-level specifics.", + "high": "High-level view showing major components and relationships.", + "medium": "Intermediate view balancing breadth and depth.", + "overview": "Top-level summary providing a broad perspective of the system." + }, + "description": "Level of detail in the visualization." + }, + "elements": { + "type": "array", + "title": "Elements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to elements shown in this visualization." + }, + "interactive": { + "type": "boolean", + "title": "Interactive", + "description": "Whether the visualization is interactive." + }, + "layers": { + "type": "array", + "title": "Layers", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Layers or views available in the visualization." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "visualizationType": { + "type": "object", + "title": "Visualization Type", + "description": "The type of diagram or visual representation.", + "oneOf": [ + { + "title": "Predefined Visualization Type", + "description": "A visualization type selected from a predefined set of well-known diagram types.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "activity", + "architecture", + "attack-tree", + "block", + "class", + "code", + "communication", + "component", + "container", + "context", + "data-flow", + "deployment", + "entity", + "flowchart", + "matrix", + "mind-map", + "network", + "process", + "sequence", + "state", + "timing", + "use-case" + ], + "meta:enum": { + "activity": "Activity or workflow diagram.", + "architecture": "System architecture diagram.", + "attack-tree": "Attack tree diagram showing alternative paths to a goal.", + "block": "Block diagram, including SysML block definition and internal block diagrams.", + "class": "Class or object diagram.", + "code": "Code structure diagram.", + "communication": "Communication diagram, formerly known as the collaboration diagram.", + "component": "Component diagram.", + "container": "Container diagram, as in C4.", + "context": "Context diagram.", + "data-flow": "Data flow diagram, or DFD.", + "deployment": "Deployment or infrastructure diagram.", + "entity": "Entity relationship diagram.", + "flowchart": "Flowchart depicting steps or decision logic.", + "matrix": "Matrix diagram, such as a dependency structure or traceability matrix.", + "mind-map": "Mind map diagram for decomposition or brainstorming.", + "network": "Network topology diagram.", + "process": "Business process diagram.", + "sequence": "Sequence or interaction diagram.", + "state": "State machine diagram.", + "timing": "Timing diagram showing state 
changes over time.", + "use-case": "Use case diagram." + } + } } }, { - "type": "object", - "title": "Custom Identifier Scheme", - "description": "A custom identifier scheme not represented in the predefined taxonomy.", + "title": "Custom Visualization Type", + "description": "A custom visualization type not covered by the predefined enumeration.", "required": [ "name" ], 
@@ -2587,4500 +3174,10971 @@ "properties": { "name": { "type": "string", - "minLength": 1, "title": "Name", - "description": "The name of the custom identifier scheme." + "minLength": 1, + "description": "The name of the custom visualization type." }, "description": { "type": "string", "title": "Description", - "description": "A description of the custom identifier scheme." + "description": "A description of the custom visualization type." } } } ] }, - "identityValue": { - "type": "string", - "minLength": 1, - "title": "Identifier Value", - "description": "The value of an identifier." - } - } - }, - "cyclonedx-composition-2.0": { - "type": "null", - "title": "CycloneDX Composition Model", - "$defs": { - "compositions": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" - }, - "uniqueItems": true, - "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." - }, - "composition": { + "assetClassification": { "type": "object", - "title": "Compositions", - "required": [ - "aggregate" - ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "aggregate": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", - "title": "Aggregate", - "description": "Specifies an aggregate type that describes how complete a relationship is." 
+ "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" }, - "assemblies": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" }, - "dependencies": { + "categories": { "type": "array", - "uniqueItems": true, "items": { "type": "string" }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + "description": "Business or technical categories." }, - "vulnerabilities": { + "tags": { "type": "array", - "uniqueItems": true, "items": { "type": "string" }, - "title": "BOM references", - "description": "The bom-ref identifiers of the vulnerabilities being described." - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + "description": "Tags for classification and search." 
} } }, - "aggregateType": { - "type": "string", - "default": "not_specified", - "enum": [ - "complete", - "incomplete", - "incomplete_first_party_only", - "incomplete_first_party_proprietary_only", - "incomplete_first_party_opensource_only", - "incomplete_third_party_only", - "incomplete_third_party_proprietary_only", - "incomplete_third_party_opensource_only", - "unknown", - "not_specified" - ], - "meta:enum": { - "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", - "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", - "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", - "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", - "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_third_party_opensource_only": "The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", - "not_specified": "The relationship completeness is not specified." + "ownership": { + "type": "array", + "title": "Ownership", + "description": "Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" } - } - } - }, - "cyclonedx-cryptography-2.0": { - "type": "null", - "title": "CycloneDX Cryptography Model", - "$defs": { - "cryptoProperties": { - "type": "object", - "title": "Cryptographic Properties", - "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. 
HMAC-SHA1 also makes a difference.", - "additionalProperties": false, - "required": [ - "assetType" - ], - "properties": { - "assetType": { + }, + "authenticationType": { + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.", + "oneOf": [ + { "type": "string", - "title": "Asset Type", - "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "title": "Predefined Authentication Type", + "description": "A predefined authentication method from the enumeration.", "enum": [ - "algorithm", + "api-key", + "basic", + "bearer", + "biometric", "certificate", - "protocol", - "related-crypto-material" + "digest", + "eap", + "fido2", + "form", + "hmac", + "jwt", + "kerberos", + "ldap", + "magic-link", + "mtls", + "none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "pin", + "psk", + "push", + "radius", + "saml", + "scram", + "session-cookie", + "ssh", + "totp" ], "meta:enum": { - "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", - "certificate": "An electronic document that is used to provide the identity or validate a public key.", - "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", - "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." 
+ "api-key": "API key authentication.", + "basic": "HTTP Basic authentication (RFC 7617), where the browser presents a native credential dialog and the username and password are sent on each request.", + "bearer": "Bearer token authentication.", + "biometric": "Biometric authentication, such as fingerprint or face recognition.", + "certificate": "Certificate-based authentication.", + "digest": "Digest authentication.", + "eap": "Extensible Authentication Protocol, commonly used with IEEE 802.1X.", + "fido2": "FIDO2 or WebAuthn passwordless authentication.", + "form": "Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.", + "hmac": "HMAC request signing using a shared secret key.", + "jwt": "JSON Web Token authentication.", + "kerberos": "Kerberos authentication.", + "ldap": "LDAP directory authentication.", + "magic-link": "Passwordless authentication using a single-use link.", + "mtls": "Mutual TLS authentication.", + "none": "No authentication required.", + "ntlm": "NTLM authentication.", + "oauth1": "OAuth 1.0 authentication.", + "oauth2": "OAuth 2.0 authentication.", + "oidc": "OpenID Connect authentication.", + "pin": "Personal identification number, a short secret used as a knowledge factor, such as a device or application unlock PIN.", + "psk": "Pre-shared key authentication.", + "push": "Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.", + "radius": "RADIUS authentication.", + "saml": "SAML authentication.", + "scram": "Salted Challenge Response Authentication Mechanism.", + "session-cookie": "Session authentication using a server-side session identified by a cookie.", + "ssh": "SSH key authentication.", + "totp": "Time-based one-time password authentication." 
} }, - "algorithmProperties": { + { "type": "object", - "title": "Algorithm Properties", - "description": "Additional properties specific to a cryptographic algorithm.", + "title": "Custom Authentication Type", + "description": "A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.", "additionalProperties": false, + "required": [ + "name" + ], "properties": { - "primitive": { + "name": { "type": "string", - "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", - "enum": [ - "drbg", - "mac", - "block-cipher", - "stream-cipher", - "signature", - "hash", - "pke", - "xof", - "kdf", - "key-agree", - "kem", - "ae", - "combiner", - "key-wrap", - "other", - "unknown" - ], - "meta:enum": { - "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. 
DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", - "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", - "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", - "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", - "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", - "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", - "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.", - "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", - "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", - "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", - "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", - "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", - "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", - "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", - "other": "Another primitive type.", - "unknown": "The primitive is not known." - } - }, - "algorithmFamily": { - "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", - "title": "Algorithm Family", - "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", - "examples": [ - "3DES", - "Blowfish", - "ECDH" - ] + "title": "Name", + "minLength": 1, + "description": "The name of the custom authentication method." 
}, - "parameterSetIdentifier": { + "description": { "type": "string", - "title": "Parameter Set Identifier", - "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." - }, - "ellipticCurve": { - "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", - "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." - }, - "executionEnvironment": { + "title": "Description", + "description": "A description of the custom authentication method, including how identity is verified and any relevant constraints." 
+ } + } + } + ] + }, + "authorizationType": { + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Authorization Type", + "description": "A predefined authorization model from the enumeration.", + "enum": [ + "abac", + "acl", + "capability", + "dac", + "mac", + "none", + "pbac", + "radac", + "rbac", + "rebac" + ], + "meta:enum": { + "abac": "Attribute-Based Access Control.", + "acl": "Access Control Lists.", + "capability": "Capability-Based Access Control.", + "dac": "Discretionary Access Control.", + "mac": "Mandatory Access Control.", + "none": "No authorization controls.", + "pbac": "Policy-Based Access Control.", + "radac": "Risk-Adaptive Access Control.", + "rbac": "Role-Based Access Control.", + "rebac": "Relationship-Based Access Control." 
+ } + }, + { + "type": "object", + "title": "Custom Authorization Type", + "description": "A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { "type": "string", - "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in.", - "enum": [ - "software-plain-ram", - "software-encrypted-ram", - "software-tee", - "hardware", - "other", - "unknown" - ], - "meta:enum": { - "software-plain-ram": "A software implementation running in plain unencrypted RAM.", - "software-encrypted-ram": "A software implementation running in encrypted RAM.", - "software-tee": "A software implementation running in a trusted execution environment.", - "hardware": "A hardware implementation.", - "other": "Another implementation environment.", - "unknown": "The execution environment is not known." - } - }, - "implementationPlatform": { - "type": "array", - "title": "Implementation platforms", - "description": "The target platforms for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform.", - "items": { - "type": "string", - "title": "Platform", - "description": "The target platform for the implementation.", - "enum": [ - "generic", - "x86_32", - "x86_64", - "armv7-a", - "armv7-m", - "armv8-a", - "armv8-m", - "armv9-a", - "armv9-m", - "s390x", - "ppc64", - "ppc64le", - "riscv32", - "riscv64", - "other", - "unknown" - ], - "meta:enum": { - "generic": "Platform-independent implementation.", - "x86_32": "Intel/AMD 32-bit x86 architecture.", - "x86_64": "Intel/AMD 64-bit x86-64 architecture.", - "armv7-a": "ARM 32-bit application profile (Cortex-A).", - "armv7-m": "ARM 32-bit microcontroller profile (Cortex-M).", - "armv8-a": "ARM 64-bit application profile (AArch64).", - "armv8-m": "ARM 32-bit microcontroller with TrustZone.", - "armv9-a": "ARM 64-bit with enhanced security features.", - "armv9-m": "ARM microcontroller with advanced security.", - "s390x": "IBM Z series mainframe 64-bit.", - "ppc64": "IBM PowerPC 64-bit big-endian.", - "ppc64le": "IBM PowerPC 64-bit little-endian.", - "riscv32": "RISC-V 32-bit open standard architecture.", - "riscv64": "RISC-V 64-bit open standard architecture.", - "other": "Another platform.", - "unknown": "The platform is not known." - } - } + "title": "Name", + "minLength": 1, + "description": "The name of the custom authorization model." }, - "certificationLevel": { - "type": "array", - "title": "Certification Level", - "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", - "items": { - "type": "string", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "cavp", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - 
"cc-eal7": "Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "cavp": "Cryptographic Algorithm Validation Program", - "other": "Another certification", - "unknown": "The certification level is not known" - } - } - }, - "mode": { - "type": "string", - "title": "Mode", - "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", - "enum": [ - "cbc", - "ecb", - "ccm", - "gcm", - "cfb", - "ofb", - "ctr", - "siv", - "gcm-siv", - "ocb", - "eax", - "kw", - "kwp", - "cts", - "xts", - "gmac", - "cmac", - "xpn", - "ff1", - "ff3-1", - "other", - "unknown" - ], - "meta:enum": { - "cbc": "Cipher Block Chaining mode.", - "ecb": "Electronic Codebook mode.", - "ccm": "Counter with CBC-MAC (AEAD).", - "gcm": "Galois/Counter Mode (AEAD).", - "cfb": "Cipher Feedback mode.", - "ofb": "Output Feedback mode.", - "ctr": "Counter mode.", - "siv": "Synthetic Initialization Vector mode.", - "gcm-siv": "GCM with Synthetic IV (nonce-misuse resistant).", - "ocb": "Offset Codebook Mode (AEAD).", - "eax": "Encrypt-then-Authenticate-then-Translate mode.", - "kw": "AES Key Wrap (RFC 3394).", - "kwp": "AES Key Wrap with Padding (RFC 5649).", - "cts": "Ciphertext Stealing mode.", - "xts": "XEX Tweaked-codebook with Stealing (disk encryption).", - "gmac": "Galois Message Authentication Code", - "cmac": "Cipher-based Message Authentication Code", - "xpn": "Extended Packet Numbering mode.", - "ff1": "Format-preserving encryption mode 1.", - "ff3-1": "Format-preserving encryption mode 3, update 1.", - "other": "Another mode of operation.", - "unknown": "The mode is not known." 
- } - }, - "padding": { + "description": { "type": "string", - "title": "Padding", - "description": "The padding scheme that is used for the cryptographic algorithm.", - "enum": [ - "pkcs5", - "pkcs7", - "pkcs1v15", - "oaep", - "raw", - "pss", - "x931", - "other", - "unknown" - ], - "meta:enum": { - "pkcs5": "PKCS#5 padding for password-based cryptography.", - "pkcs7": "PKCS#7 padding with length-indicating bytes.", - "pkcs1v15": "PKCS#1 v1.5 padding for RSA.", - "oaep": "Optimal Asymmetric Encryption Padding for RSA.", - "raw": "No padding applied.", - "pss": "Probabilistic Signature Scheme for RSA signatures.", - "x931": "ANSI X9.31 padding for RSA.", - "other": "Another padding scheme.", - "unknown": "The padding scheme is not known." - } - }, - "cryptoFunctions": { - "type": "array", - "title": "Cryptographic functions", - "description": "The cryptographic functions implemented by the cryptographic algorithm.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction" - } - }, - "classicalSecurityLevel": { - "type": "integer", - "title": "classical security level", - "description": "The classical security level that a cryptographic algorithm provides (in bits).", - "minimum": 0 - }, - "nistQuantumSecurityLevel": { - "type": "integer", - "title": "NIST security strength category", - "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", - "minimum": 0, - "maximum": 6 - }, - "secProperties": { - "type": "array", - "title": "Security Properties", - "description": "Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. 
Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.",
- "items": {
- "type": "string",
- "title": "Security Property",
- "examples": [
- "IND-CPA",
- "IND-CCA",
- "IND-CCA2",
- "SUF-CMA",
- "EUF-CMA",
- "collision-resistant",
- "preimage-resistant",
- "second-preimage-resistant"
- ]
- }
+ "title": "Description",
+ "description": "A description of the custom authorization model, including how access decisions are made and any relevant constraints."
 }
 }
+ }
+ ]
+ }
+ }
+ },
+ "cyclonedx-business-objective-2.0": {
+ "type": "null",
+ "title": "CycloneDX Business Objective Model",
+ "$defs": {
+ "businessObjectives": {
+ "type": "array",
+ "title": "Business Objectives",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjective"
+ },
+ "description": "A collection of reusable business objectives that other elements may reference."
+ },
+ "businessObjective": {
+ "type": "object",
+ "title": "Business Objective",
+ "description": "A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.",
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
- "certificateProperties": {
- "type": "object",
- "title": "Certificate Properties",
- "description": "Properties for cryptographic assets of asset type 'certificate'.",
- "additionalProperties": false,
- "properties": {
- "serialNumber": {
- "type": "string",
- "title": "Serial Number",
- "description": "The serial number is a unique identifier for the certificate issued by a CA."
- },
- "subjectName": {
- "type": "string",
- "title": "Subject Name",
- "description": "The subject name for the certificate."
- },
- "issuerName": {
- "type": "string",
- "title": "Issuer Name",
- "description": "The issuer name for the certificate."
- },
- "notValidBefore": {
- "type": "string",
- "format": "date-time",
- "title": "Not Valid Before",
- "description": "The date and time according to ISO-8601 standard from which the certificate is valid."
- },
- "notValidAfter": {
- "type": "string",
- "format": "date-time",
- "title": "Not Valid After",
- "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore."
- },
- "certificateFormat": {
- "type": "string",
- "title": "Certificate Format",
- "description": "The format of the certificate.",
- "examples": [
- "X.509",
- "PEM",
- "DER",
- "CVC"
- ]
- },
- "certificateFileExtension": {
- "type": "string",
- "title": "Certificate File Extension",
- "description": "The file extension of the certificate.",
- "examples": [
- "crt",
- "pem",
- "cer",
- "der",
- "p12"
- ]
- },
- "fingerprint": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint",
- "title": "Certificate Fingerprint",
- "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature."
- },
- "certificateState": {
- "type": "array",
- "title": "Certificate Lifecycle State",
- "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation.
It typically involves several stages.",
- "items": {
- "type": "object",
- "title": "State",
- "description": "The state of the certificate.",
- "oneOf": [
- {
- "title": "Pre-Defined State",
- "required": [
- "state"
- ],
- "additionalProperties": false,
- "properties": {
- "state": {
- "type": "string",
- "title": "State",
- "description": "A pre-defined state in the certificate lifecycle.",
- "enum": [
- "pre-activation",
- "active",
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the business objective."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the business objective."
+ },
+ "criticality": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality",
+ "description": "The business criticality of the objective."
+ },
+ "owner": {
+ "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice",
+ "description": "The party accountable for this objective. May be an inline party object or a reference to a previously declared party."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ }
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-citation-2.0": {
+ "type": "null",
+ "title": "CycloneDX Citation Model",
+ "$defs": {
+ "citations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation"
+ },
+ "uniqueItems": true,
+ "title": "Citations",
+ "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM."
+ },
+ "citation": {
+ "type": "object",
+ "title": "Citation",
+ "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference"
+ },
+ "pointers": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Field Reference",
+ "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."
+ },
+ "minItems": 1,
+ "title": "Field References",
+ "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "expressions": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "title": "Path Expression",
+ "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."
+ },
+ "minItems": 1,
+ "title": "Path Expressions",
+ "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time when the attribution was made or the information was supplied."
+ },
+ "attributedTo": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Attributed To",
+ "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "process": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Process Reference",
+ "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ },
+ "note": {
+ "type": "string",
+ "title": "Note",
+ "description": "A description or comment about the context or quality of the data attribution."
+ },
+ "signatures": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures",
+ "title": "Signature",
+ "description": "A digital signature verifying the authenticity or integrity of the attribution."
+ }
+ },
+ "required": [
+ "timestamp"
+ ],
+ "anyOf": [
+ {
+ "required": [
+ "attributedTo"
+ ]
+ },
+ {
+ "required": [
+ "process"
+ ]
+ }
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "pointers"
+ ]
+ },
+ {
+ "required": [
+ "expressions"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "cyclonedx-common-2.0": {
+ "type": "null",
+ "title": "CycloneDX Common Model",
+ "$defs": {
+ "refType": {
+ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "type": "string",
+ "minLength": 1,
+ "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'"
+ },
+ "refLinkType": {
+ "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "bomLinkDocumentType": {
+ "title": "BOM-Link Document",
+ "description": "Descriptor for another BOM document.
See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLinkElementType": {
+ "title": "BOM-Link Element",
+ "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLink": {
+ "title": "BOM-Link",
+ "anyOf": [
+ {
+ "title": "BOM-Link Document",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "hash": {
+ "type": "object",
+ "title": "Hash",
+ "required": [
+ "alg",
+ "content"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "alg": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm",
+ "title": "Hash Algorithm",
+ "description": "The standard, well-known algorithm used to compute the hash."
+ },
+ "content": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue",
+ "title": "Hash Value",
+ "description": "The value of the hash computed using the standard, well-known algorithm."
+ }
+ }
+ },
+ "hashAlgorithm": {
+ "type": "string",
+ "title": "Hash Algorithm",
+ "description": "The algorithm that generated the hash value.",
+ "enum": [
+ "MD5",
+ "SHA-1",
+ "SHA-256",
+ "SHA-384",
+ "SHA-512",
+ "SHA3-256",
+ "SHA3-384",
+ "SHA3-512",
+ "BLAKE2b-256",
+ "BLAKE2b-384",
+ "BLAKE2b-512",
+ "BLAKE3",
+ "Streebog-256",
+ "Streebog-512"
+ ]
+ },
+ "hashValue": {
+ "type": "string",
+ "title": "Hash Value",
+ "description": "The value of the hash.",
+ "examples": [
+ "3942447fac867ae5cdb3229b658f4d48"
+ ],
+ "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"
+ },
+ "mediaType": {
+ "type": "string",
+ "title": "Media Type",
+ "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.",
+ "examples": [
+ "text/plain",
+ "application/json",
+ "image/png"
+ ],
+ "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
+ },
+ "attachment": {
+ "type": "object",
+ "title": "Attachment",
+ "description": "Specifies the metadata and content for an attachment.",
+ "required": [
+ "content"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "mediaType": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType"
+ },
+ "encoding": {
+ "type": "string",
+ "title": "Encoding",
+ "description": "Specifies the optional encoding the text is represented in.",
+ "enum": [
+ "base64"
+ ],
+ "meta:enum": {
+ "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."
+ }
+ },
+ "content": {
+ "type": "string",
+ "title": "Attachment Text",
+ "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."
+ }
+ }
+ },
+ "base64": {
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$",
+ "description": "A Base64-encoded string."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ },
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "externalReference": {
+ "type": "object",
+ "title": "External Reference",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
+ "required": [
+ "url",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink"
+ }
+ ],
+ "title": "URL",
+ "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."
+ },
+ "comment": {
+ "type": "string",
+ "title": "Comment",
+ "description": "A comment describing the external reference"
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "Specifies the type of external reference.",
+ "enum": [
+ "vcs",
+ "issue-tracker",
+ "website",
+ "advisories",
+ "bom",
+ "mailing-list",
+ "social",
+ "chat",
+ "documentation",
+ "support",
+ "source-distribution",
+ "distribution",
+ "distribution-intake",
+ "license",
+ "build-meta",
+ "build-system",
+ "release-notes",
+ "security-contact",
+ "model-card",
+ "log",
+ "configuration",
+ "evidence",
+ "formulation",
+ "attestation",
+ "threat-model",
+ "adversary-model",
+ "risk-assessment",
+ "vulnerability-assertion",
+ "exploitability-statement",
+ "pentest-report",
+ "static-analysis-report",
+ "dynamic-analysis-report",
+ "runtime-analysis-report",
+ "component-analysis-report",
+ "maturity-report",
+ "certification-report",
+ "codified-infrastructure",
+ "quality-metrics",
+ "poam",
+ "perspective",
+ "electronic-signature",
+ "digital-signature",
+ "rfc-9116",
+ "patent",
+ "patent-family",
+ "patent-assertion",
+ "citation",
+ "swid-tag",
+ "other"
+ ],
+ "meta:enum": {
+ "vcs": "Version Control System",
+ "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system",
+ "website": "Website",
+ "advisories": "Security advisories",
+ "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)",
+ "mailing-list": "Mailing list or discussion group",
+ "social": "Social media account",
+ "chat": "Real-time chat platform",
+ "documentation": "Documentation, guides, or how-to instructions",
+ "support": "Community or commercial support",
+ "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz.
The source-distribution type complements use of the version control (vcs) type.",
+ "distribution": "Direct or repository download location",
+ "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.",
+ "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.",
+ "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)",
+ "build-system": "Reference to an automated build system",
+ "release-notes": "Reference to release notes",
+ "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.",
+ "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.",
+ "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.",
+ "configuration": "Parameters or settings that may be used by other components or services.",
+ "evidence": "Information used to substantiate a claim.",
+ "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.",
+ "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.",
+ "threat-model": "An enumeration of identified weaknesses, threats, and
countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.",
+ "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.",
+ "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.",
+ "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.",
+ "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.",
+ "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.",
+ "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.",
+ "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.",
+ "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.",
+ "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.",
+ "maturity-report": "Report containing a formal assessment of an organization, business unit, or team
against a maturity model.",
+ "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.",
+ "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).",
+ "quality-metrics": "Report or system in which quality metrics can be obtained.",
+ "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
+ "perspective": "A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.",
+ "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.",
+ "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
+ "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)",
+ "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).",
+ "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96.
A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).",
+ "patent-assertion": "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
+ "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.",
+ "swid-tag": "A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.",
+ "other": "Use this if no other types accurately describe the purpose of the external reference."
+ }
+ },
+ "hashes": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash"
+ },
+ "title": "Hashes",
+ "description": "The hashes of the external reference (if applicable)."
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "postalAddress": {
+ "type": "object",
+ "title": "Postal address",
+ "description": "An address used to identify a contactable location.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the address elsewhere in the BOM.
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "country": {
+ "type": "string",
+ "title": "Country",
+ "description": "The country name or the two-letter ISO 3166-1 country code."
+ },
+ "region": {
+ "type": "string",
+ "title": "Region",
+ "description": "The region or state in the country.",
+ "examples": [
+ "Texas"
+ ]
+ },
+ "locality": {
+ "type": "string",
+ "title": "Locality",
+ "description": "The locality or city within the country.",
+ "examples": [
+ "Austin"
+ ]
+ },
+ "postOfficeBoxNumber": {
+ "type": "string",
+ "title": "Post Office Box Number",
+ "description": "The post office box number.",
+ "examples": [
+ "901"
+ ]
+ },
+ "postalCode": {
+ "type": "string",
+ "title": "Postal Code",
+ "description": "The postal code.",
+ "examples": [
+ "78758"
+ ]
+ },
+ "streetAddress": {
+ "type": "string",
+ "title": "Street Address",
+ "description": "The street address.",
+ "examples": [
+ "100 Main Street"
+ ]
+ }
+ }
+ },
+ "organizationalEntity": {
+ "type": "object",
+ "title": "Organizational Entity",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "name": {
+ "type": "string",
+ "title": "Organization Name",
+ "description": "The name of the organization",
+ "examples": [
+ "Example Inc."
+ ]
+ },
+ "address": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress",
+ "title": "Organization Address",
+ "description": "The physical address (location) of the organization"
+ },
+ "url": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Organization URL(s)",
+ "description": "The URL of the organization. Multiple URLs are allowed.",
+ "examples": [
+ "https://example.com"
+ ]
+ },
+ "contact": {
+ "type": "array",
+ "title": "Organizational Contact",
+ "description": "A contact at the organization. Multiple contacts are allowed.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ }
+ }
+ },
+ "organizationalContact": {
+ "type": "object",
+ "title": "Organizational Contact",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of a contact",
+ "examples": [
+ "Contact name"
+ ]
+ },
+ "email": {
+ "type": "string",
+ "format": "idn-email",
+ "title": "Email Address",
+ "description": "The email address of the contact.",
+ "examples": [
+ "firstname.lastname@example.com"
+ ]
+ },
+ "phone": {
+ "type": "string",
+ "title": "Phone",
+ "description": "The phone number of the contact.",
+ "examples": [
+ "800-555-1212"
+ ]
+ }
+ }
+ },
+ "organizationalEntityOrContact": {},
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store.
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property"
+ }
+ },
+ "property": {
+ "type": "object",
+ "title": "Lightweight name-value pair",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property."
+ }
+ },
+ "additionalProperties": false
+ },
+ "extensibleProperties": {
+ "type": "object",
+ "title": "Extensible Properties",
+ "patternProperties": {
+ "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": {
+ "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties.
This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).",
+ "examples": [
+ "ext::",
+ "ext:example.org:myExtension"
+ ],
+ "if": {
+ "type": [
+ "object",
+ "array"
+ ]
+ },
+ "then": {
+ "type": "object",
+ "required": [
+ "$schema"
+ ],
+ "properties": {
+ "$schema": {
+ "type": "string",
+ "format": "uri"
+ }
+ }
+ },
+ "else": {
+ "type": [
+ "string",
+ "number",
+ "boolean",
+ "null"
+ ]
+ }
+ }
+ }
+ },
+ "baseObject": {
+ "description": "Base object for all CycloneDX entities. Automatically includes support for extensible properties.",
+ "allOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"
+ }
+ ],
+ "properties": {
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ }
+ }
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
+ "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
+ },
+ "ordinalVersion": {
+ "title": "Ordinal Version",
+ "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy.
The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.",
+ "type": "string",
+ "pattern": "^\\d+(\\.\\d+)*$",
+ "examples": [
+ "1",
+ "1.2",
+ "1.2.3",
+ "2025.09.02",
+ "10.4.7.3"
+ ]
+ },
+ "lifecycle": {
+ "type": "object",
+ "title": "Lifecycle",
+ "description": "The product lifecycle(s) that this BOM represents.",
+ "oneOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"
+ },
+ {
+ "title": "Custom Lifecycle Phase",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the lifecycle phase"
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the lifecycle phase"
+ }
+ }
+ }
+ ]
+ },
+ "lifecycles": {
+ "type": "array",
+ "title": "Lifecycles",
+ "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle"
+ }
+ },
+ "preDefinedLifecyclePhase": {
+ "title": "Pre-Defined Phase",
+ "required": [
+ "phase"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "phase": {
+ "type": "string",
+ "title": "Phase",
+ "description": "A pre-defined phase in the product lifecycle.",
+ "enum": [
+ "design",
+ "pre-build",
+ "build",
+ "post-build",
+ "operations",
+ "discovery",
+ "decommission"
+ ],
+ "meta:enum": {
+ "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used.
The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" + }, + "resolves": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + }, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A 
collection of URL's for reference. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "locale": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures", + "title": "Signatures", + "description": "Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)." 
+ } + } + }, + "cyclonedx-component-2.0": { + "type": "null", + "title": "CycloneDX Component Model", + "$defs": { + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice" + }, + "uniqueItems": true, + "title": "Components" + }, + "component": { + "type": "object", + "title": "Component", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. 
This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": [ + "library" + ] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": [ + "image/jpeg" + ], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "parties": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/parties" + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": [ + "com.acme" + ] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": [ + "tomcat-catalina" + ] + }, + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
+ }, + "versionRange": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" + } + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice" + }, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." 
+ }, + "modelCard": { + "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + }, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", + "title": "Cryptographic Properties" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": [ + "version", + "versionRange" + ] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { + "isExternal": { + "const": false + } + } + }, + "then": { + "not": { + "required": [ + "versionRange" + ] + } + }, + "else": true + } + ] + }, + "componentOrChoice": { + "title": "Component or Component Choice", + "description": "An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. 
The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentChoice" + } + ] + }, + "componentChoice": { + "type": "object", + "title": "Component Choice", + "description": "A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.", + "required": [ + "type", + "operator", + "components" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "const": "component-choice", + "title": "Type", + "description": "Discriminator for a component-choice entry. The value shall be the literal string `component-choice`." + }, + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Name", + "description": "A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.", + "examples": [ + "2N2222 or PN2222A Transistor", + "U1 5V LDO Regulator" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the choice and the rationale behind the alternates." 
+ }, + "operator": { + "type": "string", + "enum": [ + "OR", + "XOR", + "AND" + ], + "meta:enum": { + "OR": "Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.", + "XOR": "Exactly one of the contained components is installed in any single instance. Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.", + "AND": "All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun." + }, + "title": "Operator", + "description": "The logical relationship between the contained components." + }, + "components": { + "type": "array", + "minItems": 2, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice" + }, + "title": "Components", + "description": "Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "copyrightText": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": [ + "Acme Inc" + ] + }, + "copyright": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" + }, + "title": "Copyright", + "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." + }, + "copyrightObject": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." 
+ } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "type": "array", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" + } + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ + "location" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." 
+ }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." + }, + "accountInfo": { + "type": "string", + "title": "Account Information", + "description": "The account or user information associated with the occurrence." + }, + "systemOwner": { + "type": "string", + "title": "System Owner", + "description": "The owner of the system where the component was found." + }, + "startTime": { + "type": "string", + "format": "date-time", + "title": "Start Time", + "description": "The date and time when the process detecting the occurrence started." + }, + "endTime": { + "type": "string", + "format": "date-time", + "title": "End Time", + "description": "The date and time when the process detecting the occurrence ended." + }, + "usageCount": { + "type": "integer", + "minimum": 0, + "title": "Usage Count", + "description": "The number of times the component occurred in the detecting process." + } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + "description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ + "scheme" + ], + "additionalProperties": false, + "properties": { + "scheme": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityScheme" + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + 
"description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the scheme that has been concluded based on the aggregate of all methods (if available)." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique", + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
+ } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." 
+ } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { + "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + }, + "identifiers": { + "type": "array", + "title": "Identifiers", + "description": "Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. 
For unverified or inferred identity data, use evidence.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identifier" + }, + "uniqueItems": true + }, + "identifier": { + "type": "object", + "title": "Identifier", + "description": "A set of identifiers attributed to a single asserting party.", + "required": [ + "party", + "identities" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "party": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Asserting Party", + "description": "Reference using bom-link or bom-ref to the party making the identity assertion." + }, + "identities": { + "type": "array", + "title": "Identities", + "description": "The discrete identity claims asserted by the party.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identity" + }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "identity": { + "type": "object", + "title": "Identity", + "description": "A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.", + "required": [ + "scheme", + "value" + ], + "additionalProperties": false, + "properties": { + "scheme": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityScheme" + }, + "value": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identityValue" + } + } + }, + "identityScheme": { + "title": "Identifier Scheme", + "description": "The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.", + "oneOf": [ + { + "type": "string", + "enum": [ + "purl", + "cpe", + "swid", + "swhid", + "omniborid", + "epc-rfid", + "giai", + "gln", + "gmn", + "gtin-8", + "gtin-12", + "gtin-13", + "gtin-14", + "mpn", + "part-number", + "model-number", + "sku", + "serial-number", + "asset-tag", + "udi-di", + "udi-pi", + "fcc-id", + "imei", + "mac-address", + "tei" + ], + "meta:enum": { + "purl": "Package-URL identifier, conforming to the Package-URL specification.", + "cpe": "Common Platform Enumeration name, conforming to NIST Interagency Report 7695.", + "swid": "Software Identification tag identifier, conforming to ISO/IEC 19770-2.", + "swhid": "Software Heritage persistent identifier.", + "omniborid": "OmniBOR Artifact Identifier, also known as a gitoid.", + "epc-rfid": "Electronic Product Code - RFID (EPC Tag Data Standard)", + "giai": "Global Individual Asset Identifier (GIAI)", + "gln": "Global Location Number (GLN)", + "gmn": "Global Model Number (GMN)", + "gtin-8": "Global Trade Identification Number (GTIN-8 / EAN/UCC-8)", + "gtin-12": "Global Trade Identification Number (GTIN-12 / UPC-A)", + "gtin-13": "Global Trade Identification Number (GTIN-13 / EAN/UCC-13)", + "gtin-14": "Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)", + "mpn": "Manufacturer Part Number, assigned by the original manufacturer.", + "part-number": "Part number assigned by a distributor, integrator, or operator.", + "model-number": "Product model number assigned by the manufacturer.", + "sku": "Stock Keeping Unit, assigned by a seller or distributor.", + "serial-number": "Unique identifier for an individual instance of a product.", + "asset-tag": "Asset tag assigned by the owning or operating organization.", + "udi-di": "Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.", + "udi-pi": "Unique Device Identifier, Production Identifier 
portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.", + "fcc-id": "United States Federal Communications Commission equipment identifier.", + "imei": "International Mobile Equipment Identity, conforming to 3GPP TS 23.003.", + "mac-address": "IEEE 802 Media Access Control address.", + "tei": "Transparency Exchange Identifier conforming to the Transparency Exchange API specification." + } + }, + { + "type": "object", + "title": "Custom Identifier Scheme", + "description": "A custom identifier scheme not represented in the predefined taxonomy.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom identifier scheme." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom identifier scheme." + } + } + } + ] + }, + "identityValue": { + "type": "string", + "minLength": 1, + "title": "Identifier Value", + "description": "The value of an identifier." + } + } + }, + "cyclonedx-composition-2.0": { + "type": "null", + "title": "CycloneDX Composition Model", + "$defs": { + "compositions": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + }, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "composition": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." 
+ }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } + } + } + }, + "cyclonedx-control-2.0": { + "type": "null", + "title": "CycloneDX Control Model", + "$defs": { + "controls": { + "type": "array", + "title": "Controls", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/control" + }, + "description": "The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses." + }, + "control": { + "type": "object", + "title": "Control", + "description": "A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.", + "required": [ + "bom-ref", + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the control." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the control." + }, + "category": { + "title": "Category", + "description": "The category of the control. 
Use the custom option for a category specific to an organization's taxonomy.", + "oneOf": [ + { + "title": "Predefined Control Category", + "type": "string", + "enum": [ + "preventive", + "detective", + "corrective", + "compensating", + "deterrent", + "recovery" + ], + "meta:enum": { + "preventive": "Prevents an unwanted event from occurring.", + "detective": "Identifies and records that an unwanted event has occurred or is occurring.", + "corrective": "Remedies the condition that allowed an unwanted event.", + "compensating": "Provides an alternative safeguard where a primary control is not feasible.", + "deterrent": "Discourages an actor from attempting an unwanted action.", + "recovery": "Restores operations after an unwanted event." + } + }, + { + "title": "Custom Control Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom category." + } + } + } + ] + }, + "status": { + "title": "Status", + "description": "The implementation status of the control.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/implementationStatus" + }, + "appliesTo": { + "type": "array", + "title": "Applies To", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. A control without this property applies to the organization or system as a whole." 
+ }, + "implementedBy": { + "type": "array", + "title": "Implemented By", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control." + }, + "satisfies": { + "type": "array", + "title": "Satisfies", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards." + }, + "effectiveness": { + "title": "Effectiveness", + "description": "The assessed effectiveness of the control.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/effectiveness" + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for the control. May be an inline party object or a reference to a previously declared party." + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "implementationStatus": { + "title": "Implementation Status", + "description": "The implementation status of a control or response. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Implementation Status", + "type": "string", + "enum": [ + "recommended", + "proposed", + "approved", + "rejected", + "planned", + "in-progress", + "implemented", + "verified", + "decommissioned" + ], + "meta:enum": { + "recommended": "Suggested by a producer, standard, or assessor. 
Not yet entered into the adopting organization's decision process.", + "proposed": "Entered into the adopting organization's decision process but not yet approved.", + "approved": "Approved for implementation.", + "rejected": "Considered and declined, with no intent to implement.", + "planned": "Implementation is planned.", + "in-progress": "Implementation is in progress.", + "implemented": "Implemented and in effect.", + "verified": "Implemented and verified as effective.", + "decommissioned": "Removed from service." + } + }, + { + "title": "Custom Implementation Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] + }, + "effectiveness": { + "type": "object", + "title": "Effectiveness", + "description": "The measured or assessed effectiveness of a control or response.", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Percentage", + "description": "Effectiveness as a decimal from 0 to 1." + }, + "rating": { + "type": "string", + "title": "Rating", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk.", + "marginal": "Slightly reduces risk.", + "adequate": "Adequately reduces risk.", + "good": "Significantly reduces risk.", + "excellent": "Nearly eliminates risk." + }, + "description": "Effectiveness as a qualitative rating." 
+ } + } + } + } + }, + "cyclonedx-cryptography-2.0": { + "type": "null", + "title": "CycloneDX Cryptography Model", + "$defs": { + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." 
+ } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "enum": [ + "drbg", + "mac", + "block-cipher", + "stream-cipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "key-agree", + "kem", + "ae", + "combiner", + "key-wrap", + "other", + "unknown" + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. 
Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. 
It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } + }, + "algorithmFamily": { + "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", + "examples": [ + "3DES", + "Blowfish", + "ECDH" + ] + }, + "parameterSetIdentifier": { + "type": "string", + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + }, + "ellipticCurve": { + "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." 
+ }, + "executionEnvironment": { + "type": "string", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.", + "enum": [ + "software-plain-ram", + "software-encrypted-ram", + "software-tee", + "hardware", + "other", + "unknown" + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } + }, + "implementationPlatform": { + "type": "array", + "title": "Implementation platforms", + "description": "The target platforms for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", + "items": { + "type": "string", + "title": "Platform", + "description": "The target platform for the implementation.", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "armv9-a", + "armv9-m", + "s390x", + "ppc64", + "ppc64le", + "riscv32", + "riscv64", + "other", + "unknown" + ], + "meta:enum": { + "generic": "Platform-independent implementation.", + "x86_32": "Intel/AMD 32-bit x86 architecture.", + "x86_64": "Intel/AMD 64-bit x86-64 architecture.", + "armv7-a": "ARM 32-bit application profile (Cortex-A).", + "armv7-m": "ARM 32-bit microcontroller profile (Cortex-M).", + "armv8-a": "ARM 64-bit application profile (AArch64).", + "armv8-m": "ARM 32-bit microcontroller with TrustZone.", + "armv9-a": "ARM 64-bit with enhanced security features.", + "armv9-m": "ARM microcontroller with advanced security.", + "s390x": "IBM Z series mainframe 64-bit.", + "ppc64": "IBM PowerPC 64-bit big-endian.", + "ppc64le": "IBM PowerPC 64-bit 
little-endian.", + "riscv32": "RISC-V 32-bit open standard architecture.", + "riscv64": "RISC-V 64-bit open standard architecture.", + "other": "Another platform.", + "unknown": "The platform is not known." + } + } + }, + "certificationLevel": { + "type": "array", + "title": "Certification Level", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "cavp", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + 
"cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "cavp": "Cryptographic Algorithm Validation Program", + "other": "Another certification", + "unknown": "The certification level is not known" + } + } + }, + "mode": { + "type": "string", + "title": "Mode", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "siv", + "gcm-siv", + "ocb", + "eax", + "kw", + "kwp", + "cts", + "xts", + "gmac", + "cmac", + "xpn", + "ff1", + "ff3-1", + "other", + "unknown" + ], + "meta:enum": { + "cbc": "Cipher Block Chaining mode.", + "ecb": "Electronic Codebook mode.", + "ccm": "Counter with CBC-MAC (AEAD).", + "gcm": "Galois/Counter Mode (AEAD).", + "cfb": "Cipher Feedback mode.", + "ofb": "Output Feedback mode.", + "ctr": "Counter mode.", + "siv": "Synthetic Initialization Vector mode.", + "gcm-siv": "GCM with Synthetic IV (nonce-misuse resistant).", + "ocb": "Offset Codebook Mode (AEAD).", + "eax": "Encrypt-then-Authenticate-then-Translate mode.", + "kw": "AES Key Wrap (RFC 3394).", + "kwp": "AES Key Wrap with Padding (RFC 5649).", + "cts": "Ciphertext Stealing mode.", + "xts": "XEX Tweaked-codebook with Stealing (disk encryption).", + "gmac": "Galois Message Authentication Code", + "cmac": "Cipher-based Message Authentication Code", + "xpn": "Extended Packet Numbering mode.", + "ff1": "Format-preserving encryption mode 1.", + "ff3-1": "Format-preserving 
encryption mode 3, update 1.", + "other": "Another mode of operation.", + "unknown": "The mode is not known." + } + }, + "padding": { + "type": "string", + "title": "Padding", + "description": "The padding scheme that is used for the cryptographic algorithm.", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "pss", + "x931", + "other", + "unknown" + ], + "meta:enum": { + "pkcs5": "PKCS#5 padding for password-based cryptography.", + "pkcs7": "PKCS#7 padding with length-indicating bytes.", + "pkcs1v15": "PKCS#1 v1.5 padding for RSA.", + "oaep": "Optimal Asymmetric Encryption Padding for RSA.", + "raw": "No padding applied.", + "pss": "Probabilistic Signature Scheme for RSA signatures.", + "x931": "ANSI X9.31 padding for RSA.", + "other": "Another padding scheme.", + "unknown": "The padding scheme is not known." + } + }, + "cryptoFunctions": { + "type": "array", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction" + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "The classical security level that a cryptographic algorithm provides (in bits).", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", + "minimum": 0, + "maximum": 6 + }, + "secProperties": { + "type": "array", + "title": "Security Properties", + "description": "Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. 
Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.", + "items": { + "type": "string", + "title": "Security Property", + "examples": [ + "IND-CPA", + "IND-CCA", + "IND-CCA2", + "SUF-CMA", + "EUF-CMA", + "collision-resistant", + "preimage-resistant", + "second-preimage-resistant" + ] + } + } + } + }, + "certificateProperties": { + "type": "object", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'.", + "additionalProperties": false, + "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the certificate." + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the certificate." + }, + "notValidBefore": { + "type": "string", + "format": "date-time", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid." + }, + "notValidAfter": { + "type": "string", + "format": "date-time", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." 
+ }, + "certificateFormat": { + "type": "string", + "title": "Certificate Format", + "description": "The format of the certificate.", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages.", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", "suspended", "deactivated", "revoked", "destroyed" ], "meta:enum": { - "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", - "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", - "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", - "suspended": "The use of a certificate may be suspended for several possible reasons.", - "revoked": 
"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", - "destroyed": "The certificate has been destroyed." + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." 
+ }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." + }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + 
"subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." + } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." 
+ } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material.", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. 
Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } + }, + "id": { + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." + }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." 
+ }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." + }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint" + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + }, + "keyUsage": { + "type": "array", + "title": "Key Usage", + "description": "Defines the permitted cryptographic usage for the asset.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction", + "title": "Usage", + "description": "A permitted cryptographic usage." 
+ } + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to the protocol.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": { + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption 
algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + "prf": { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + "integ": { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "description": "Transform Type 3: integrity algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + "ke": { + "type": "array", + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" + } + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "type": "array", + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + } + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." 
+ } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier.", + "examples": [ + "0xC0", + "0x9E" + ] + } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group.", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme.", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE).", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "cryptographicFunction": { + "type": "string", + "title": "Cryptographic Function", + "description": "A cryptographic function or usage.", + "enum": [ + "generate", + "paramgen", + "paramver", + "keygen", + "keyver", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "keyagree", + "wrap", + "unwrap", + "other", + "unknown" + ], + "meta:enum": { + "generate": "Generates random data, IVs, or nonces.", + "paramgen": "Generates cryptographic domain parameters.", + "paramver": "Verifies cryptographic domain parameters.", + "keygen": "Generates cryptographic keys.", + "keyver": "Verifies cryptographic keys.", + "encrypt": "Transforms plaintext into ciphertext.", + "decrypt": "Transforms ciphertext into plaintext.", + "digest": "Computes a hash value from input data.", + "tag": "Generates an authentication tag for data integrity.", + "keyderive": "Derives keys from another key or shared secret.", + "sign": "Creates a digital signature using a private key.", + "verify": "Verifies a digital signature using a public key.", + "encapsulate": "Encapsulates a secret using a public key (KEM).", + "decapsulate": "Decapsulates a secret using a private key (KEM).", + "keyagree": "Derives a shared secret between parties.", + "wrap": "Encrypts a key for secure storage or transport.", + "unwrap": "Decrypts a wrapped key to recover the original key.", + "other": "Another cryptographic function.", + "unknown": "The cryptographic function is not known." 
+ } + }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, + "fingerprint": { + "type": "object", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset.", + "oneOf": [ + { + "title": "Standard Hash", + "description": "A fingerprint computed using a standard, well-known hash algorithm.", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" + }, + "content": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue" + } + } + }, + { + "title": "Custom Fingerprint", + "description": "A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.", + "required": [ + "customAlg", + "customContent" + ], + "additionalProperties": false, + "properties": { + "customAlg": { + "type": "string", + "title": "Custom Fingerprint Algorithm", + "description": "The name of the custom algorithm used to compute the fingerprint." 
+ }, + "customContent": { + "type": "string", + "title": "Custom Fingerprint Content", + "description": "The value of the fingerprint computed using the custom algorithm." + } + } + } + ] + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "type": "array", + "title": "References", + "description": "The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + } + } + } + } + } + }, + "cyclonedx-data-2.0": { + "type": "null", + "title": "CycloneDX Data Model", + "$defs": { + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "A catalogue of reusable data profile definitions. Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + } + }, + "dataProfile": { + "type": "object", + "title": "Data Profile", + "description": "Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this data profile." 
+ }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.", + "examples": [ + "Customer PII Dataset", + "Transaction Logs", + "Employee Health Records" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification", + "description": "The classification of the data, indicating the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType" + }, + "examples": [ + [ + "pii", + "financial" + ], + [ + "phi", + "biometric", + { + "name": "minor-health-data", + "description": "Health information for individuals under 18, subject to COPPA and HIPAA." + } + ] + ] + }, + "subjects": { + "type": "array", + "title": "Subjects", + "description": "The entities, groups, categories, or things that the data is about or pertains to. 
Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/subject" + }, + "examples": [ + [ + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR", + "IT" + ], + "regulations": [ + "GDPR" + ] + }, + { + "name": "Pediatric Patients", + "type": "group", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + } + ] + ] + }, + "purposes": { + "type": "array", + "title": "Purposes", + "description": "The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/purpose" + }, + "examples": [ + [ + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + } + ] + ] + }, + "jurisdictions": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/jurisdictions", + "description": "The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about." + }, + "regulations": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/regulations", + "description": "The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about." 
+ }, + "dataFormats": { + "type": "array", + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The formats in which the data is stored or transmitted.", + "examples": [ + [ + "JSON", + "CSV", + "Parquet" + ] + ] + }, + "schema": { + "type": "array", + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "References to schema contracts or documents describing the data structure.", + "examples": [ + [ + "https://example.com/schemas/customer-v2.json" + ] + ] + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." + }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." 
+ }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." + }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." + }, + "ttl": { + "type": "integer", + "title": "Time to Live", + "minimum": 1, + "description": "The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. 
Distinct from retention, which applies to persisted data and is governed by requirement objects.", + "examples": [ + 300, + 3600 + ] + }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataProfileChoice": { + "title": "Data Profile Choice", + "description": "A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to a previously declared data profile." + } + ] + }, + "dataObject": { + "type": "object", + "title": "Data Object", + "description": "A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. A single profile may govern many data objects; each data object refers to at most one profile.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this data object." 
+ }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the data object, such as the name of the message, record, document, or table row it represents.", + "examples": [ + "user_registration", + "payment_request", + "audit_event" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes." + }, + "profile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice", + "title": "Profile", + "description": "The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in this object. May refine or extend the information types declared on the referenced profile. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType" + } + }, + "schema": { + "type": "object", + "title": "Schema", + "description": "The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the schema document." 
+ }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.", + "examples": [ + "application/schema+json", + "application/xml", + "application/vnd.apache.avro+json" + ] + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the schema, such as its version or compatibility expectations." + } + } + }, + "format": { + "type": "object", + "title": "Format", + "description": "The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the format specification." + }, + "mediaType": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the format." + } + } + }, + "attributes": { + "type": "array", + "title": "Attributes", + "description": "The fields, columns, or properties contained in this object. 
Each attribute may carry a typed information type to support field-level classification and compliance analysis.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataAttribute" + } + }, + "relationships": { + "type": "array", + "title": "Relationships", + "description": "Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataRelationship" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataAttribute": { + "type": "object", + "title": "Data Attribute", + "description": "A single field, column, or property within a data object. Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this attribute, enabling it to be referenced as a key target." + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the attribute as it appears in the data object, such as a field name, column name, or property key.", + "examples": [ + "email", + "dateOfBirth", + "panToken", + "amount" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the attribute, such as its semantics, expected values, or constraints." + }, + "informationType": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType", + "title": "Information Type", + "description": "The information type carried by this attribute. Field-level typing enables compliance analysis at finer granularity than the object-level information types." 
+ }, + "required": { + "type": "boolean", + "title": "Required", + "description": "Indicates whether the attribute is required for the data object to be valid." + }, + "sensitive": { + "type": "boolean", + "title": "Sensitive", + "description": "Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls." + }, + "key": { + "type": "string", + "title": "Key", + "enum": [ + "primary", + "foreign", + "unique" + ], + "meta:enum": { + "primary": "The attribute is part of the primary key that uniquely identifies the data object.", + "foreign": "The attribute is a foreign key referencing another data object.", + "unique": "The attribute carries a uniqueness constraint." + }, + "description": "The key role of the attribute within the data object." + }, + "references": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "References", + "description": "For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataRelationship": { + "type": "object", + "title": "Data Relationship", + "description": "A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.", + "additionalProperties": false, + "required": [ + "target", + "cardinality" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the relationship, such as the role or verb that describes it." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the relationship." 
+ }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Target", + "description": "Reference using bom-link or bom-ref to the related data object." + }, + "cardinality": { + "type": "string", + "title": "Cardinality", + "enum": [ + "one-to-one", + "one-to-many", + "many-to-one", + "many-to-many" + ], + "meta:enum": { + "one-to-one": "Each record of the source relates to at most one record of the target, and the reverse.", + "one-to-many": "Each record of the source relates to many records of the target.", + "many-to-one": "Many records of the source relate to one record of the target.", + "many-to-many": "Many records of the source relate to many records of the target." + }, + "description": "The cardinality of the relationship." + }, + "sourceAttributes": { + "type": "array", + "title": "Source Attributes", + "description": "References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "targetAttributes": { + "type": "array", + "title": "Target Attributes", + "description": "References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "subject": { + "type": "object", + "title": "Subject", + "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.", + "additionalProperties": false, + "anyOf": [ + { + "required": [ + "name", + "type" + ] + }, + { + "required": [ + "party" + ] + }, + { + "required": [ + "ref" + ] + } + ], + "examples": [ + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR" + ], + "regulations": [ + "GDPR" + ] + }, + { + "ref": "party-pediatric-patients", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + }, + { + "party": { + "roles": [ + { + "role": "data-subject" + } + ], + "persona": { + "archetype": "customer", + "scope": "external", + "description": "Fleet vehicle owners enrolled in the connected-services platform." + } + }, + "protectedClass": false + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.", + "minLength": 1, + "examples": [ + "EU Residents", + "Pediatric Patients", + "Fleet Vehicles" + ] + }, + "type": { + "type": "string", + "title": "Type", + "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. 
Optional when `party` or `ref` is supplied.", + "minLength": 1, + "examples": [ + "individual", + "group", + "technology" + ] + }, + "party": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/party", + "title": "Party", + "description": "An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`." + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it." + }, + "protectedClass": { + "type": "boolean", + "title": "Protected Class", + "description": "Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information." + }, + "jurisdictions": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/jurisdictions", + "description": "The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself." 
+ }, + "regulations": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/regulations", + "description": "The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "jurisdictions": { + "type": "array", + "title": "Jurisdictions", + "description": "The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 2, + "examples": [ + "US", + "GB", + "US-CA" + ] + }, + "examples": [ + [ + "US", + "GB", + "DE" + ] + ] + }, + "regulations": { + "type": "array", + "title": "Regulations", + "description": "The specific laws, regulations, or compliance frameworks that apply.", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1, + "examples": [ + "GDPR", + "HIPAA", + "PCI-DSS" + ] + }, + "examples": [ + [ + "GDPR", + "CCPA", + "PCI-DSS" + ] + ] + }, + "purpose": { + "type": "object", + "title": "Purpose", + "description": "The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). 
Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.", + "required": [ + "name" + ], + "additionalProperties": false, + "examples": [ + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + }, + { + "name": "Marketing Analytics", + "legalBasis": "consent" + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the purpose for which data is collected or processed.", + "minLength": 1, + "examples": [ + "Service Delivery", + "Fraud Prevention", + "Marketing Analytics" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose." + }, + "legalBasis": { + "type": "string", + "title": "Legal Basis", + "description": "The legal basis under applicable law that authorises data collection or processing for this purpose. Use terminology consistent with the applicable jurisdiction and regulation.", + "minLength": 1, + "examples": [ + "consent", + "contract", + "legitimate interest" + ] + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataClassification": { + "title": "Data Classification", + "description": "Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. 
Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Classification", + "description": "A predefined classification level from the enumeration.", + "enum": [ + "confidential", + "internal", + "public", + "restricted", + "classified" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection.", + "internal": "Internal use only within the organisation.", + "public": "Public information that can be freely shared.", + "restricted": "Highly restricted information with limited access and special protection measures.", + "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations." + } + }, + { + "type": "object", + "title": "Custom Classification", + "description": "A custom classification level not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom classification level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of what this custom classification level means and the protections it implies." + } + } + } + ] + }, + "informationType": { + "title": "Information Type", + "description": "Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
A single dataset can contain multiple information types and is captured as an array on the data profile.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Information Type", + "description": "A predefined information type from the enumeration.", + "enum": [ + "authentication", + "behavioral", + "biometric", + "communication", + "credentials", + "device", + "financial", + "genetic", + "intellectual-property", + "location", + "logs", + "operational", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "authentication": "Authentication data such as passwords, PINs, or security questions.", + "behavioral": "Behavioural data such as browsing history, usage patterns, or profiling data.", + "biometric": "Biometric data such as fingerprints, facial recognition, or voice patterns.", + "communication": "Communication content such as messages, emails, or call records.", + "credentials": "Secrets, tokens, or credentials.", + "device": "Device identifiers or hardware-level data.", + "financial": "Financial statements or transaction data.", + "genetic": "Genetic or genomic data.", + "intellectual-property": "Intellectual property or trade secrets.", + "location": "Precise or inferred geographic location data.", + "logs": "Operational or security log data.", + "operational": "Operational or process data.", + "pci": "Payment card industry data.", + "phi": "Protected health information.", + "pii": "Personally identifiable information.", + "safety": "Safety critical data or signals.", + "telemetry": "System or product telemetry data." + } + }, + { + "type": "object", + "title": "Custom Information Type", + "description": "A custom information type not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom information type." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom information type and any handling implications it carries." + } + } + } + ] + }, + "dataGovernance": { + "type": "array", + "title": "Data Governance", + "description": "Parties responsible for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + } + }, + "dataFlowDirection": { + "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", + "enum": [ + "bi-directional", + "inbound", + "outbound", + "unknown" + ], + "meta:enum": { + "bi-directional": "Data flows in and out of the service.", + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "unknown": "The directional flow of data is not known." + } + } + } + }, + "cyclonedx-declaration-2.0": { + "type": "null", + "title": "CycloneDX Declaration Model", + "$defs": { + "declarations": { + "type": "object", + "title": "Declarations", + "description": "The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.", + "additionalProperties": false, + "properties": { + "assessors": { + "type": "array", + "title": "Assessors", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", + "items": { + "type": "object", + "title": "Assessor", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The entity issuing the assessment." + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", + "items": { + "type": "object", + "title": "Attestation", + "additionalProperties": false, + "properties": { + "summary": { + "type": "string", + "title": "Summary", + "description": "The short description explaining the main points of the attestation." + }, + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Assessor", + "description": "The `bom-ref` to the assessor asserting the attestation." 
+ }, + "map": { + "type": "array", + "title": "Map", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", + "items": { + "type": "object", + "title": "Map", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Requirement", + "description": "The `bom-ref` to the requirement being attested to." + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterClaims": { + "type": "array", + "title": "Counter Claims", + "description": "The list of `bom-ref` to the counter claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "conformance": { + "type": "object", + "title": "Conformance", + "description": "The conformance of the claim meeting a requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the conformance score." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } } - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." 
} + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "The confidence of the claim meeting the requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the confidence score." + } + } + } + } + } + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of claims.", + "items": { + "type": "object", + "title": "Claim", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Target", + "description": "Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit." + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "The specific statement or assertion about the target." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. 
Each mitigation strategy should be substantiated by evidence.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "The written explanation of why the evidence provided substantiates the claim." + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "title": "Evidence", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "propertyName": { + "type": "string", + "title": "Property Name", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." 
+ }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "title": "Data", + "additionalProperties": false, + "properties": { + "name": { + "title": "Data Name", + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The date and time (timestamp) when the evidence is no longer valid." + }, + "author": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." 
+ }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + } + }, + "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + } + }, + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + } + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "additionalProperties": false, + "properties": { + "statement": { + "type": "string", + "title": "Statement", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ + "I certify, to the best of my knowledge, that all information is correct." 
+ ] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "title": "Signatory", + "additionalProperties": false, + "oneOf": [ + { + "required": [ + "signature" + ] }, { - "title": "Custom State", "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "State", - "description": "The name of the certificate lifecycle state." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the certificate lifecycle state." - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." - } - } + "externalReference", + "organization" + ] } - ] + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." 
+ }, + "externalReference": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + } + } + }, + "cyclonedx-definition-2.0": { + "type": "null", + "title": "CycloneDX Definition Model", + "$defs": { + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" + }, + "patents": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + }, + "useCases": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCases" + }, + "requirements": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirements" + }, + "businessObjectives": { + "$ref": "#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjectives" + } + } + } + } + }, + "cyclonedx-dependency-2.0": { + "type": "null", + "title": "CycloneDX Dependency Model", + "$defs": { + "dependencies": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships including provided & implemented components." + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. 
It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + } + } + }, + "cyclonedx-formulation-2.0": { + "type": "null", + "title": "CycloneDX Formulation Model", + "$defs": { + "formulation": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" + }, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. 
Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workflow": { + "title": "Workflow", + 
"description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "taskTypes": { + 
"title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + } + }, + "runtimeTopology": { + 
"title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + 
"outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": { + "type": "string" + } + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": [ + 
"ConfigMap", + "Secret" + ], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": [ + "a kubernetes Persistent Volume Claim (PVC) name" + ], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": [ + "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", + "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": [ + "10GB", + "2Ti", + "1Pi" + ], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or 
`externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { 
+ "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist 
of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "outputType": { + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": [ + "a log file described as an `externalReference` within its target domain." 
+ ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ }
+ ]
+ },
+ "uniqueItems": true
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "resourceReferenceChoice": {
+ "title": "Resource reference choice",
+ "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.",
+ "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "title": "BOM Reference",
+ "description": "References an object by its bom-ref attribute",
+ "anyOf": [
+ {
+ "title": "Ref",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "externalReference": {
+ "title": "External reference",
+ "description": "Reference to an externally accessible resource.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "ref"
+ ]
+ },
+ {
+ "required": [
+ "externalReference"
+ ]
+ }
+ ]
+ },
+ "condition": {
+ "title": "Condition",
+ "description": "A condition that was used to determine a trigger should be activated.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "title": "Description",
+ "description": "Describes the set of conditions which cause the trigger to activate.",
+ "type": "string"
+ },
+ "expression": {
+ "title": "Expression",
+ "description": "The logical expression that was evaluated that determined the trigger should be fired.",
+ "type": "string"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "taskType": {
+ "type": "string",
+ "enum": [
+ "copy",
+ "clone",
+ "lint",
+ "scan",
+ "merge",
+ "build",
+ "test",
+ "deliver",
+ "deploy",
+ "release",
+ "clean",
+ "other"
+ ],
+ "meta:enum": {
+ 
"copy": "A task that copies software or data used to accomplish other tasks in the workflow.",
+ "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.",
+ "lint": "A task that checks source code for programmatic and stylistic errors.",
+ "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.",
+ "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.",
+ "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.",
+ "test": "A task that verifies the functionality of a component or service.",
+ "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.",
+ "deploy": "A task that deploys a built artifact for execution on one or more target systems.",
+ "release": "A task that releases a built, versioned artifact to a target repository or distribution system.",
+ "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.",
+ "other": "A workflow task that does not match current task type definitions."
+ }
+ },
+ "parameter": {
+ "title": "Parameter",
+ "description": "A representation of a functional parameter.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "title": "Name",
+ "description": "The name of the parameter.",
+ "type": "string"
+ },
+ "value": {
+ "title": "Value",
+ "description": "The value of the parameter.",
+ "type": "string"
+ },
+ "dataType": {
+ "title": "Data type",
+ "description": "The data type of the parameter.",
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-jss_X590_2023_10-2.0": {
+ "type": "null",
+ "title": "CycloneDX Model for JSON Signature Scheme (JSS)",
+ "description": "JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.",
+ "$defs": {
+ "timestamp": {
+ "title": "Timestamp",
+ "description": "An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z",
+ "$comment": "Normative source: ITU-T X.590 clause 6.1",
+ "type": "string",
+ "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$",
+ "examples": [
+ "2023-10-29T13:56:08Z",
+ "2023-10-29T13:56:08.000Z",
+ "2023-11-15T08:30:00.123Z"
+ ]
+ },
+ "identifier": {
+ "title": "Identifier",
+ "description": "A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. 
Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.1",
+ "type": "string",
+ "format": "uuid",
+ "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+ "examples": [
+ "f47ac10b-58cc-4372-a567-0e02b2c3d479"
+ ]
+ },
+ "hashAlgorithm": {
+ "title": "Hash Algorithm",
+ "description": "This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$",
+ "examples": [
+ "sha-256",
+ "sha-384",
+ "sha-512",
+ "sha3-256",
+ "sha3-512"
+ ]
+ },
+ "algorithmVocabulary": {
+ "title": "Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)",
+ "description": "NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. 
If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.2 and Table 1",
+ "type": "string",
+ "enum": [
+ "XMSS-SHA2_10_256",
+ "XMSS-SHA2_16_256",
+ "XMSS-SHA2_20_256",
+ "LMS_SHA256_M32_H5",
+ "LMS_SHA256_M32_H10",
+ "LMS_SHA256_M32_H15",
+ "LMS_SHA256_M32_H20",
+ "LMS_SHA256_M32_H25",
+ "RS256",
+ "RS384",
+ "RS512",
+ "ES256",
+ "ES384",
+ "ES512",
+ "PS256",
+ "PS384",
+ "PS512",
+ "Ed25519",
+ "Ed448"
+ ]
+ },
+ "algorithm": {
+ "title": "Signing Algorithm",
+ "description": "This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "anyOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary"
+ },
+ {
+ "type": "string",
+ "title": "Other algorithm identifier",
+ "description": "Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)."
+ }
+ ],
+ "examples": [
+ "Ed25519",
+ "ES256",
+ "XMSS-SHA2_10_256",
+ "LMS_SHA256_M32_H5",
+ "PS512"
+ ]
+ },
+ "publicKey": {
+ "title": "Public Key (PEM, header-stripped)",
+ "description": "This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "pattern": "^[A-Za-z0-9+/]+={0,2}$",
+ "examples": [
+ "MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU="
+ ]
+ },
+ "publicCertChain": {
+ "title": "Public Certificate Chain",
+ "description": "This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "description": "Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)."
+ },
+ "minItems": 1
+ },
+ "certUrl": {
+ "title": "Certificate URL",
+ "description": "This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "format": "uri",
+ "pattern": "^https://",
+ "examples": [
+ "https://pki.example.com/certs/signing-cert.pem"
+ ]
+ },
+ "thumbprint": {
+ "title": "Certificate Thumbprint",
+ "description": "This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. 
The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "pattern": "^[A-Za-z0-9_-]{43}$",
+ "examples": [
+ "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
+ ]
+ },
+ "signatureObject": {
+ "title": "Signature Object",
+ "description": "A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.",
+ "$comment": "unevaluatedProperties: true is intentional. ITU-T X.590 clause 6.2 explicitly states that implementers MAY add additional properties to satisfy meta-data requirements for their application. The clause 6.3 properties (type, id, related_to, etc.) are themselves defined as non-exhaustive examples of such extensions.",
+ "type": "object",
+ "properties": {
+ "hash_algorithm": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm"
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm"
+ },
+ "public_key": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey"
+ },
+ "public_cert_chain": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain"
+ },
+ "cert_url": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl"
+ },
+ "thumbprint": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint"
+ },
+ "value": {
+ "title": "Signature Value",
+ "description": "A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. 
In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1",
+ "type": "string",
+ "pattern": "^[A-Za-z0-9_-]+={0,2}$"
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject",
+ "title": "Counter-Signature",
+ "description": "This property enables a signature to be countersigned, meaning a signature can be signed by another signature.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.2.1"
+ },
+ "type": {
+ "title": "Type Indicator",
+ "description": "The value of this property MUST be jss.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "type": "string",
+ "const": "jss"
+ },
+ "id": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier",
+ "title": "Signature Identifier",
+ "description": "A value that uniquely identifies the signature. All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1"
+ },
+ "related_to": {
+ "title": "Related Object Reference",
+ "description": "A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "type": "string"
+ },
+ "related_version": {
+ "title": "Related Object Version",
+ "description": "A value that can identify the version of the original JSON object that was signed with this signature. 
If the signature is detached from the original JSON object this property SHOULD be populated.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "type": "string"
+ },
+ "created": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp",
+ "title": "Created Timestamp",
+ "description": "The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"
+ },
+ "modified": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp",
+ "title": "Modified Timestamp",
+ "description": "The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. If the created and modified properties are the same, then this is the first version of the signature.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1. Cross-field invariant: 'modified' MUST be greater than or equal to 'created'. 
JSON Schema 2020-12 cannot compare two sibling property values, so this constraint is NOT enforced by this schema and MUST be validated by the consuming tool or conformance suite.",
+ "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"
+ },
+ "revoked": {
+ "title": "Revoked Flag",
+ "description": "A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "type": "boolean",
+ "default": false
+ },
+ "signee": {
+ "title": "Signee",
+ "description": "An unstructured string value for the name of the entity or organization that produced this signature.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1",
+ "type": "string"
+ },
+ "valid_from": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp",
+ "title": "Valid From",
+ "description": "The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1"
+ },
+ "valid_until": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp",
+ "title": "Valid Until",
+ "description": "The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. If the revoked property is true then this property MUST be ignored.",
+ "$comment": "Normative source: ITU-T X.590 clause 6.3.1. Cross-field invariant: when 'valid_from' is present, 'valid_until' MUST be greater than 'valid_from'. 
JSON Schema 2020-12 cannot compare two sibling property values, so this constraint is NOT enforced by this schema and MUST be validated by the consuming tool or conformance suite."
+ }
+ },
+ "required": [
+ "hash_algorithm",
+ "algorithm",
+ "value"
+ ],
+ "anyOf": [
+ {
+ "required": [
+ "public_key"
+ ],
+ "description": "Public key material provided as PEM-encoded public key (header/footer stripped)."
+ },
+ {
+ "required": [
+ "public_cert_chain"
+ ],
+ "description": "Public key material provided as a base64-encoded DER X.509 certificate chain."
+ },
+ {
+ "required": [
+ "cert_url"
+ ],
+ "description": "Public key material provided by reference to a TLS-accessible certificate URI."
+ },
+ {
+ "required": [
+ "thumbprint"
+ ],
+ "description": "Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint."
+ }
+ ],
+ "unevaluatedProperties": true
+ },
+ "signatures": {
+ "title": "Signatures Array",
+ "description": "A JSON array of one or more signature objects. MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. 
All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.",
+ "$comment": "Normative source: ITU-T X.590 clause 6 – 'The property that holds the signature MUST be a JSON list property and MUST be located at the top-level of the original JSON object.'",
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject"
+ },
+ "minItems": 1
+ }
+ }
+ },
+ "cyclonedx-license-2.0": {
+ "type": "null",
+ "title": "CycloneDX License Model",
+ "$defs": {
+ "licenseChoice": {
+ "title": "License Choice",
+ "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.",
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "title": "License",
+ "required": [
+ "license"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "license": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license"
 }
- },
- "creationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Creation Date",
- "description": "The date and time (timestamp) when the certificate was created or pre-activated."
- },
- "activationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Activation Date",
- "description": "The date and time (timestamp) when the certificate was activated."
- },
- "deactivationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Deactivation Date",
- "description": "The date and time (timestamp) when the related certificate was deactivated."
- },
- "revocationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Revocation Date",
- "description": "The date and time (timestamp) when the certificate was revoked."
- },
- "destructionDate": {
- "type": "string",
- "format": "date-time",
- "title": "Destruction Date",
- "description": "The date and time (timestamp) when the certificate was destroyed."
- },
- "certificateExtensions": {
- "type": "array",
- "title": "Certificate Extensions",
- "description": "A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.",
- "items": {
- "type": "object",
- "title": "Extension",
- "description": "",
- "oneOf": [
- {
- "title": "Common Extensions",
- "required": [
- "commonExtensionName",
- "commonExtensionValue"
- ],
- "additionalProperties": false,
- "properties": {
- "commonExtensionName": {
- "type": "string",
- "title": "name",
- "description": "The name of the extension.",
- "enum": [
- "basicConstraints",
- "keyUsage",
- "extendedKeyUsage",
- "subjectAlternativeName",
- "authorityKeyIdentifier",
- "subjectKeyIdentifier",
- "authorityInformationAccess",
- "certificatePolicies",
- "crlDistributionPoints",
- "signedCertificateTimestamp"
- ],
- "meta:enum": {
- "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
- "keyUsage": "Specifies the allowed uses of the public key in the certificate.",
- "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
- "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
- "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
- "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
- "authorityInformationAccess": "Contains CA issuers and OCSP information.",
- "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
- "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
- "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. 
Log ID, timestamp and signature as proof."
- }
- },
- "commonExtensionValue": {
- "type": "string",
- "title": "Value",
- "description": "The value of the certificate extension."
- }
+ }
+ },
+ {
+ "title": "License Expression",
+ "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "expression"
+ ],
+ "properties": {
+ "expression": {
+ "type": "string",
+ "title": "SPDX License Expression",
+ "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.",
+ "examples": [
+ "Apache-2.0 AND (MIT OR GPL-2.0-only)",
+ "GPL-3.0-only WITH Classpath-exception-2.0"
+ ]
+ },
+ "expressionDetails": {
+ "title": "Expression Details",
+ "description": "Details for parts of the `expression`.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.",
+ "required": [
+ "licenseIdentifier"
+ ],
+ "properties": {
+ "licenseIdentifier": {
+ "title": "License Identifier",
+ "description": "The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.",
+ "type": "string",
+ "examples": [
+ "Apache-2.0",
+ "GPL-3.0-only WITH Classpath-exception-2.0",
+ "LicenseRef-my-custom-license"
+ ]
+ },
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "text": {
+ "title": "License texts",
+ "description": "A way to include the textual content of the license.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "License URL",
+ "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
+ "examples": [
+ "https://www.apache.org/licenses/LICENSE-2.0.txt"
+ ],
+ "format": "iri-reference"
 }
 },
- {
- "title": "Custom Extensions",
- "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.",
- "required": [
- "customExtensionName"
- ],
- "additionalProperties": false,
- "properties": {
- "customExtensionName": {
- "type": "string",
- "title": "Name",
- "description": "The name for the custom certificate extension."
- },
- "customExtensionValue": {
- "type": "string",
- "title": "Value",
- "description": "The description of the custom certificate extension." 
- }
- }
- }
- ]
+ "additionalProperties": false
+ }
+ },
+ "acknowledgement": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"
+ },
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "licensing": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
- },
- "relatedCryptographicAssets": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
 }
 }
 }
+ ]
+ }
+ },
+ "license": {
+ "type": "object",
+ "title": "License",
+ "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.",
+ "oneOf": [
+ {
+ "required": [
+ "id"
+ ]
 },
- "relatedCryptoMaterialProperties": {
- "type": "object",
- "title": "Related Cryptographic Material Properties",
- "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.",
- "additionalProperties": false,
- "properties": {
- "type": {
- "type": "string",
- "title": "relatedCryptoMaterialType",
- "description": "The type for the related cryptographic material.",
- "enum": [
- "private-key",
- "public-key",
- "secret-key",
- "key",
- "ciphertext",
- "signature",
- "digest",
- "initialization-vector",
- "nonce",
- "seed",
- "salt",
- "shared-secret",
- "tag",
- "additional-data",
- "password",
- "credential",
- "token",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "private-key": "The confidential key of a key pair used in asymmetric 
cryptography.",
- "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.",
- "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.",
- "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.",
- "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).",
- "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.",
- "digest": "The output of the hash function.",
- "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.",
- "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.",
- "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.",
- "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.",
- "shared-secret": "A piece of data known only to the parties involved, in a secure communication.",
- "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.",
- "additional-data": "An unspecified collection of data with relevance to cryptographic activity.",
- "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.",
- "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.",
- "token": "An object encapsulating a security identity.",
- "other": "Another type of cryptographic asset.",
- "unknown": "The type of cryptographic asset is not known."
- }
- },
- "id": {
- "type": "string",
- "title": "ID",
- "description": "The unique identifier for the related cryptographic material."
- },
- "state": {
- "type": "string",
- "title": "State",
- "description": "The key state as defined by NIST SP 800-57.",
- "enum": [
- "pre-activation",
- "active",
- "suspended",
- "deactivated",
- "compromised",
- "destroyed"
- ]
- },
- "creationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Creation Date",
- "description": "The date and time (timestamp) when the related cryptographic material was created."
- },
- "activationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Activation Date",
- "description": "The date and time (timestamp) when the related cryptographic material was activated."
- },
- "updateDate": {
- "type": "string",
- "format": "date-time",
- "title": "Update Date",
- "description": "The date and time (timestamp) when the related cryptographic material was updated."
- },
- "expirationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Expiration Date",
- "description": "The date and time (timestamp) when the related cryptographic material expires."
- },
- "value": {
- "type": "string",
- "title": "Value",
- "description": "The associated value of the cryptographic material."
- },
- "size": {
- "type": "integer",
- "title": "Size",
- "description": "The size of the cryptographic asset (in bits)."
- },
- "format": {
- "type": "string",
- "title": "Format",
- "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)."
- },
- "securedBy": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy",
- "title": "Secured By",
- "description": "The mechanism by which the cryptographic asset is secured by."
- }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint" + { + "required": [ + "name" + ] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "../spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": [ + "Apache-2.0" + ] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": [ + "Acme Software License" + ] + }, + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "A way to include the textual content of a license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + }, + "licensing": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." 
+ } + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] }, - "keyUsage": { - "type": "array", - "title": "Key Usage", - "description": "Defines the permitted cryptographic usage for the asset.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction", - "title": "Usage", - "description": "A permitted cryptographic usage." 
- } + { + "required": [ + "individual" + ] } - } + ] }, - "protocolProperties": { + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", "type": "object", - "title": "Protocol Properties", - "description": "Properties specific to cryptographic assets of type: `protocol`.", "additionalProperties": false, "properties": { - "type": { - "type": "string", - "title": "Type", - "description": "The concrete protocol type.", - "enum": [ - "tls", - "ssh", - "ipsec", - "ike", - "sstp", - "wpa", - "dtls", - "quic", - "eap-aka", - "eap-aka-prime", - "prins", - "5g-aka", - "other", - "unknown" - ], - "meta:enum": { - "tls": "Transport Layer Security", - "ssh": "Secure Shell", - "ipsec": "Internet Protocol Security", - "ike": "Internet Key Exchange", - "sstp": "Secure Socket Tunneling Protocol", - "wpa": "Wi-Fi Protected Access", - "dtls": "Datagram Transport Layer Security", - "quic": "Quick UDP Internet Connections", - "eap-aka": "Extensible Authentication Protocol variant", - "eap-aka-prime": "Enhanced version of EAP-AKA", - "prins": "Protection of Inter-Network Signaling", - "5g-aka": "Authentication and Key Agreement for 5G", - "other": "Another protocol type", - "unknown": "The protocol type is not known" - } + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "version": { - "type": "string", - "title": "Protocol Version", - "description": "The version of the protocol.", - "examples": [ - "1.0", - "1.2", - "1.99" + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" ] }, - "cipherSuites": { - "type": "array", - "title": "Cipher Suites", 
- "description": "A list of cipher suites related to the protocol.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", - "title": "Cipher Suite" - } + { + "required": [ + "individual" + ] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "ikev2TransformTypes": { - "type": "object", - "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", - "additionalProperties": false, - "properties": { - "encr": { - "type": "array", - "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", - "title": "Encryption Algorithm (ENCR)" - } - }, - "prf": { - "type": "array", - "title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", - "title": "Pseudorandom Function (PRF)" - } - }, - "integ": { - "type": "array", - "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", - "title": "Integrity Algorithm (INTEG)" - } - }, - "ke": { - "type": "array", - "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", - "items": { - "$ref": 
"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" - } - }, - "esn": { - "type": "boolean", - "title": "Extended Sequence Number (ESN)", - "description": "Specifies if an Extended Sequence Number (ESN) is used." - }, - "auth": { - "type": "array", - "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", - "title": "IKEv2 Authentication Method" - } - } - } + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + { + "required": [ + "individual" + ] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User 
license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." } } }, - "oid": { + "lastRenewal": { "type": "string", - "title": "OID", - "description": "The object identifier (OID) of the cryptographic asset." + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." 
+ }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." } } - }, - "cipherSuite": { + } + } + }, + "cyclonedx-metadata-2.0": { + "type": "null", + "title": "CycloneDX Metadata Model", + "$defs": { + "metadata": { "type": "object", - "title": "Cipher Suite", - "description": "Object representing a cipher suite.", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM.", "additionalProperties": false, "properties": { - "name": { + "timestamp": { "type": "string", - "title": "Common Name", - "description": "A common name for the cipher suite.", - "examples": [ - "TLS_DHE_RSA_WITH_AES_128_CCM" - ] + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" }, - "identifiers": { - "type": "array", - "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite.", - "items": { - "type": "string", - "title": "identifier", - "description": "Cipher suite identifier.", - "examples": [ - "0xC0", - "0x9E" - ] + "tools": { + "type": "object", + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components", + "description": "A list of software and hardware components used as tools." 
+ }, + "services": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } } }, - "tlsGroups": { - "type": "array", - "title": "TLS Groups", - "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", - "items": { - "type": "string", - "title": "Group Name", - "description": "The name of the TLS group.", - "examples": [ - "x25519", - "ffdhe2048" - ] - } + "manufacturer": { + "title": "BOM Manufacturer", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "tlsSignatureSchemes": { + "authors": { "type": "array", - "title": "TLS Signature Schemes", - "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "title": "BOM Authors", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", "items": { - "type": "string", - "title": "Signature Scheme", - "description": "The name of the TLS signature scheme.", - "examples": [ - "ecdsa_secp256r1_sha256", - "rsa_pss_rsae_sha256", - "ed25519" - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" } + }, + "component": { + "description": "The component that the BOM describes.", + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice" + }, + "distributionConstraints": { + "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Enc": { + "distributionConstraints": { + "title": "Distribution Constraints", + "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", "type": "object", - "title": "Encryption Algorithm (ENCR)", - "description": "Object representing an encryption algorithm (ENCR).", + "properties": { + "tlp": { + "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification", + "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." + } + } + }, + "tlpClassification": { + "title": "Traffic Light Protocol (TLP) Classification", + "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "type": "string", + "default": "CLEAR", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "AMBER_AND_STRICT", + "RED" + ], + "meta:enum": { + "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." + } + } + } + }, + "cyclonedx-party-2.0": { + "type": "null", + "title": "CycloneDX Party Model", + "$defs": { + "party": { + "type": "object", + "title": "Party", + "description": "Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. 
Optional sub-objects layer inter-party relationships and standard extension data.", + "required": [ + "roles" + ], "additionalProperties": false, "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the encryption method.", - "examples": [ - "ENCR_AES_GCM_16" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "roles": { + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/role" + }, + "title": "Roles", + "description": "One or more roles the party fulfils. Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/organization", + "description": "Identity attributes valid when the party is an organization, company, government body, or other collective." + }, + "person": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/person", + "description": "Identity attributes valid when the party is an individual person." + }, + "system": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/system", + "title": "System", + "description": "Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent." + }, + "persona": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/persona", + "title": "Persona", + "description": "Identity attributes valid when the party is an abstract archetype rather than a specific named instance." + }, + "relations": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyRelations", + "title": "Relations", + "description": "Links from this party to other parties." 
+ }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "person" ] }, - "keyLength": { - "type": "integer", - "title": "Encryption algorithm key length", - "description": "The key length of the encryption algorithm." + { + "required": [ + "system" + ] }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + { + "required": [ + "persona" + ] } + ] + }, + "parties": { + "type": "array", + "title": "Parties", + "description": "Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.", + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" } }, - "ikeV2Prf": { - "type": "object", - "title": "Pseudorandom Function (PRF)", - "description": "Object representing a pseudorandom function (PRF).", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the pseudorandom function.", - "examples": [ - "PRF_HMAC_SHA2_256" - ] + "partyChoice": { + "title": "Party Choice", + "description": "A party represented either as a complete object or as a reference to a previously declared party.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/party" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "A refLinkType pointing to a previously declared party." } - } + ] }, - "ikeV2Integ": { - "type": "object", - "title": "Integrity Algorithm (INTEG)", - "description": "Object representing an integrity algorithm (INTEG).", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the integrity algorithm.", - "examples": [ - "AUTH_HMAC_SHA2_256_128" - ] + "role": { + "title": "Role", + "description": "A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. 
The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + { + "title": "Custom Role", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom role.", + "examples": [ + "Chief Executive Officer", + "Data Protection Officer", + "Release Manager" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom role, including its responsibilities and scope." + }, + "order": { + "type": "integer", + "minimum": 1, + "title": "Order", + "description": "Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked." + } + } } - } + ] }, - "ikeV2Ke": { + "preDefinedRole": { + "title": "Pre-Defined Role", "type": "object", - "title": "Key Exchange Method (KE)", - "description": "Object representing a key exchange method (KE).", + "required": [ + "role" + ], "additionalProperties": false, "properties": { - "group": { - "type": "integer", - "title": "Group Identifier", - "description": "A group identifier for the key exchange algorithm." 
+ "role": { + "type": "string", + "title": "Role", + "description": "A predefined role from the CycloneDX role taxonomy.", + "enum": [ + "agent", + "assembler", + "asserter", + "attacker", + "auditor", + "author", + "broker", + "carrier", + "certificate-authority", + "committer", + "competitor", + "consignee", + "consignor", + "contributor", + "customer", + "custodian", + "customs-broker", + "data-controller", + "data-processor", + "data-recipient", + "data-subject", + "delegate", + "developer", + "distributor", + "end-user", + "engineer", + "exporter", + "freight-forwarder", + "holder", + "importer", + "insider-threat", + "inspector", + "insurer", + "integrator", + "issuer", + "key-escrow-agent", + "legal-contact", + "licensee", + "licensor", + "maintainer", + "manufacturer", + "operator", + "owner", + "packager", + "partner", + "principal", + "publisher", + "purchaser", + "quality-control", + "regulator", + "relying-party", + "repackager", + "researcher", + "reviewer", + "security-contact", + "signatory", + "steward", + "subject", + "supplier", + "support-contact", + "third-party-logistics", + "timestamp-authority", + "validation-authority", + "verifier", + "warehouse-operator" + ], + "meta:enum": { + "agent": "Software or AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.", + "assembler": "The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.", + "asserter": "The party making assertions about the subject, such as patent ownership or compliance claims.", + "attacker": "A hostile party targeting the subject.", + "auditor": "The party that conducted an audit or assessment of the subject.", + "author": "The party that created the subject. 
Common when the subject is created through manual processes.", + "broker": "The party that acts as an intermediary in commercial transactions.", + "carrier": "The party that physically transports goods, such as shipping lines, airlines, or trucking companies.", + "certificate-authority": "The party that issues, signs, and manages digital certificates within a public key infrastructure.", + "committer": "The party who committed or pushed changes to a version control system.", + "competitor": "A competing party in the same market or domain as the subject's organization.", + "consignee": "The party designated to receive a shipment of goods.", + "consignor": "The party that sends or ships goods to a consignee.", + "contributor": "A party that contributed to the development of the subject without being the primary author.", + "customer": "Customer of the organization that owns the subject.", + "custodian": "The party responsible for the safe custody, transport, and storage of the subject.", + "customs-broker": "The party that facilitates the clearance of goods through customs barriers.", + "data-controller": "The party that determines the purposes and means of processing personal data.", + "data-processor": "The party that processes personal data on behalf of a data controller.", + "data-recipient": "The party to which personal data is disclosed.", + "data-subject": "The natural person whose personal data is processed.", + "delegate": "A party exercising authority on behalf of another party identified via relations.delegatedBy.", + "developer": "Software developer or platform engineer.", + "distributor": "The party that distributes the subject to downstream consumers or customers.", + "end-user": "The end user of a system, service, or product.", + "engineer": "Engineer responsible for designing, implementing, or operating a system.", + "exporter": "The party that sends goods to another country for trade or sale.", + "freight-forwarder": "The party that arranges the 
shipment and logistics of goods on behalf of shippers.", + "holder": "The party that holds a verifiable credential, claim, or asset.", + "importer": "The party that brings goods into a country from abroad for trade or sale.", + "insider-threat": "A hostile or negligent party with legitimate access.", + "inspector": "The party that inspects goods for quality, safety, or regulatory compliance.", + "insurer": "The party that provides insurance coverage.", + "integrator": "The party that integrates the subject into a larger system or product.", + "issuer": "The party that issues a credential, claim, identifier, or asset.", + "key-escrow-agent": "The party that holds copies of cryptographic keys in escrow.", + "legal-contact": "The designated party to contact for legal matters.", + "licensee": "The party to which a license for the subject has been granted.", + "licensor": "The party that grants a license for the subject.", + "maintainer": "The party responsible for ongoing maintenance, including updates, patches, and security fixes.", + "manufacturer": "The party that manufactured or produced the subject. 
Common when the subject is produced through automated processes.", + "operator": "The party responsible for operating or running the subject in a production environment.", + "owner": "The party that holds ownership rights over the subject.", + "packager": "The party that packages goods for storage, shipment, or retail sale.", + "partner": "Business partner with a defined relationship.", + "principal": "The party on whose behalf another party acts, paired with delegate.", + "publisher": "The party that published the subject, making it available for consumption.", + "purchaser": "The party that purchased the subject or a license for its use.", + "quality-control": "The party responsible for quality control activities, including inspection, testing, and verification.", + "regulator": "Government or industry regulator with administrative authority over the subject.", + "relying-party": "The party that relies on credentials, claims, or attestations issued by another party.", + "repackager": "The party that repackages the subject, potentially combining it with other components.", + "researcher": "Security researcher, bug bounty hunter, or academic conducting authorized study.", + "reviewer": "The party that reviewed the subject or its associated evidence.", + "security-contact": "The designated party to contact in the event of a security incident.", + "signatory": "The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.", + "steward": "The party responsible for the content, context, and associated business rules of the subject.", + "subject": "The party to whom an issued credential, claim, or identifier is bound.", + "supplier": "The party that supplied the subject. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.",
+ "support-contact": "The designated party to contact for technical support.",
+ "third-party-logistics": "The party that provides outsourced logistics services.",
+ "timestamp-authority": "The party that issues trusted timestamps.",
+ "validation-authority": "The party that provides certificate validation services.",
+ "verifier": "The party that verifies credentials, claims, or attestations.",
+ "warehouse-operator": "The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre."
+ }
 },
- "algorithm": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "Algorithm reference",
- "description": "The bom-ref to algorithm cryptographic asset."
+ "order": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "Order",
+ "description": "Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.",
+ "examples": [
+ 1,
+ 2,
+ 3
+ ]
 }
 }
 },
- "ikeV2Auth": {
+ "organization": {
 "type": "object",
- "title": "IKEv2 Authentication method",
- "description": "Object representing a IKEv2 Authentication method.",
+ "title": "Organization Identity",
+ "description": "Identity attributes for a party that is an organization, company, government body, or other collective.",
 "additionalProperties": false,
 "properties": {
 "name": {
 "type": "string",
 "title": "Name",
- "description": "A name for the authentication method."
+ "description": "The common display or trading name of the organization. 
Use when the registered legal name is unknown or when the everyday name differs from the legal one.",
+ "examples": [
+ "Acme",
+ "Globex"
+ ]
 },
- "algorithm": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "Algorithm reference",
- "description": "The bom-ref to algorithm cryptographic asset."
- }
- }
- },
- "cryptographicFunction": {
- "type": "string",
- "title": "Cryptographic Function",
- "description": "A cryptographic function or usage.",
- "enum": [
- "generate",
- "paramgen",
- "paramver",
- "keygen",
- "keyver",
- "encrypt",
- "decrypt",
- "digest",
- "tag",
- "keyderive",
- "sign",
- "verify",
- "encapsulate",
- "decapsulate",
- "keyagree",
- "wrap",
- "unwrap",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "generate": "Generates random data, IVs, or nonces.",
- "paramgen": "Generates cryptographic domain parameters.",
- "paramver": "Verifies cryptographic domain parameters.",
- "keygen": "Generates cryptographic keys.",
- "keyver": "Verifies cryptographic keys.",
- "encrypt": "Transforms plaintext into ciphertext.",
- "decrypt": "Transforms ciphertext into plaintext.",
- "digest": "Computes a hash value from input data.",
- "tag": "Generates an authentication tag for data integrity.",
- "keyderive": "Derives keys from another key or shared secret.",
- "sign": "Creates a digital signature using a private key.",
- "verify": "Verifies a digital signature using a public key.",
- "encapsulate": "Encapsulates a secret using a public key (KEM).",
- "decapsulate": "Decapsulates a secret using a private key (KEM).",
- "keyagree": "Derives a shared secret between parties.",
- "wrap": "Encrypts a key for secure storage or transport.",
- "unwrap": "Decrypts a wrapped key to recover the original key.",
- "other": "Another cryptographic function.",
- "unknown": "The cryptographic function is not known." 
- } - }, - "relatedCryptographicAssets": { - "type": "array", - "title": "Related Cryptographic Assets", - "description": "A list of cryptographic assets related to this component.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" - } - }, - "relatedCryptographicAsset": { - "type": "object", - "title": "Related Cryptographic Asset", - "description": "A cryptographic assets related to this component.", - "additionalProperties": false, - "properties": { - "type": { + "legalName": { "type": "string", - "title": "Type", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "title": "Legal Name", + "description": "The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.", "examples": [ - "publicKey", - "privateKey", - "algorithm" + "Acme Microcontrollers S.r.l.", + "Acme Holdings, Inc." ] }, - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Reference to cryptographic asset", - "description": "The bom-ref to cryptographic asset." - } - } - }, - "fingerprint": { - "type": "object", - "title": "Fingerprint", - "description": "The fingerprint is a cryptographic hash of the asset.", - "oneOf": [ - { - "title": "Standard Hash", - "description": "A fingerprint computed using a standard, well-known hash algorithm.", - "required": [ - "alg", - "content" - ], - "additionalProperties": false, - "properties": { - "alg": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" - }, - "content": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue" - } - } + "description": { + "type": "string", + "title": "Description", + "description": "A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level." 
}, - { - "title": "Custom Fingerprint", - "description": "A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.", - "required": [ - "customAlg", - "customContent" - ], - "additionalProperties": false, - "properties": { - "customAlg": { - "type": "string", - "title": "Custom Fingerprint Algorithm", - "description": "The name of the custom algorithm used to compute the fingerprint." - }, - "customContent": { - "type": "string", - "title": "Custom Fingerprint Content", - "description": "The value of the fingerprint computed using the custom algorithm." + "logo": { + "type": "string", + "format": "iri-reference", + "title": "Logo", + "description": "URL to an image representing the organization. Useful for catalog, datasheet, and user interface views." + }, + "foundingDate": { + "type": "string", + "format": "date", + "title": "Founding Date", + "description": "The date the organization was founded. Supports supplier due diligence and age-of-organization signals." + }, + "dissolutionDate": { + "type": "string", + "format": "date", + "title": "Dissolution Date", + "description": "The date the organization was dissolved or wound down. When present, the organization is no longer active." + }, + "jurisdiction": { + "type": "string", + "title": "Jurisdiction", + "description": "Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.", + "examples": [ + "US-DE", + "IT-BO", + "CHE" + ] + }, + "identifiers": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/identifier" + }, + "title": "Identifiers", + "description": "Identifiers issued to or associated with the organization. May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities." 
+ }, + "formerNames": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Former Names", + "description": "Prior names of the organization. Use when the entity has been renamed, merged, or acquired. Distinct from `aliases`, which captures concurrent alternate designations.", + "examples": [ + [ + "Atmel Corporation" + ] + ] + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "uniqueItems": true, + "title": "Aliases", + "description": "Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.", + "examples": [ + [ + "Fancy Bear", + "STRONTIUM", + "Sofacy", + "Sednit", + "Pawn Storm" + ] + ] + }, + "url": { + "type": "array", + "title": "URLs", + "description": "URLs associated with the organization. Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.", + "items": { + "type": "object", + "required": [ + "url" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.", + "examples": [ + "homepage", + "support", + "press", + "status", + "repository" + ] + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "URL" + } } } + }, + "addresses": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/postalAddress" + }, + "title": "Addresses", + "description": "Physical addresses associated with the organization." 
} - ] + } }, - "securedBy": { + "person": { "type": "object", - "title": "Secured By", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "title": "Person Identity", + "description": "Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.", "additionalProperties": false, "properties": { - "mechanism": { + "name": { "type": "string", - "title": "Mechanism", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "minLength": 1, + "title": "Name", + "description": "The person's full name as they wish to be known. A single freeform string. No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.", "examples": [ - "HSM", - "TPM", - "SGX", - "Software", - "None" + "Ada Lovelace", + "Suharto", + "Maria del Carmen García López", + "Nguyá»…n Văn An" ] }, - "algorithmRef": { + "sortName": { + "type": "string", + "title": "Sort Name", + "description": "Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.", + "examples": [ + "Lovelace, Ada", + "García López, Maria del Carmen" + ] + }, + "honorificPrefix": { + "type": "string", + "title": "Honorific Prefix", + "description": "Honorific or title preceding the name, used in forms of address. Distinct from the name itself.", + "examples": [ + "Dr.", + "Prof." 
+ ] + }, + "honorificSuffix": { + "type": "string", + "title": "Honorific Suffix", + "description": "Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.", + "examples": [ + "PhD", + "Esq." + ] + }, + "jobTitle": { + "type": "string", + "title": "Job Title", + "description": "The person's job title. Useful for credit lines and attribution.", + "examples": [ + "Chief Information Security Officer", + "Data Protection Officer", + "Senior Software Engineer" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level." + }, + "email": { "type": "array", - "title": "References", - "description": "The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).", + "title": "Email", + "description": "Email addresses associated with the person. Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "type": "object", + "required": [ + "address" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "Label describing the email, such as `work`, `personal`, `support`, or `security`.", + "examples": [ + "work", + "personal", + "support", + "security" + ] + }, + "address": { + "type": "string", + "format": "idn-email", + "title": "Address" + } + } + } + }, + "phone": { + "type": "array", + "title": "Phone", + "description": "Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. 
Numbers should be expressed in E.164 form where possible.", + "items": { + "type": "object", + "required": [ + "number" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.", + "examples": [ + "office", + "mobile", + "fax", + "pager" + ] + }, + "number": { + "type": "string", + "title": "Number", + "examples": [ + "+1-555-0100", + "+44 20 7946 0958" + ] + } + } + } + }, + "url": { + "type": "array", + "title": "URLs", + "description": "URLs associated with the person. Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.", + "items": { + "type": "object", + "required": [ + "url" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.", + "examples": [ + "homepage", + "github", + "linkedin", + "orcid" + ] + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "URL" + } + } } + }, + "address": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/postalAddress", + "title": "Address" + }, + "affiliation": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Affiliation", + "description": "Reference using bom-link or bom-ref to an organization party with which the person is affiliated." } } - } - } - }, - "cyclonedx-data-2.0": { - "type": "null", - "title": "CycloneDX Data Model", - "$defs": { - "dataClassification": { - "type": "string", - "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
}, - "dataGovernance": { + "system": { "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "title": "System Identity", + "description": "Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.", "additionalProperties": false, "properties": { - "custodians": { - "type": "array", - "title": "Data Custodians", - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } + "kind": { + "title": "Kind", + "description": "The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.", + "oneOf": [ + { + "title": "Pre-Defined Kind", + "type": "string", + "enum": [ + "software-system", + "hardware-system", + "service-account", + "machine-identity", + "automation", + "agent", + "bot", + "oracle", + "smart-contract", + "device", + "robot" + ], + "meta:enum": { + "software-system": "Application, service, or platform that performs actions as itself.", + "hardware-system": "Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.", + "service-account": "Non-human identity used by automation to authenticate.", + "machine-identity": "Cryptographic identity such as a certificate principal or workload identity.", + "automation": "Pipeline, job, or scheduled task that performs actions deterministically.", + "agent": "Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.", + "bot": "Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.", + "oracle": "External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.", + "smart-contract": "On-chain program that executes deterministically.", + "device": "Physical end user device such as a phone or IoT device acting as a party in its own right.", + "robot": "Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`." + } + }, + { + "title": "Custom Kind", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom kind." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom kind." + } + } + } + ] }, - "stewards": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference to any bom-ref'd object that represents this system. The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). Use to associate the party with its concrete representation declared elsewhere." 
+ }, + "identifiers": { "type": "array", - "title": "Data Stewards", - "description": "Data stewards are responsible for data content, context, and associated business rules.", "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/identifier" + }, + "title": "Identifiers", + "description": "Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial." }, - "owners": { + "permissions": { "type": "array", - "title": "Data Owners", - "description": "Data owners are concerned with risk and appropriate access to data.", "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } + "type": "string" + }, + "uniqueItems": true, + "title": "Permissions", + "description": "Capabilities or duties the system possesses." } } }, - "dataGovernanceResponsibleParty": { + "persona": { "type": "object", + "title": "Persona Identity", + "description": "Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. When the specific instance is known (for example a tracked APT group), use `organization` instead.", "additionalProperties": false, "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" + "description": { + "type": "string", + "title": "Description", + "description": "Free-text description of the persona instance. 
Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.", + "examples": [ + "Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review." ] }, - { - "required": [ - "contact" - ] - } - ] - }, - "dataFlowDirection": { - "type": "string", - "enum": [ - "inbound", - "outbound", - "bi-directional", - "unknown" - ], - "meta:enum": { - "inbound": "Data that enters a service.", - "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", - "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." - } - } - }, - "cyclonedx-declaration-2.0": { - "type": "null", - "title": "CycloneDX Declaration Model", - "$defs": { - "declarations": { - "type": "object", - "title": "Declarations", - "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", - "additionalProperties": false, - "properties": { - "assessors": { - "type": "array", - "title": "Assessors", - "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", - "items": { - "type": "object", - "title": "Assessor", - "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
- }, - "thirdParty": { - "type": "boolean", - "title": "Third Party", - "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The entity issuing the assessment." + "archetype": { + "title": "Archetype", + "description": "The persona archetype. May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.", + "oneOf": [ + { + "title": "Pre-Defined Archetype", + "type": "string", + "enum": [ + "end-user", + "power-user", + "administrator", + "developer", + "operator", + "internal", + "external", + "anonymous", + "guest", + "customer", + "partner", + "supplier", + "vendor", + "contractor", + "third-party", + "auditor", + "researcher", + "regulator", + "law-enforcement", + "attacker", + "insider-threat", + "hacktivist", + "nation-state", + "organized-crime", + "competitor", + "public" + ], + "meta:enum": { + "end-user": "Typical end user of the system.", + "power-user": "Advanced user with higher than average privileges.", + "administrator": "Administrative or privileged user.", + "developer": "Application developer or platform engineer.", + "operator": "Operational staff running the system.", + "internal": "Generic internal party.", + "external": "Generic external party without an account or operational relationship.", + "anonymous": "Unauthenticated visitor interacting with the system.", + "guest": "Semi-authenticated user with restricted privileges.", + "customer": "Customer of the organization that owns the subject.", + "partner": "Business partner with a defined relationship.", + "supplier": "Generic supplier providing goods or services on a transactional basis.", + "vendor": "Vendor delivering and operating 
goods or services with operational access to the subject.", + "contractor": "Third party with operational access under contract.", + "third-party": "Generic third party that does not fit partner, supplier, vendor, or contractor.", + "auditor": "External auditor or assessor.", + "researcher": "Security researcher, bug bounty hunter, or academic. Authorized probing party.", + "regulator": "Government or industry regulator with administrative authority over the subject.", + "law-enforcement": "Law enforcement entity with investigative authority.", + "attacker": "Generic hostile external party.", + "insider-threat": "Hostile or negligent party with legitimate access.", + "hacktivist": "Hostile party motivated by ideology or activism.", + "nation-state": "Hostile party sponsored or directed by a national government.", + "organized-crime": "Hostile party operating as part of an organized criminal enterprise.", + "competitor": "Generic competitor.", + "public": "General public not in direct interaction with the subject." } - } - } - }, - "attestations": { - "type": "array", - "title": "Attestations", - "description": "The list of attestations asserted by an assessor that maps requirements to claims.", - "items": { - "type": "object", - "title": "Attestation", - "additionalProperties": false, - "properties": { - "summary": { - "type": "string", - "title": "Summary", - "description": "The short description explaining the main points of the attestation." - }, - "assessor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Assessor", - "description": "The `bom-ref` to the assessor asserting the attestation." 
- }, - "map": { - "type": "array", - "title": "Map", - "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", - "items": { - "type": "object", - "title": "Map", - "additionalProperties": false, - "properties": { - "requirement": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Requirement", - "description": "The `bom-ref` to the requirement being attested to." - }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of `bom-ref` to the claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterClaims": { - "type": "array", - "title": "Counter Claims", - "description": "The list of `bom-ref` to the counter claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "conformance": { - "type": "object", - "title": "Conformance", - "description": "The conformance of the claim meeting a requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the conformance score." 
- }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - } - } - }, - "confidence": { - "type": "object", - "title": "Confidence", - "description": "The confidence of the claim meeting the requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the confidence score." - } - } - } - } + }, + { + "title": "Custom Archetype", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name" + }, + "description": { + "type": "string", + "title": "Description" } - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" } } - } + ] }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of claims.", - "items": { - "type": "object", - "title": "Claim", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "target": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." 
- }, - "predicate": { - "type": "string", - "title": "Predicate", - "description": "The specific statement or assertion about the target." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "reasoning": { - "type": "string", - "title": "Reasoning", - "description": "The written explanation of why the evidence provided substantiates the claim." - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of `bom-ref` to evidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterEvidence": { - "type": "array", - "title": "Counter Evidence", - "description": "The list of `bom-ref` to counterEvidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" - } - } + "scope": { + "type": "string", + "title": "Scope", + "enum": [ + "internal", + "external", + "mixed" + ], + "meta:enum": { + "internal": "Persona is internal to the organization that owns the subject.", + "external": "Persona is external to the organization that owns the subject.", + "mixed": "Persona may appear in either internal or external contexts." 
} }, - "evidence": { + "permissions": { "type": "array", - "title": "Evidence", - "description": "The list of evidence", "items": { - "type": "object", - "title": "Evidence", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "propertyName": { - "type": "string", - "title": "Property Name", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The written description of what this evidence is and how it was created." - }, - "data": { - "type": "array", - "title": "Data", - "description": "The output or analysis that supports claims.", - "items": { - "type": "object", - "title": "Data", - "additionalProperties": false, - "properties": { - "name": { - "title": "Data Name", - "description": "The name of the data.", - "type": "string" - }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" - } - } - }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "sensitiveData": { - "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data included.", - "items": { - "type": "string" - } - }, - 
"governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" - } - } - } - }, - "created": { - "type": "string", - "format": "date-time", - "title": "Created", - "description": "The date and time (timestamp) when the evidence was created." - }, - "expires": { - "type": "string", - "format": "date-time", - "title": "Expires", - "description": "The date and time (timestamp) when the evidence is no longer valid." - }, - "author": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Author", - "description": "The author of the evidence." - }, - "reviewer": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Reviewer", - "description": "The reviewer of the evidence." - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" - } - } - } + "type": "string" + }, + "uniqueItems": true, + "title": "Permissions", + "description": "Capabilities the persona is assumed to hold." 
}, - "targets": { - "type": "object", - "title": "Targets", - "description": "The list of targets which claims are made against.", - "additionalProperties": false, - "properties": { - "organizations": { - "type": "array", - "title": "Organizations", - "description": "The list of organizations which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } - }, - "components": { - "type": "array", - "title": "Components", - "description": "The list of components which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + "assumedPosture": { + "type": "string", + "title": "Assumed Security Posture", + "description": "Assumed security posture of the persona in this context.", + "examples": [ + "authenticated", + "unauthenticated", + "authorized", + "privileged" + ] + } + } + }, + "partyRelations": { + "type": "object", + "title": "Party Relations", + "description": "Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.", + "additionalProperties": false, + "properties": { + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Parent", + "description": "Reference to a parent party. Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships." + }, + "delegatedBy": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Delegated By", + "description": "Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role." + } + } + }, + "identifier": { + "type": "object", + "title": "Identifier", + "description": "An identifier issued by a recognized authority. 
Includes legal and registration identifiers as well as machine and workload identities.", + "required": [ + "scheme", + "value" + ], + "additionalProperties": false, + "properties": { + "scheme": { + "title": "Scheme", + "description": "The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.", + "oneOf": [ + { + "title": "Pre-Defined Scheme", + "type": "string", + "enum": [ + "lei", + "duns", + "ncage", + "cage", + "eori", + "vat", + "gst", + "ein", + "tin", + "ruc", + "bvd", + "swift-bic", + "sec-cik", + "isin", + "figi", + "opencorporates", + "gln", + "gtin", + "iso6523", + "ofac-sdn", + "un-lm", + "oidc-sub", + "spiffe", + "did", + "vc-id" + ], + "meta:enum": { + "lei": "Legal Entity Identifier per ISO 17442.", + "duns": "Dun and Bradstreet D-U-N-S Number.", + "ncage": "NATO Commercial and Government Entity code.", + "cage": "United States Commercial and Government Entity code.", + "eori": "Economic Operator Registration and Identification number used in European Union customs.", + "vat": "Value Added Tax registration number.", + "gst": "Goods and Services Tax registration number.", + "ein": "United States Employer Identification Number.", + "tin": "Generic Taxpayer Identification Number.", + "ruc": "Registro Unico de Contribuyentes used in several Latin American countries.", + "bvd": "Bureau van Dijk identifier.", + "swift-bic": "Business Identifier Code per ISO 9362.", + "sec-cik": "United States Securities and Exchange Commission Central Index Key.", + "isin": "International Securities Identification Number per ISO 6166.", + "figi": "Financial Instrument Global Identifier.", + "opencorporates": "OpenCorporates company identifier.", + "gln": "GS1 Global Location Number.", + "gtin": "GS1 Global Trade Item Number when the party is also a registered trade entity.", + "iso6523": "ISO 6523 organization 
identifier. The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.", + "ofac-sdn": "United States Office of Foreign Assets Control Specially Designated Nationals list identifier.", + "un-lm": "United Nations Locode for a specific facility or jurisdiction.", + "oidc-sub": "OpenID Connect subject identifier for a machine or service identity.", + "spiffe": "SPIFFE ID for a workload identity.", + "did": "W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.", + "vc-id": "W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/." } }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + { + "title": "Custom Scheme", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name" + }, + "description": { + "type": "string", + "title": "Description" + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "URL", + "description": "URL of the scheme registry or specification." + } } } - } + ] }, - "affirmation": { + "schemeVersion": { + "type": "string", + "title": "Scheme Version", + "description": "The version of the scheme that issued this identifier, if applicable." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the identifier." 
+ }, + "issuedDate": { + "type": "string", + "format": "date", + "title": "Issued Date" + }, + "expirationDate": { + "type": "string", + "format": "date", + "title": "Expiration Date" + }, + "issuer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Issuer", + "description": "Reference using bom-link or bom-ref to the party that issued the identifier." + } + } + }, + "postalAddress": { + "type": "object", + "title": "Postal Address", + "description": "An address used to identify a contactable or operational location.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Reference Identifier", + "description": "An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers." + }, + "country": { + "type": "string", + "title": "Country", + "description": "The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative." + }, + "region": { + "type": "string", + "title": "Region", + "description": "The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.", + "examples": [ + "Texas" + ] + }, + "isoCode": { + "type": "string", + "pattern": "^[A-Z]{2}(-[A-Z0-9]{1,3})?$", + "title": "ISO Code", + "description": "An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. 
When present, this property is authoritative over the free-text country and region properties.", + "examples": [ + "IT-BO", + "US-CA", + "DE-BY" + ] + }, + "locality": { + "type": "string", + "title": "Locality", + "description": "The locality or city within the country.", + "examples": [ + "Austin" + ] + }, + "postOfficeBoxNumber": { + "type": "string", + "title": "Post Office Box Number", + "description": "The post office box number.", + "examples": [ + "901" + ] + }, + "postalCode": { + "type": "string", + "title": "Postal Code", + "description": "The postal code.", + "examples": [ + "78758" + ] + }, + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.", + "examples": [ + "100 Main Street", + "Acme Tower\nSuite 1200\n100 Main Street" + ] + }, + "coordinates": { "type": "object", - "title": "Affirmation", - "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "title": "Geographic Coordinates", + "description": "Geographic coordinates of the address.", "additionalProperties": false, + "required": [ + "latitude", + "longitude" + ], "properties": { - "statement": { - "type": "string", - "title": "Statement", - "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", - "examples": [ - "I certify, to the best of my knowledge, that all information is correct." 
- ] + "latitude": { + "type": "number", + "minimum": -90, + "maximum": 90, + "title": "Latitude", + "description": "Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision." }, - "signatories": { - "type": "array", - "title": "Signatories", - "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", - "items": { - "type": "object", - "title": "Signatory", - "additionalProperties": false, - "oneOf": [ - { - "required": [ - "signature" - ] - }, - { - "required": [ - "externalReference", - "organization" - ] - } - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The signatory's name." - }, - "role": { - "type": "string", - "title": "Role", - "description": "The signatory's role within an organization." - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The signatory's organization." - }, - "externalReference": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - } - } + "longitude": { + "type": "number", + "minimum": -180, + "maximum": 180, + "title": "Longitude", + "description": "Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision." }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + "altitude": { + "type": "number", + "title": "Altitude", + "description": "Altitude in meters above the reference ellipsoid identified by the datum property." + }, + "datum": { + "type": "string", + "title": "Datum", + "description": "The geodetic datum used for the coordinates. 
WGS84 is assumed when omitted.", + "default": "WGS84", + "examples": [ + "WGS84", + "NAD83", + "ETRS89" + ] } } - }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" - } - } - } - } - }, - "cyclonedx-definition-2.0": { - "type": "null", - "title": "CycloneDX Definition Model", - "$defs": { - "definitions": { - "type": "object", - "title": "Definitions", - "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", - "additionalProperties": false, - "properties": { - "standards": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" - }, - "patents": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" } } } } }, - "cyclonedx-dependency-2.0": { + "cyclonedx-patent-2.0": { "type": "null", - "title": "CycloneDX Dependency Model", + "title": "CycloneDX Patent Model", "$defs": { - "dependencies": { + "patents": { "type": "array", + "title": "Patents", + "description": "The list of either individual patents or patent families.", "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - }, - "uniqueItems": true, - "title": "Dependencies", - "description": "Provides the ability to document dependency relationships including provided & implemented components." - }, - "dependency": { - "type": "object", - "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.", - "required": [ - "ref" - ], - "additionalProperties": false, - "properties": { - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "References a component or service by its bom-ref attribute" - }, - "dependsOn": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - "title": "Depends On", - "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." - }, - "provides": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + "anyOf": [ + { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent" }, - "title": "Provides", - "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." - } + { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily" + } + ] } - } - } - }, - "cyclonedx-formulation-2.0": { - "type": "null", - "title": "CycloneDX Formulation Model", - "$defs": { - "formulation": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" - }, - "uniqueItems": true, - "title": "Formulation", - "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. 
Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." }, - "formula": { - "title": "Formula", - "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "patent": { "type": "object", + "title": "Patent", + "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", + "required": [ + "patentNumber", + "jurisdiction", + "patentLegalStatus" + ], "additionalProperties": false, "properties": { "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
}, - "components": { - "title": "Components", - "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true + "patentNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Number", + "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", + "examples": [ + "US987654321", + "EP1234567B1" + ] }, - "services": { - "title": "Services", - "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true + "applicationNumber": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" }, - "workflows": { - "title": "Workflows", - "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", - "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "jurisdiction": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + }, + "priorityApplication": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + }, + "publicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Publication Number", + "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. 
\n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + }, + "title": { + "type": "string", + "title": "Patent Title", + "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." + }, + "abstract": { + "type": "string", + "title": "Patent Abstract", + "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." + }, + "filingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "grantDate": { + "type": "string", + "format": "date", + "title": "Grant Date", + "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + }, + "patentExpirationDate": { + "type": "string", + "format": "date", + "title": "Expiration Date", + "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." 
+ }, + "patentLegalStatus": { + "type": "string", + "title": "Legal Status", + "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.", + "enum": [ + "pending", + "granted", + "revoked", + "expired", + "lapsed", + "withdrawn", + "abandoned", + "suspended", + "reinstated", + "opposed", + "terminated", + "invalidated", + "in-force" + ], + "meta:enum": { + "pending": "The patent application has been filed but not yet examined or granted.", + "granted": "The patent application has been examined and a patent has been issued.", + "revoked": "The patent has been declared invalid through a legal or administrative process.", + "expired": "The patent has reached the end of its enforceable term.", + "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.", + "withdrawn": "The patent application was voluntarily withdrawn by the applicant.", + "abandoned": "The patent application was abandoned, often due to lack of action or response.", + "suspended": "Processing of the patent application has been temporarily halted.", + "reinstated": "A previously abandoned or lapsed patent has been reinstated.", + "opposed": "The patent application or granted patent is under formal opposition proceedings.", + "terminated": "The patent or application has been officially terminated.", + "invalidated": "The patent has been invalidated, either in part or in full.", + "in-force": "The granted patent is active and enforceable." + } + }, + "patentAssignee": { "type": "array", + "title": "Patent Assignees", + "description": "A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" - }, - "uniqueItems": true + "oneOf": [ + { + "title": "Person", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + }, + { + "title": "Organizational Entity", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + } + ] + } }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } } }, - "workflow": { - "title": "Workflow", - "description": "A specialized orchestration task.", - "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "patentFamily": { "type": "object", + "title": "Patent Family", + "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", "required": [ - "bom-ref", - "uid", - "taskTypes" + "familyId" ], "additionalProperties": false, "properties": { "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." }, - "tasks": { - "title": "Tasks", - "description": "The tasks that comprise the workflow.", - "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" - } + "familyId": { + "type": "string", + "title": "Patent Family ID", + "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." 
}, - "taskDependencies": { - "title": "Task dependency graph", - "description": "The graph of dependencies between tasks within the workflow.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - } + "priorityApplication": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" }, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", + "members": { "type": "array", + "title": "Family Members", + "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "BOM Reference", + "description": "A `bom-ref` linking to a patent or application object within the BOM." } }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" - }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "patentAssertions": { + "type": "array", + "title": "Patent Assertions", + "description": "A list of assertions made regarding patents associated with this component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "items": { + "type": "object", + "title": "Patent Assertion", + "description": "An assertion linking a patent or patent family to this component or service.", + "required": [ + "assertionType", + "asserter" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." }, - "uniqueItems": true - }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.", + "enum": [ + "ownership", + "license", + "third-party-claim", + "standards-inclusion", + "prior-art", + "exclusive-rights", + "non-assertion", + "research-or-evaluation" + ], + "meta:enum": { + "ownership": "The manufacturer asserts ownership of the patent or patent family.", + "license": "The manufacturer asserts they have a license to use the patent or patent family.", + "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", + "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", + "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", + "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", + "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", + "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
+ } }, - "uniqueItems": true - }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "patentRefs": { + "type": "array", + "title": "Patent References", + "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + } }, - "uniqueItems": true - }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" - }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" - }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + "asserter": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organizational Entity" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Person" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." + } + ] + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." 
} + } + } + }, + "patentApplicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Application Number", + "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", + "examples": [ + "US20240000123", + "EP23123456" + ] + }, + "patentJurisdiction": { + "type": "string", + "title": "Jurisdiction", + "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", + "pattern": "^[A-Z]{2}$", + "examples": [ + "US", + "EP", + "JP" + ] + }, + "patentFilingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "priorityApplication": { + "type": "object", + "title": "Priority Application", + "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", + "required": [ + "applicationNumber", + "jurisdiction", + "filingDate" + ], + "additionalProperties": false, + "properties": { + "applicationNumber": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" }, - "runtimeTopology": { - "title": "Runtime topology", - "description": "A graph of the component runtime topology for workflow's instance.", - "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - } + "jurisdiction": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "filingDate": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" } } + } + } + }, + "cyclonedx-perspective-2.0": { + "type": "null", + "title": "CycloneDX Perspective Model", + "$defs": { + "perspectives": { + "type": "array", + "title": "Perspectives", + "description": "Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. 
Each perspective identifies relevant data types and may provide domain-specific terminology mappings.", + "items": { + "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspective" + } }, - "task": { - "title": "Task", - "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", - "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "perspective": { "type": "object", + "title": "Perspective", + "description": "A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.", + "additionalProperties": false, "required": [ - "bom-ref", - "uid", - "taskTypes" + "name", + "mappings" ], - "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "type": "string", + "title": "Perspective Name", + "description": "The name of the perspective, typically indicating the target audience or domain.", + "examples": [ + "AI/ML Transparency", + "Device Manufacturing Regulatory Compliance", + "Minimum Elements of an SBOM" + ] }, "description": { + "type": "string", "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "description": "A description of the perspective, its intended audience, and the use cases it supports." }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", + "domains": { "type": "array", - "uniqueItems": true, + "title": "Domains", + "description": "The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice" } }, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", + "mappings": { "type": "array", + "title": "Data Type Mappings", + "description": "An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. 
Each mapping may include domain-specific terminology.", + "minItems": 1, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping" } }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" - }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" - }, - "uniqueItems": true - }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" - }, - "uniqueItems": true - }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" - }, - "uniqueItems": true - }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" - }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" - }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" - }, - "uniqueItems": true - }, - "runtimeTopology": { - "title": "Runtime topology", - "description": "A graph of the component 
runtime topology for task's instance.", - "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - }, - "uniqueItems": true - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "step": { - "type": "object", - "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", - "additionalProperties": false, - "properties": { - "name": { - "title": "Name", - "description": "A name for the step.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the step.", - "type": "string" - }, - "commands": { - "title": "Commands", - "description": "Ordered list of commands or directives for the step", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" - } + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "command": { + "perspectiveMapping": { "type": "object", + "title": "Perspective Mapping", + "description": "Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. 
Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.", "additionalProperties": false, - "properties": { - "executed": { - "title": "Executed", - "description": "A text representation of the executed command.", - "type": "string" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "workspace": { - "title": "Workspace", - "description": "A named filesystem or data resource shareable by workflow tasks.", - "type": "object", "required": [ - "bom-ref", - "uid" + "expression" ], - "additionalProperties": false, "properties": { - "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" - }, - "aliases": { - "title": "Aliases", - "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", - "type": "array", - "items": { - "type": "string" - } - }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "expression": { + "type": "string", + "title": "Path Expression", + "description": "A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.", + "examples": [ + "$.components[*].pedigree", + "$.components[?(@.type=='machine-learning-model')].modelCard", + "$.components[?(@.type=='cryptographic-asset')]", + "$.vulnerabilities" + ] }, - "accessMode": { - "title": "Access mode", - "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "nativeName": { "type": "string", - "enum": [ - "read-only", - "read-write", - "read-write-once", - "write-once", - "write-only" + "title": "Native Name", + "description": "The domain-specific term used by the target audience to describe the data identified by the expression.", + "examples": [ + "Foundation Models", + "Training Corpus", + "Cryptographic Inventory", + "Component Provenance" ] }, - "mountPath": { - "title": "Mount path", - "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", - "type": "string" + "nativeDescription": { + "type": "string", + "title": "Native Description", + "description": "A domain-specific description of the data type, explaining its significance within the context of the perspective." 
+ }, + "relevance": { + "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance" }, - "managedDataType": { - "title": "Managed data type", - "description": "The name of a domain-specific data type the workspace represents.", - "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", - "examples": [ - "ConfigMap", - "Secret" - ], - "type": "string" + "weight": { + "type": "number", + "title": "Weight", + "description": "Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. This allows for relative ranking of mappings, where higher values indicate greater importance.", + "minimum": 0, + "maximum": 1 }, - "volumeRequest": { - "title": "Volume request", - "description": "Identifies the reference to the request for a specific volume type and parameters.", - "examples": [ - "a kubernetes Persistent Volume Claim (PVC) name" - ], - "type": "string" + "rationale": { + "type": "string", + "title": "Rationale", + "description": "Explains why this data type is relevant to the perspective and how it should be interpreted or used." + } + } + }, + "perspectiveRelevance": { + "type": "string", + "title": "Perspective Relevance", + "description": "Indicates the importance of a data type to a perspective.", + "enum": [ + "required", + "recommended", + "optional", + "informative" + ], + "meta:enum": { + "required": "This data type is essential for the perspective and should always be present.", + "recommended": "This data type is highly relevant and should be included when available.", + "optional": "This data type provides supplementary information that may be useful.", + "informative": "This data type provides background context but is not directly actionable." 
+ } + }, + "perspectiveDomainChoice": { + "title": "Perspective Domain Choice", + "description": "Allows selection of a pre-defined domain or specification of a custom domain.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain" }, - "volume": { - "title": "Volume", - "description": "Information about the actual volume instance allocated to the workspace.", - "$comment": "The actual volume allocated may be different than the request.", - "examples": [ - "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" + { + "type": "object", + "title": "Custom Domain", + "required": [ + "name" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Domain Name", + "description": "The name of the custom domain." + }, + "description": { + "type": "string", + "title": "Domain Description", + "description": "A description of the custom domain, its scope, and the concerns it addresses." + } + } } + ] + }, + "preDefinedPerspectiveDomain": { + "type": "string", + "title": "Pre-Defined Perspective Domain", + "description": "A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.", + "enum": [ + "application-security", + "cloud-security", + "container-security", + "cryptographic-security", + "cyber-security", + "data-security", + "endpoint-security", + "firmware-security", + "hardware-security", + "identity-access-management", + "network-security", + "operational-security", + "physical-security", + "supply-chain-security", + "web-security", + "automotive-safety", + "aviation-safety", + "environmental-safety", + "functional-safety", + "machinery-safety", + "maritime-safety", + "nuclear-safety", + "patient-safety", + "process-safety", + "railway-safety", + "aerospace-defense", + "automotive", + "building-automation", + "consumer-electronics", + "critical-infrastructure", + "education", + "energy-utilities", + "financial-services", + "government", + "healthcare", + "insurance", + "legal", + "manufacturing", + "media-entertainment", + "pharmaceuticals", + "retail", + "telecommunications", + "transportation", + "artificial-intelligence", + "edge-computing", + "embedded-systems", + "industrial-control-systems", + "industrial-iot", + "internet-of-things", + "machine-learning", + "medical-devices", + "mobile", + "operational-technology", + "robotics", + "scada", + "smart-grid", + "data-protection", + "export-control", + "intellectual-property", + "legal-compliance", + "licensing", + "privacy", + "regulatory-compliance", + "maintainability", + "performance", + "quality-assurance", + "reliability", + "testability", + "incident-response", + "penetration-testing", + "red-team", + "risk-management", + "threat-intelligence", + "threat-modeling", + "vulnerability-management", + "accessibility", + "ethics", + "human-factors", + "interoperability", + "resilience", + "sustainability", + "transparency" + ], + "meta:enum": { + "application-security": "Security concerns related to software applications, including 
vulnerabilities, secure coding practices, input validation, and dependency management.", + "cloud-security": "Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility models.", + "container-security": "Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.", + "cryptographic-security": "Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.", + "cyber-security": "Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.", + "data-security": "Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.", + "endpoint-security": "Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.", + "firmware-security": "Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.", + "hardware-security": "Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.", + "identity-access-management": "Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.", + "network-security": "Security concerns related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.", + "operational-security": "Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.", + "physical-security": "Security concerns 
related to physical access controls, environmental protections, surveillance, and tamper evidence.", + "supply-chain-security": "Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.", + "web-security": "Security concerns specific to web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.", + "automotive-safety": "Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.", + "aviation-safety": "Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.", + "environmental-safety": "Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.", + "functional-safety": "Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.", + "machinery-safety": "Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.", + "maritime-safety": "Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.", + "nuclear-safety": "Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.", + "patient-safety": "Safety concerns for medical devices and healthcare systems focusing on preventing harm to patients, including adverse event prevention and clinical risk management.", + "process-safety": "Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.", + "railway-safety": "Safety 
concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.", + "aerospace-defense": "Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.", + "automotive": "Industry-specific concerns for automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.", + "building-automation": "Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.", + "consumer-electronics": "Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.", + "critical-infrastructure": "Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.", + "education": "Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.", + "energy-utilities": "Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.", + "financial-services": "Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.", + "government": "Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.", + "healthcare": "Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and healthcare interoperability.", + "insurance": "Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.", + "legal": "Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.", + 
"manufacturing": "Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.", + "media-entertainment": "Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.", + "pharmaceuticals": "Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and drug safety systems.", + "retail": "Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.", + "telecommunications": "Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.", + "transportation": "Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.", + "artificial-intelligence": "Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.", + "edge-computing": "Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.", + "embedded-systems": "Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.", + "industrial-control-systems": "Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.", + "industrial-iot": "Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.", + "internet-of-things": "Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.", + "machine-learning": "Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.", + 
"medical-devices": "Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.", + "mobile": "Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.", + "operational-technology": "Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system integration.", + "robotics": "Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.", + "scada": "Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.", + "smart-grid": "Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.", + "data-protection": "Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.", + "export-control": "Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.", + "intellectual-property": "Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.", + "legal-compliance": "Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.", + "licensing": "Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.", + "privacy": "Concerns related to personal data protection, privacy by design, consent management, and individual rights.", + "regulatory-compliance": "Concerns related to compliance with industry-specific regulations, standards, and certification requirements.", + "maintainability": "Concerns related to the ease of maintaining, updating, and supporting software and systems 
over their lifecycle.", + "performance": "Concerns related to system performance, scalability, response times, and resource utilisation.", + "quality-assurance": "Concerns related to testing, validation, verification, and overall quality metrics and processes.", + "reliability": "Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.", + "testability": "Concerns related to the ability to test components and systems, including test coverage, test automation, and test data management.", + "incident-response": "Concerns related to detecting, responding to, and recovering from security incidents and breaches.", + "penetration-testing": "Concerns related to authorised security testing, vulnerability assessment, and security validation activities.", + "red-team": "Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.", + "risk-management": "Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.", + "threat-intelligence": "Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.", + "threat-modeling": "Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.", + "vulnerability-management": "Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.", + "accessibility": "Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.", + "ethics": "Concerns related to ethical considerations in technology development, including algorithmic fairness and responsible innovation.", + "human-factors": "Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.", + "interoperability": "Concerns related to the ability of systems to exchange and use information effectively across boundaries.", + 
"resilience": "Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.", + "sustainability": "Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.", + "transparency": "Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition." } - }, - "volume": { - "title": "Volume", - "description": "An identifiable, logical unit of data storage tied to a physical device.", + } + } + }, + "cyclonedx-profile-2.0": { + "type": "null", + "title": "CycloneDX Profile Model", + "$defs": { + "profiles": { "type": "object", + "title": "Profiles", + "description": "A registry of reusable, named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.", "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the volume instance within its deployment context.", - "type": "string" - }, - "name": { - "title": "Name", - "description": "The name of the volume instance", - "type": "string" - }, - "mode": { - "title": "Mode", - "description": "The mode for the volume instance.", - "type": "string", - "enum": [ - "filesystem", - "block" - ], - "default": "filesystem" - }, - "path": { - "title": "Path", - "description": "The underlying path created from the actual volume.", - "type": "string" - }, - "sizeAllocated": { - "title": "Size allocated", - "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", - "examples": [ - "10GB", - "2Ti", - "1Pi" - ], - "type": "string" - }, - "persistent": { - "title": "Persistent", - "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", - "type": "boolean" - }, - "remote": { - "title": "Remote", - "description": "Indicates if the volume is remotely (i.e., network) attached.", - "type": "boolean" + "dataProfiles": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfiles" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "threatProfiles": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatProfiles" } } - }, - "trigger": { - "title": "Trigger", - "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + } + } + }, + "cyclonedx-release-notes-2.0": { + "type": "null", + "title": "CycloneDX Release Notes Model", + "$defs": { + "releaseNotes": { "type": "object", - "additionalProperties": false, + "title": "Release notes", "required": [ - "type", - "bom-ref", - "uid" + "type" ], + "additionalProperties": false, "properties": { - "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "type": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." 
}, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." }, "description": { + "type": "string", "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "description": "A short description of the release." }, - "type": { - "title": "Type", - "description": "The source type of event which caused the trigger to fire.", + "timestamp": { "type": "string", - "enum": [ - "manual", - "api", - "webhook", - "scheduled" - ] - }, - "event": { - "title": "Event", - "description": "The event data that caused the associated trigger to activate.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." 
}, - "conditions": { + "aliases": { "type": "array", - "title": "Conditions", - "description": "A list of conditions used to determine if a trigger should be activated.", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" - } + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." }, - "timeActivated": { - "title": "Time activated", - "description": "The date and time (timestamp) when the trigger was activated.", - "type": "string", - "format": "date-time" + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], + "resolves": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" }, - "uniqueItems": true + "title": "Resolves", + "description": "A collection of issues that have been resolved." }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "notes": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" }, - "uniqueItems": true + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." 
}, "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } } } }, - "event": { - "title": "Event", - "description": "Represents something that happened that may trigger a response.", + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." 
+ }, + "note": { "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier of the event.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the event.", - "type": "string" - }, - "timeReceived": { - "title": "Time Received", - "description": "The date and time (timestamp) when the event was received.", - "type": "string", - "format": "date-time" + "locale": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" }, - "data": { - "title": "Data", - "description": "Encoding of the raw event data.", + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + } + } + } + } + }, + "cyclonedx-requirement-2.0": { + "type": "null", + "title": "CycloneDX Engineering Requirement Model", + "$defs": { + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" + }, + "description": "A collection of requirements representing specific needs, constraints, or capabilities that must be met." 
+ }, + "requirement": { + "type": "object", + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", + "required": [ + "bom-ref" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "source": { - "title": "Source", - "description": "References the component or service that was the source of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." }, - "target": { - "title": "Target", - "description": "References the component or service that was the target of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "name": { + "type": "string", + "title": "Name", + "description": "A short name or title for the requirement." }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "inputType": { - "title": "Input type", - "description": "Type that represents various input data types and formats.", - "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." 
}, - { - "required": [ - "parameters" - ] + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementType" + }, + "uniqueItems": true }, - { - "required": [ - "environmentVars" + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" ] }, - { - "required": [ - "data" - ] - } - ], - "additionalProperties": false, - "properties": { - "source": { - "title": "Source", - "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", - "examples": [ - "source code repository", - "database" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "status": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus" }, - "target": { - "title": "Target", - "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", - "examples": [ - "workspace", - "directory" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." 
}, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", - "examples": [ - "a reference to a configuration file in a repository (i.e., a bom-ref)", - "a reference to a scanning service used in a task (i.e., a bom-ref)" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "stakeholders": { + "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", + "items": { + "type": "string" + }, + "uniqueItems": true }, - "parameters": { - "title": "Parameters", - "description": "Inputs that have the form of parameters with names and values.", + "acceptanceCriteria": { "type": "array", - "uniqueItems": true, + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" - } + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion" + }, + "uniqueItems": true }, - "environmentVars": { - "title": "Environment variables", - "description": "Inputs that have the form of parameters with names and values.", + "dependencies": { "type": "array", - "uniqueItems": true, + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
- } - ] - } + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/dependency" + }, + "uniqueItems": true }, - "data": { - "title": "Data", - "description": "Inputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Parent BOM Reference", + "description": "Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." + }, + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." + }, + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." + }, + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "uniqueItems": true }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } } }, - "outputType": { + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + 
"other", + "performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + 
"privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." + } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." }, - { - "required": [ - "environmentVars" - ] + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." 
}, - { - "required": [ - "data" + "status": { + "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", + "enum": [ + "pending", + "passed", + "failed" ] } - ], + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", "additionalProperties": false, "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, "type": { - "title": "Type", - "description": "Describes the type of data output.", "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", "enum": [ - "artifact", - "attestation", - "log", - "evidence", - "metrics", + "requires", + "conflicts-with", + "enhances", + "implements", "other" ] }, - "source": { - "title": "Source", - "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - }, - "target": { - "title": "Target", - "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", - "examples": [ - "a log file described as an `externalReference` within its target domain." - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource generated as output by the task.", - "examples": [ - "configuration file", - "source code", - "scanning service" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." 
+ } + } + }, + "requirementAssertions": { + "type": "array", + "title": "Requirement Assertions", + "description": "A list of assertions describing how a component relates to specific requirements.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Requirement Assertion", + "description": "An assertion linking one or more requirements to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "requirementRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the requirement.", + "enum": [ + "conflicts", + "not-applicable", + "not-assessed", + "other", + "partially-satisfies", + "satisfies", + "violates" + ], + "meta:enum": { + "conflicts": "The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.", + "not-applicable": "The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the requirement has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "partially-satisfies": "The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.", + "satisfies": "The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.", + "violates": "The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria." + } + }, + "requirementRefs": { + "type": "array", + "title": "Requirement References", + "description": "A list of BOM references linking to requirement objects defined in the BOM.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "Additional context or clarification regarding the assertion." + } + } + } + } + } + }, + "cyclonedx-risk-2.0": { + "type": "null", + "title": "CycloneDX Risk Model", + "$defs": { + "risks": { + "type": "object", + "title": "Risks", + "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. 
It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. Each risk separates inherent, residual, and target ratings so risk reduction is explicit.", + "additionalProperties": false, + "properties": { + "risks": { + "type": "array", + "title": "Risks", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risk" + }, + "description": "The documented risks identified through risk analysis." }, - "data": { - "title": "Data", - "description": "Outputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "assessments": { + "type": "array", + "title": "Assessments", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" + }, + "description": "Point-in-time risk assessment events, each evaluating one or more of the documented risks." }, - "environmentVars": { - "title": "Environment variables", - "description": "Outputs that have the form of environment variables.", + "riskAppetites": { "type": "array", + "title": "Risk Appetites", + "uniqueItems": true, "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
- } - ] + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAppetite" }, - "uniqueItems": true + "description": "The risk appetites that apply to this collection. Multiple entries support a document covering more than one party." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "resourceReferenceChoice": { - "title": "Resource reference choice", - "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", - "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "riskDomain": { "type": "object", + "required": [ + "type" + ], "additionalProperties": false, "properties": { - "ref": { - "title": "BOM Reference", - "description": "References an object by its bom-ref attribute", - "anyOf": [ + "type": { + "title": "Type", + "description": "The domain or category of risk. Use the custom option for domains specific to an organization's risk taxonomy.", + "oneOf": [ { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + "title": "Predefined Risk Domain", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply-chain", + "technical", + "project", + "ethical", + "societal", + "human-rights", + "health", + "legal" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks.", + "privacy": "Data protection and privacy risks.", + "operational": "Business operations and continuity risks.", + "financial": "Financial loss and economic impact risks.", + "compliance": "Regulatory and legal compliance risks.", + "strategic": "Strategic business and market risks.", + "reputational": "Brand and reputation damage risks.", + "safety": "Human safety and physical security risks.", + "environmental": "Environmental impact and sustainability 
risks.", + "supply-chain": "Supply chain and third-party risks.", + "technical": "Technical and technology risks.", + "project": "Project delivery and execution risks.", + "ethical": "Ethical risks, including the responsible use of automated decision-making and artificial intelligence.", + "societal": "Risks to society, communities, or democratic and civic processes.", + "human-rights": "Risks to fundamental human rights, including discrimination and loss of autonomy.", + "health": "Risks to physical or mental health and wellbeing.", + "legal": "Legal exposure, including liability and contractual risks." + } }, { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + "title": "Custom Risk Domain", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk domain." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk domain." + } + } } ] }, - "externalReference": { - "title": "External reference", - "description": "Reference to an externally accessible resource.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain." } - }, + } + }, + "riskAttribute": { + "title": "Risk Attribute", + "description": "A security or privacy attribute representing a potential impact area when a risk is realized. 
Use the custom option for attributes specific to an organization's risk taxonomy.", "oneOf": [ { - "required": [ - "ref" - ] + "title": "Predefined Risk Attribute", + "type": "string", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data-subject-rights", + "integrity", + "minimization", + "non-repudiation", + "possession", + "privacy", + "purpose-limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorized access to or disclosure of information.", + "connectivity": "Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorized actors.", + "minimization": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": 
"Protecting individuals' personal information in accordance with legal and ethical standards.", + "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } }, { + "title": "Custom Risk Attribute", + "type": "object", "required": [ - "externalReference" - ] + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk attribute." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk attribute." + } + } } ] }, - "condition": { - "title": "Condition", - "description": "A condition that was used to determine a trigger should be activated.", + "risk": { "type": "object", + "required": [ + "bom-ref", + "name", + "statement" + ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "A human-readable name for the risk." + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact." + }, "description": { - "title": "Description", - "description": "Describes the set of conditions which cause the trigger to activate.", - "type": "string" + "type": "string", + "description": "Additional narrative about the risk." }, - "expression": { - "title": "Expression", - "description": "The logical expression that was evaluated that determined the trigger should be fired.", - "type": "string" + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + }, + "description": "The risk domains this risk affects." 
}, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "taskType": { - "type": "string", - "enum": [ - "copy", - "clone", - "lint", - "scan", - "merge", - "build", - "test", - "deliver", - "deploy", - "release", - "clean", - "other" - ], - "meta:enum": { - "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", - "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", - "lint": "A task that checks source code for programmatic and stylistic errors.", - "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.", - "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", - "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", - "test": "A task that verifies the functionality of a component or service.", - "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", - "deploy": "A task that deploys a built artifact for execution on one or more target systems.", - "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", - "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", - "other": "A workflow task that does not match current task type definitions." + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the subjects this risk concerns. 
A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged." + }, + "relatedThreats": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." + }, + "relatedVulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities that inform this risk." + }, + "relatedWeaknesses": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the weaknesses that inform this risk." + }, + "relatedRequirements": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met." + }, + "relatedStandards": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk." 
+ }, + "relatedClaims": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. The degree of conformance is carried by the claim, not by the risk." + }, + "relatedBusinessObjectives": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this risk threatens." + }, + "inherentRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The assessed risk before any responses are applied." + }, + "residualRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The assessed risk remaining after responses are applied." + }, + "targetRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment." + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskResponse" + }, + "description": "The responses applied to this risk." + }, + "status": { + "title": "Status", + "description": "The lifecycle status of the risk. 
Use the custom option for a status specific to an organization's risk process.", + "oneOf": [ + { + "title": "Predefined Risk Status", + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated.", + "assessed": "Risk has been assessed and prioritized.", + "mitigated": "Responses are in place reducing this risk.", + "accepted": "Risk has been formally accepted.", + "transferred": "Risk has been transferred to another party.", + "retired": "Risk no longer applies." + } + }, + { + "title": "Custom Risk Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } } }, - "parameter": { - "title": "Parameter", - "description": "A representation of a functional parameter.", + "rating": { "type": "object", + "title": "Rating", + "description": "A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). 
For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).", "additionalProperties": false, "properties": { - "name": { - "title": "Name", - "description": "The name of the parameter.", - "type": "string" + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" }, - "value": { - "title": "Value", - "description": "The value of the parameter.", - "type": "string" + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" }, - "dataType": { - "title": "Data type", - "description": "The data type of the parameter.", - "type": "string" - } - } - } - } - }, - "cyclonedx-jss_X590_2023_10-2.0": { - "type": "null", - "title": "CycloneDX Model for JSON Signature Scheme (JSS)", - "description": "JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.", - "$defs": { - "timestamp": { - "title": "Timestamp", - "description": "An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z", - "$comment": "Normative source: ITU-T X.590 clause 6.1", - "type": "string", - "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$", - "examples": [ - "2023-10-29T13:56:08Z", - "2023-10-29T13:56:08.000Z", - "2023-11-15T08:30:00.123Z" - ] - }, - "identifier": { - "title": "Identifier", - "description": "A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. 
Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.", - "$comment": "Normative source: ITU-T X.590 clause 6.1", - "type": "string", - "format": "uuid", - "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", - "examples": [ - "f47ac10b-58cc-4372-a567-0e02b2c3d479" - ] - }, - "hashAlgorithm": { - "title": "Hash Algorithm", - "description": "This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "pattern": "^[a-z0-9-]+$", - "examples": [ - "sha-256", - "sha-384", - "sha-512", - "sha3-256", - "sha3-512" - ] - }, - "algorithmVocabulary": { - "title": "Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)", - "description": "NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. 
If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.", - "$comment": "Normative source: ITU-T X.590 clause 6.2.2 and Table 1", - "type": "string", - "enum": [ - "XMSS-SHA2_10_256", - "XMSS-SHA2_16_256", - "XMSS-SHA2_20_256", - "LMS_SHA256_M32_H5", - "LMS_SHA256_M32_H10", - "LMS_SHA256_M32_H15", - "LMS_SHA256_M32_H20", - "LMS_SHA256_M32_H25", - "RS256", - "RS384", - "RS512", - "ES256", - "ES384", - "ES512", - "PS256", - "PS384", - "PS512", - "Ed25519", - "Ed448" - ] - }, - "algorithm": { - "title": "Signing Algorithm", - "description": "This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "anyOf": [ - { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary" + "score": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" }, - { + "detectability": { + "type": "object", + "title": "Detectability", + "additionalProperties": false, + "description": "The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.", + "properties": { + "score": { + "type": "number", + "minimum": 0, + "description": "The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier." + }, + "description": { + "type": "string", + "description": "A narrative explanation of the detectability assessment." 
+ } + } + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. Supports quantitative methods that reason over uncertainty." + }, + "rationale": { "type": "string", - "title": "Other algorithm identifier", - "description": "Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)." + "title": "Rationale", + "description": "The justification for this rating, including the method and the evidence considered." } - ], - "examples": [ - "Ed25519", - "ES256", - "XMSS-SHA2_10_256", - "LMS_SHA256_M32_H5", - "PS512" - ] - }, - "publicKey": { - "title": "Public Key (PEM, header-stripped)", - "description": "This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "pattern": "^[A-Za-z0-9+/]+={0,2}$", - "examples": [ - "MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU=" - ] - }, - "publicCertChain": { - "title": "Public Certificate Chain", - "description": "This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. 
This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "array", - "items": { - "type": "string", - "description": "Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)." - }, - "minItems": 1 - }, - "certUrl": { - "title": "Certificate URL", - "description": "This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. 
The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "format": "uri", - "pattern": "^https://", - "examples": [ - "https://pki.example.com/certs/signing-cert.pem" - ] - }, - "thumbprint": { - "title": "Certificate Thumbprint", - "description": "This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "pattern": "^[A-Za-z0-9_-]{43}$", - "examples": [ - "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" - ] + } }, - "signatureObject": { - "title": "Signature Object", - "description": "A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.", - "$comment": "unevaluatedProperties: true is intentional. ITU-T X.590 clause 6.2 explicitly states that implementers MAY add additional properties to satisfy meta-data requirements for their application. 
The clause 6.3 properties (type, id, related_to, etc.) are themselves defined as non-exhaustive examples of such extensions.", + "likelihood": { "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, "properties": { - "hash_algorithm": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm" - }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm" - }, - "public_key": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey" - }, - "public_cert_chain": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain" - }, - "cert_url": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl" + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", + "enum": [ + "very-low", + "low", + "medium", + "high", + "very-high", + "certain" + ], + "meta:enum": { + "very-low": "Very unlikely to occur (less than 10% probability).", + "low": "Unlikely to occur (10 to 30% probability).", + "medium": "Possible to occur (30 to 60% probability).", + "high": "Likely to occur (60 to 85% probability).", + "very-high": "Very likely to occur (85 to 99% probability).", + "certain": "Almost certain to occur (greater than 99% probability)." + } }, - "thumbprint": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint" + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric likelihood score on the scale defined by the methodology." }, - "value": { - "title": "Signature Value", - "description": "A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. 
In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1", - "type": "string", - "pattern": "^[A-Za-z0-9_-]+={0,2}$" + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal from 0 to 1." }, - "signature": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject", - "title": "Counter-Signature", - "description": "This property enables a signature to be countersigned, meaning a signature can be signed by another signature.", - "$comment": "Normative source: ITU-T X.590 clause 6.2.1" + "frequency": { + "type": "number", + "minimum": 0, + "title": "Frequency", + "description": "The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. Unlike a probability, a frequency may exceed 1." }, - "type": { - "title": "Type Indicator", - "description": "The value of this property MUST be jss.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", + "timeframe": { "type": "string", - "const": "jss" - }, - "id": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier", - "title": "Signature Identifier", - "description": "A value that uniquely identifies the signature. All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1" + "title": "Timeframe", + "description": "The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year." }, - "related_to": { - "title": "Related Object Reference", - "description": "A value that can identify the original JSON object that was signed with this signature. 
If the signature is detached from the original JSON object this property SHOULD be populated.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", - "type": "string" + "range": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange", + "description": "A range for the probability or frequency, supporting quantitative methods that reason over distributions." }, - "related_version": { - "title": "Related Object Version", - "description": "A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", - "type": "string" + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor" + }, + "description": "The factors considered when determining the likelihood level." }, - "created": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp", - "title": "Created Timestamp", - "description": "The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", - "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$" + "rationale": { + "type": "string", + "description": "The justification for the likelihood rating." + } + } + }, + "likelihoodFactor": { + "type": "object", + "title": "Likelihood Factor", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. 
It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.", + "minLength": 1 }, - "modified": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp", - "title": "Modified Timestamp", - "description": "The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. If the created and modified properties are the same, then this is the first version of the signature.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1. Cross-field invariant: 'modified' MUST be greater than or equal to 'created'. JSON Schema 2020-12 cannot compare two sibling property values, so this constraint is NOT enforced by this schema and MUST be validated by the consuming tool or conformance suite.", - "pattern": "^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$" + "type": { + "title": "Type", + "description": "The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "oneOf": [ + { + "title": "Predefined Likelihood Factor Type", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "type": "string", + "enum": [ + "attack-vector", + "contact-frequency", + "control-effectiveness", + "detectability", + "discoverability", + "exploit-maturity", + "exposure", + "motivation", + "opportunity", + "targeting", + "threat-capability", + "vulnerability" + ], + "meta:enum": { + "attack-vector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "contact-frequency": "How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.", + "control-effectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.", + "detectability": "Likelihood that the activity is detected before the risk is realized. Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.", + "discoverability": "Ease with which the weakness or opportunity can be found by a potential actor. 
Aligns with the OWASP Risk Rating ease of discovery factor.", + "exploit-maturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", + "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.", + "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", + "targeting": "Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.", + "threat-capability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." + } + }, + { + "title": "Custom Likelihood Factor Type", + "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the custom likelihood factor type.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment." 
+ } + } + } + ] }, - "revoked": { - "title": "Revoked Flag", - "description": "A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", - "type": "boolean", - "default": false + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", + "enum": [ + "very-low", + "low", + "medium", + "high", + "very-high", + "certain" + ], + "meta:enum": { + "very-low": "This factor has minimal contribution to risk realization (less than 10% influence).", + "low": "This factor has limited contribution to risk realization (10 to 30% influence).", + "medium": "This factor moderately contributes to risk realization (30 to 60% influence).", + "high": "This factor strongly contributes to risk realization (60 to 85% influence).", + "very-high": "This factor very strongly contributes to risk realization (85 to 99% influence).", + "certain": "This factor almost certainly contributes to risk realization (greater than 99% influence)." + } }, - "signee": { - "title": "Signee", - "description": "An unstructured string value for the name of the entity or organization that produced this signature.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1", - "type": "string" + "score": { + "type": "number", + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.", + "minimum": 0 }, - "valid_from": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp", - "title": "Valid From", - "description": "The time from which this signature is considered valid. 
If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1" + "weight": { + "type": "number", + "title": "Weight", + "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.", + "minimum": 0, + "maximum": 1 }, - "valid_until": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp", - "title": "Valid Until", - "description": "The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. If the revoked property is true then this property MUST be ignored.", - "$comment": "Normative source: ITU-T X.590 clause 6.3.1. Cross-field invariant: when 'valid_from' is present, 'valid_until' MUST be greater than 'valid_from'. JSON Schema 2020-12 cannot compare two sibling property values, so this constraint is NOT enforced by this schema and MUST be validated by the consuming tool or conformance suite." + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } - }, + } + }, + "impact": { + "type": "object", "required": [ - "hash_algorithm", - "algorithm", - "value" + "level" ], - "anyOf": [ - { - "required": [ - "public_key" + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "negligible", + "low", + "moderate", + "major", + "catastrophic" ], - "description": "Public key material provided as PEM-encoded public key (header/footer stripped)." + "description": "The qualitative impact severity level.", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences.", + "low": "Minor impact with limited consequences.", + "moderate": "Moderate impact affecting some operations.", + "major": "Significant impact with serious consequences.", + "catastrophic": "Catastrophic impact with existential consequences." + } }, - { - "required": [ - "public_cert_chain" + "polarity": { + "type": "string", + "title": "Polarity", + "description": "Whether the impact represents a harm or a benefit. Benefits support modeling opportunities and positive risk.", + "enum": [ + "harm", + "benefit" ], - "description": "Public key material provided as a base64-encoded DER X.509 certificate chain." + "meta:enum": { + "harm": "A negative impact or downside.", + "benefit": "A positive impact or upside." + } }, - { - "required": [ - "cert_url" - ], - "description": "Public key material provided by reference to a TLS-accessible certificate URI." + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric impact score on the scale defined by the methodology." }, - { - "required": [ - "thumbprint" - ], - "description": "Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint." - } - ], - "unevaluatedProperties": true - }, - "signatures": { - "title": "Signatures Array", - "description": "A JSON array of one or more signature objects. 
MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.", - "$comment": "Normative source: ITU-T X.590 clause 6 – 'The property that holds the signature MUST be a JSON list property and MUST be located at the top-level of the original JSON object.'", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject" - }, - "minItems": 1 - } - } - }, - "cyclonedx-license-2.0": { - "type": "null", - "title": "CycloneDX License Model", - "$defs": { - "licenseChoice": { - "title": "License Choice", - "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", - "type": "array", - "items": { - "oneOf": [ - { - "type": "object", - "title": "License", - "required": [ - "license" - ], - "additionalProperties": false, - "properties": { - "license": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" - } - } + "categories": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactCategory" }, - { - "title": "License Expression", - "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", - "type": "object", - "additionalProperties": false, - "required": [ - "expression" - ], - "properties": { - "expression": { - "type": "string", - "title": "SPDX License Expression", - "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", - "examples": [ - 
"Apache-2.0 AND (MIT OR GPL-2.0-only)",
- "GPL-3.0-only WITH Classpath-exception-2.0"
- ]
- },
- "expressionDetails": {
- "title": "Expression Details",
- "description": "Details for parts of the `expression`.",
- "type": "array",
- "items": {
- "type": "object",
- "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.",
- "required": [
- "licenseIdentifier"
- ],
- "properties": {
- "licenseIdentifier": {
- "title": "License Identifier",
- "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.",
- "type": "string",
- "examples": [
- "Apache-2.0",
- "GPL-3.0-only WITH Classpath-exception-2.0",
- "LicenseRef-my-custom-license"
- ]
- },
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
- },
- "text": {
- "title": "License texts",
- "description": "A way to include the textual content of the license.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
- },
- "url": {
- "type": "string",
- "title": "License URL",
- "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" - } - }, - "additionalProperties": false - } - }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - } - ] + "description": "The categories of impact, including harms relevant to AI and societal risk." + }, + "factors": { + "type": "array", + "title": "Factors", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactFactor" + }, + "description": "The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown." + }, + "range": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange", + "description": "A range for the impact score, supporting quantitative methods that reason over distributions." + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "The risk attributes affected." + }, + "quantification": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "A description of the potential impact." + } } }, - "license": { - "type": "object", - "title": "License", - "description": "Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "impactCategory": { + "title": "Impact Category", + "description": "A category of impact, including harms relevant to AI and societal risk. Use the custom option for categories specific to an organization's risk taxonomy.", "oneOf": [ { - "required": [ - "id" - ] + "title": "Predefined Impact Category", + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic", + "bias", + "discrimination", + "fairness", + "human-rights", + "environmental", + "societal", + "psychological", + "physical", + "health" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality.", + "integrity": "Impact on data or system integrity.", + "availability": "Impact on service availability.", + "financial": "Financial loss or impact.", + "reputation": "Reputational damage.", + "regulatory": "Regulatory compliance impact.", + "safety": "Human safety impact.", + "privacy": "Privacy violation impact.", + "operational": "Operational disruption.", + "strategic": "Strategic business impact.", + "bias": "Systematic bias in automated outputs or decisions.", + "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", + "fairness": "Impact on the fair and equitable treatment of affected groups.", + "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", + "environmental": "Environmental impact, including energy use and carbon emissions.", + "societal": "Impact on society, communities, or civic processes.", + "psychological": "Psychological or emotional harm.", + "physical": "Physical harm to people or property.", + "health": "Impact on physical or mental 
health." + } }, { + "title": "Custom Impact Category", + "type": "object", "required": [ "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom impact category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom impact category." + } + } + } + ] + }, + "impactFactor": { + "type": "object", + "title": "Impact Factor", + "description": "An individual contributing factor used to determine the overall impact of a risk or scenario. Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'." + }, + "category": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactCategory", + "description": "The impact dimension this factor measures." + }, + "score": { + "type": "number", + "minimum": 0, + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact." + }, + "weight": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Weight", + "description": "The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment." 
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "estimateRange": {
+ "type": "object",
+ "title": "Estimate Range",
+ "description": "A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.",
+ "additionalProperties": false,
+ "properties": {
+ "minimum": {
+ "type": "number",
+ "description": "The minimum, or lower bound, estimate."
+ },
+ "mostLikely": {
+ "type": "number",
+ "description": "The most likely estimate."
+ },
+ "maximum": {
+ "type": "number",
+ "description": "The maximum, or upper bound, estimate."
+ }
+ }
+ },
+ "impactQuantification": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "financialLoss": {
+ "type": "number",
+ "description": "The estimated financial loss, in the units given by currency."
+ },
+ "currency": {
+ "type": "string",
+ "pattern": "^[A-Z]{3}$",
+ "description": "The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code."
+ },
+ "affectedUsers": {
+ "type": "integer",
+ "description": "The number of affected users."
+ },
+ "downtime": {
+ "type": "string",
+ "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$",
+ "description": "The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."
+ },
+ "dataRecords": {
+ "type": "integer",
+ "description": "The number of data records affected."
+ },
+ "recovery": {
+ "type": "string",
+ "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$",
+ "description": "The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."
+ },
+ "financialLossRange": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange",
+ "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges."
+ },
+ "affectedGroups": {
+ "type": "integer",
+ "minimum": 0,
+ "description": "The number of distinct groups or populations affected."
+ }
+ }
+ },
+ "riskScore": {
+ "type": "object",
+ "title": "Risk Score",
+ "description": "The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.",
+ "required": [
+ "level"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "level": {
+ "type": "string",
+ "enum": [
+ "info",
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
+ "description": "The overall qualitative risk level.",
+ "meta:enum": {
+ "info": "Informational.",
+ "low": "Low risk.",
+ "medium": "Medium risk.",
+ "high": "High risk.",
+ "critical": "Critical risk."
+ }
+ },
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "description": "Numeric risk score on the scale defined by the methodology."
+ },
+ "vector": {
+ "type": "string",
+ "description": "A textual representation of the metric values used to derive the score, in the format defined by the methodology."
+ },
+ "methodology": {
+ "title": "Methodology",
+ "description": "The risk rating methodology used to derive this score. Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. Use the custom option for methodologies not listed.",
+ "oneOf": [
+ {
+ "title": "Predefined Risk Methodology",
+ "type": "string",
+ "enum": [
+ "dread",
+ "fair",
+ "fmea",
+ "nist-sp-800-30",
+ "octave",
+ "owasp-risk-rating",
+ "qualitative-matrix"
+ ],
+ "meta:enum": {
+ "dread": "[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.",
+ "fair": "[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.",
+ "fmea": "[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.",
+ "nist-sp-800-30": "[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.",
+ "octave": "[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.",
+ "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.",
+ "qualitative-matrix": "A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25."
+ } + }, + { + "title": "Custom Risk Methodology", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk methodology." + } + } + } ] } + } + }, + "riskResponse": { + "type": "object", + "title": "Risk Response", + "description": "An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.", + "required": [ + "bom-ref", + "strategy" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link." }, - "id": { - "$ref": "../spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license identifier. 
If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", - "examples": [ - "Apache-2.0" - ] + "strategy": { + "type": "string", + "title": "Strategy", + "description": "The disposition chosen for the risk.", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "exploit", + "enhance" + ], + "meta:enum": { + "avoid": "Eliminate the risk by removing its source or not proceeding with the activity.", + "reduce": "Lower the likelihood or impact of the risk through controls.", + "transfer": "Shift the risk to another party, for example through insurance or contract.", + "accept": "Take no further action and retain the risk.", + "exploit": "Pursue an opportunity so that a positive risk occurs.", + "enhance": "Increase the likelihood or benefit of a positive risk." + } }, - "name": { + "description": { "type": "string", - "title": "License Name", - "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", - "examples": [ - "Acme Software License" - ] + "title": "Description", + "description": "A description of the response." }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + "controls": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that implement this response." 
}, - "text": { - "title": "License text", - "description": "A way to include the textual content of a license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "status": { + "title": "Status", + "description": "The implementation status of the response.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/implementationStatus" }, - "url": { + "effectiveness": { + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/effectiveness" + }, + "cost": { "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" + "title": "Cost", + "enum": [ + "trivial", + "low", + "medium", + "high", + "extreme" ], - "format": "iri-reference" + "meta:enum": { + "trivial": "Minimal cost and effort.", + "low": "Low cost and effort.", + "medium": "Moderate cost and effort.", + "high": "High cost and significant effort.", + "extreme": "Extreme cost and major effort." + } }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for this response. May be an inline party object or a reference to a previously declared party." + }, + "targetDate": { + "type": "string", + "format": "date-time", + "title": "Target Date", + "description": "The date by which this response is targeted to be implemented." + }, + "addresses": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk." 
+ }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "licenseAcknowledgementEnumeration": { - "title": "License Acknowledgement", - "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", - "type": "string", - "enum": [ - "declared", - "concluded" - ], - "meta:enum": { - "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", - "concluded": "Concluded licenses are verified and confirmed." 
- } - }, - "licensing": { + "assessment": { "type": "object", - "title": "Licensing information", - "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "required": [ + "bom-ref", + "type", + "cadence", + "timestamp" + ], "additionalProperties": false, "properties": { - "altIds": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "A human-readable name for the assessment." + }, + "type": { "type": "array", - "title": "Alternate License Identifiers", - "description": "License identifiers that may be used to manage licenses and their lifecycle", + "title": "Type", + "minItems": 1, + "uniqueItems": true, + "description": "The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. 
Use the custom option for kinds specific to an organization's process.", "items": { - "type": "string" + "oneOf": [ + { + "title": "Predefined Assessment Type", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "safety", + "financial", + "environmental", + "supply-chain", + "compliance", + "data-protection-impact", + "fundamental-rights-impact", + "ai-impact", + "business-impact", + "third-party", + "threat", + "vulnerability", + "model-risk", + "fraud" + ], + "meta:enum": { + "security": "Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.", + "privacy": "Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.", + "operational": "Operational risk assessment, evaluating risks to ongoing operations and continuity.", + "safety": "Safety risk assessment, evaluating risks of harm to people or property.", + "financial": "Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.", + "environmental": "Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.", + "supply-chain": "Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).", + "compliance": "Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.", + "data-protection-impact": "Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).", + "fundamental-rights-impact": "Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain 
high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).",
+ "ai-impact": "Artificial intelligence impact assessment, evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).",
+ "business-impact": "Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.",
+ "third-party": "Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.",
+ "threat": "Threat assessment, evaluating the threats and threat actors relevant to a subject.",
+ "vulnerability": "Vulnerability assessment, evaluating weaknesses that could be exploited.",
+ "model-risk": "Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.",
+ "fraud": "Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that detect or prevent it."
+ }
+ },
+ {
+ "title": "Custom Assessment Type",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom assessment type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom assessment type."
+ } + } + } + ] } }, - "licensor": { - "title": "Licensor", - "description": "The individual or organization that grants a license to another individual or organization", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensor (Organization)", - "description": "The organization that granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensor (Individual)", - "description": "The individual, not associated with an organization, that granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, + "cadence": { + "title": "Cadence", + "description": "The temporal cadence or occasion on which the assessment is performed. Use the custom option for patterns specific to an organization's process.", "oneOf": [ { - "required": [ - "organization" - ] + "title": "Predefined Assessment Cadence", + "type": "string", + "enum": [ + "initial", + "periodic", + "continuous", + "triggered", + "ad-hoc" + ], + "meta:enum": { + "initial": "Initial, baseline assessment performed once at the outset.", + "periodic": "Scheduled, recurring assessment.", + "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.", + "triggered": "Assessment triggered by a specific event, such as a change or an incident.", + "ad-hoc": "Unplanned, one-off assessment, neither scheduled nor triggered by a defined event." + } }, { + "title": "Custom Assessment Cadence", + "type": "object", "required": [ - "individual" - ] + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assessment cadence." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assessment cadence." 
+ } + } } ] }, - "licensee": { - "title": "Licensee", - "description": "The individual or organization for which a license was granted to", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensee (Organization)", - "description": "The organization that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensee (Individual)", - "description": "The individual, not associated with an organization, that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } - ] + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed." }, - "purchaser": { - "title": "Purchaser", - "description": "The individual or organization that purchased the license", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Purchaser (Organization)", - "description": "The organization that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Purchaser (Individual)", - "description": "The individual, not associated with an organization, that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, + "scope": { + "type": "string", + "title": "Scope", + "description": "The scope of the assessment, including the systems, boundaries, and what is in or out of scope." + }, + "status": { + "title": "Status", + "description": "The lifecycle status of the assessment. 
Use the custom option for a status specific to an organization's process.", "oneOf": [ { - "required": [ - "organization" - ] + "title": "Predefined Assessment Status", + "type": "string", + "enum": [ + "draft", + "in-progress", + "completed", + "approved", + "superseded" + ], + "meta:enum": { + "draft": "The assessment is being prepared.", + "in-progress": "The assessment is underway.", + "completed": "The assessment is finished.", + "approved": "The assessment has been reviewed and approved.", + "superseded": "The assessment has been replaced by a later one." + } }, { + "title": "Custom Assessment Status", + "type": "object", "required": [ - "individual" - ] + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } } ] }, - "purchaseOrder": { - "type": "string", - "title": "Purchase Order", - "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" - }, - "licenseTypes": { + "assessors": { "type": "array", - "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", + "title": "Assessors", "items": { - "type": "string", - "enum": [ - "academic", - "appliance", - "client-access", - "concurrent-user", - "core-points", - "custom-metric", - "device", - "evaluation", - "named-user", - "node-locked", - "oem", - "perpetual", - "processor-points", - "subscription", - "user", - "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server 
software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." - } - } - }, - "lastRenewal": { - "type": "string", - "format": "date-time", - "title": "Last Renewal", - "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + }, + "description": "The parties that performed the assessment. 
Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`." }, - "expiration": { - "type": "string", - "format": "date-time", - "title": "Expiration", - "description": "The timestamp indicating when the current license expires (if applicable)." - } - } - } - } - }, - "cyclonedx-metadata-2.0": { - "type": "null", - "title": "CycloneDX Metadata Model", - "$defs": { - "metadata": { - "type": "object", - "title": "BOM Metadata", - "description": "Provides additional information about a BOM.", - "additionalProperties": false, - "properties": { - "timestamp": { + "summary": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the BOM was created." + "description": "An executive summary of the assessment." }, - "lifecycles": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to risk entries evaluated in this assessment." }, - "tools": { + "overallRisk": { "type": "object", - "title": "Tools", - "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "required": [ + "method", + "score" + ], "additionalProperties": false, "properties": { - "components": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components", - "description": "A list of software and hardware components used as tools." + "method": { + "title": "Method", + "description": "The aggregation method used to derive the overall risk from the assessed risks. 
Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR.", + "oneOf": [ + { + "title": "Predefined Aggregation Method", + "type": "string", + "enum": [ + "maximum", + "sum", + "average", + "weighted-average" + ], + "meta:enum": { + "maximum": "The overall risk equals the highest individual risk.", + "sum": "The overall risk is the sum of the individual risks, representing total exposure.", + "average": "The overall risk is the mean of the individual risks.", + "weighted-average": "The overall risk is a weighted mean of the individual risks." + } + }, + { + "title": "Custom Aggregation Method", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom aggregation method." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom aggregation method." + } + } + } + ] }, - "services": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services", - "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + "score": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "An optional explanation for custom aggregation approaches." } - } - }, - "manufacturer": { - "title": "BOM Manufacturer", - "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "description": "The aggregated risk result for this assessment." 
}, - "authors": { + "assumptions": { "type": "array", - "title": "BOM Authors", - "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", + "title": "Assumptions", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "type": "string" + }, + "description": "The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change." }, - "component": { - "description": "The component that the BOM describes.", - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + "recommendations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Recommendations from the assessment." }, - "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur." }, - "licenses": { - "title": "BOM License(s)", - "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice" + "riskAppetites": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this assessment." 
}, - "distributionConstraints": { - "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints" + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "distributionConstraints": { - "title": "Distribution Constraints", - "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", - "type": "object", - "properties": { - "tlp": { - "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification", - "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." - } + "priority": { + "type": "string", + "enum": [ + "none", + "low", + "medium", + "high", + "critical" + ], + "description": "Priority level.", + "meta:enum": { + "none": "No priority.", + "low": "Low priority.", + "medium": "Medium priority.", + "high": "High priority.", + "critical": "Critical priority." } }, - "tlpClassification": { - "title": "Traffic Light Protocol (TLP) Classification", - "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "criticality": { "type": "string", - "default": "CLEAR", "enum": [ - "CLEAR", - "GREEN", - "AMBER", - "AMBER_AND_STRICT", - "RED" + "minimal", + "low", + "moderate", + "high", + "critical" ], + "description": "Business criticality level.", "meta:enum": { - "CLEAR": "The information is not subject to any restrictions as regards the sharing.", - "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", - "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", - "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", - "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." + "minimal": "Minimal impact on business operations.", + "low": "Low impact with minor inconvenience.", + "moderate": "Moderate impact affecting some operations.", + "high": "High impact affecting critical operations.", + "critical": "Critical impact with severe business consequences." 
+ } + }, + "appetiteLevel": { + "type": "string", + "description": "A qualitative risk appetite level, ranging from risk-averse to risk-seeking.", + "enum": [ + "averse", + "minimal", + "cautious", + "open", + "hungry" + ], + "meta:enum": { + "averse": "Avoidance of risk is the priority, and only the lowest-risk options are acceptable.", + "minimal": "A preference for very low risk, accepting risk only where it is unavoidable.", + "cautious": "A preference for safe options, accepting limited and well-understood risk for reward.", + "open": "A willingness to accept higher risk where the potential reward justifies it.", + "hungry": "An active willingness to seek risk in pursuit of greater reward, within defined control limits." + } + }, + "riskAppetite": { + "type": "object", + "title": "Risk Appetite", + "description": "The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment." + }, + "party": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. May be an inline party object or a reference to a previously declared party." 
+ }, + "level": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel", + "description": "The overall risk appetite level." + }, + "statement": { + "type": "string", + "title": "Statement", + "description": "A narrative statement of the overall risk appetite, including any qualifications or context." + }, + "rationale": { + "type": "string", + "description": "The justification for this appetite, such as the strategic objective or regulatory obligation that informs it." + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for setting and approving this appetite, such as a board or risk committee. May be an inline party object or a reference to a previously declared party." + }, + "horizon": { + "type": "string", + "description": "The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year." + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape." + }, + "categories": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "domain", + "level" + ], + "additionalProperties": false, + "properties": { + "domain": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain", + "description": "The risk domain this appetite entry applies to." + }, + "level": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel", + "description": "The appetite level for this risk domain." + }, + "statement": { + "type": "string", + "description": "A narrative statement of the appetite for this risk domain." + }, + "rationale": { + "type": "string", + "description": "The justification for the appetite for this risk domain." 
+ } + } + }, + "description": "Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial." + } } } } }, - "cyclonedx-party-2.0": { + "cyclonedx-service-2.0": { "type": "null", - "title": "CycloneDX Party Model", + "title": "CycloneDX Service Model", "$defs": { - "party": { + "services": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services" + }, + "service": { "type": "object", - "title": "Party", - "description": "Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. Optional sub-objects layer inter-party relationships and standard extension data.", + "title": "Service", "required": [ - "roles" + "name" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "roles": { + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. 
This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": [ + "com.acme" + ] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", + "examples": [ + "ticker-service" + ] + }, + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Service Version", + "description": "The service version." + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { "type": "array", - "minItems": 1, - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/role" + "type": "string", + "format": "iri-reference" }, - "title": "Roles", - "description": "One or more roles the party fulfils. Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)." + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": [ + "https://example.com/api/v1/ticker" + ] }, - "organization": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/organization", - "description": "Identity attributes valid when the party is an organization, company, government body, or other collective." + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." }, - "person": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/person", - "description": "Identity attributes valid when the party is an individual person." 
+ "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." }, - "system": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/system", - "title": "System", - "description": "Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent." + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." }, - "persona": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/persona", - "title": "Persona", - "description": "Identity attributes valid when the party is an abstract archetype rather than a specific named instance." + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + }, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." }, - "relations": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyRelations", - "title": "Relations", - "description": "Links from this party to other parties." 
+ "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "Service License(s)" }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags" + "patentAssertions": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", + "title": "Service Patent(s)" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "services": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "person" - ] - }, - { - "required": [ - "system" - ] + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" }, - { - "required": [ - "persona" - ] + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" } - ] - }, - "parties": { - "type": "array", - "title": "Parties", - "description": "Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.", - "items": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" } }, - "partyChoice": { - "title": "Party Choice", - "description": "A party represented either as a complete object or as a reference to a previously declared party.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/party" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "A refLinkType pointing to a previously declared party." - } - ] - }, - "role": { - "title": "Role", - "description": "A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole" - }, - { - "title": "Custom Role", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The name of the custom role.", - "examples": [ - "Chief Executive Officer", - "Data Protection Officer", - "Release Manager" - ] - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom role, including its responsibilities and scope." - }, - "order": { - "type": "integer", - "minimum": 1, - "title": "Order", - "description": "Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked." 
- } - } - } - ] - }, - "preDefinedRole": { - "title": "Pre-Defined Role", + "serviceData": { "type": "object", + "title": "Hash Objects", "required": [ - "role" + "flow", + "classification" ], "additionalProperties": false, "properties": { - "role": { + "flow": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "name": { "type": "string", - "title": "Role", - "description": "A predefined role from the CycloneDX role taxonomy.", - "enum": [ - "agent", - "assembler", - "asserter", - "attacker", - "auditor", - "author", - "broker", - "carrier", - "certificate-authority", - "committer", - "competitor", - "consignee", - "consignor", - "contributor", - "customer", - "custodian", - "customs-broker", - "data-controller", - "data-processor", - "data-recipient", - "data-subject", - "delegate", - "developer", - "distributor", - "end-user", - "engineer", - "exporter", - "freight-forwarder", - "holder", - "importer", - "insider-threat", - "inspector", - "insurer", - "integrator", - "issuer", - "key-escrow-agent", - "legal-contact", - "licensee", - "licensor", - "maintainer", - "manufacturer", - "operator", - "owner", - "packager", - "partner", - "principal", - "publisher", - "purchaser", - "quality-control", - "regulator", - "relying-party", - "repackager", - "researcher", - "reviewer", - "security-contact", - "signatory", - "steward", - "subject", - "supplier", - "support-contact", - "third-party-logistics", - "timestamp-authority", - "validation-authority", - "verifier", - "warehouse-operator" - ], - "meta:enum": { - "agent": "Software or 
AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.", - "assembler": "The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.", - "asserter": "The party making assertions about the subject, such as patent ownership or compliance claims.", - "attacker": "A hostile party targeting the subject.", - "auditor": "The party that conducted an audit or assessment of the subject.", - "author": "The party that created the subject. Common when the subject is created through manual processes.", - "broker": "The party that acts as an intermediary in commercial transactions.", - "carrier": "The party that physically transports goods, such as shipping lines, airlines, or trucking companies.", - "certificate-authority": "The party that issues, signs, and manages digital certificates within a public key infrastructure.", - "committer": "The party who committed or pushed changes to a version control system.", - "competitor": "A competing party in the same market or domain as the subject's organization.", - "consignee": "The party designated to receive a shipment of goods.", - "consignor": "The party that sends or ships goods to a consignee.", - "contributor": "A party that contributed to the development of the subject without being the primary author.", - "customer": "Customer of the organization that owns the subject.", - "custodian": "The party responsible for the safe custody, transport, and storage of the subject.", - "customs-broker": "The party that facilitates the clearance of goods through customs barriers.", - "data-controller": "The party that determines the purposes and means of processing personal data.", - "data-processor": "The party that processes personal data on behalf of a data controller.", - "data-recipient": "The party to which personal data is disclosed.", - "data-subject": "The natural person whose personal data is processed.", - "delegate": "A 
party exercising authority on behalf of another party identified via relations.delegatedBy.", - "developer": "Software developer or platform engineer.", - "distributor": "The party that distributes the subject to downstream consumers or customers.", - "end-user": "The end user of a system, service, or product.", - "engineer": "Engineer responsible for designing, implementing, or operating a system.", - "exporter": "The party that sends goods to another country for trade or sale.", - "freight-forwarder": "The party that arranges the shipment and logistics of goods on behalf of shippers.", - "holder": "The party that holds a verifiable credential, claim, or asset.", - "importer": "The party that brings goods into a country from abroad for trade or sale.", - "insider-threat": "A hostile or negligent party with legitimate access.", - "inspector": "The party that inspects goods for quality, safety, or regulatory compliance.", - "insurer": "The party that provides insurance coverage.", - "integrator": "The party that integrates the subject into a larger system or product.", - "issuer": "The party that issues a credential, claim, identifier, or asset.", - "key-escrow-agent": "The party that holds copies of cryptographic keys in escrow.", - "legal-contact": "The designated party to contact for legal matters.", - "licensee": "The party to which a license for the subject has been granted.", - "licensor": "The party that grants a license for the subject.", - "maintainer": "The party responsible for ongoing maintenance, including updates, patches, and security fixes.", - "manufacturer": "The party that manufactured or produced the subject. 
Common when the subject is produced through automated processes.", - "operator": "The party responsible for operating or running the subject in a production environment.", - "owner": "The party that holds ownership rights over the subject.", - "packager": "The party that packages goods for storage, shipment, or retail sale.", - "partner": "Business partner with a defined relationship.", - "principal": "The party on whose behalf another party acts, paired with delegate.", - "publisher": "The party that published the subject, making it available for consumption.", - "purchaser": "The party that purchased the subject or a license for its use.", - "quality-control": "The party responsible for quality control activities, including inspection, testing, and verification.", - "regulator": "Government or industry regulator with administrative authority over the subject.", - "relying-party": "The party that relies on credentials, claims, or attestations issued by another party.", - "repackager": "The party that repackages the subject, potentially combining it with other components.", - "researcher": "Security researcher, bug bounty hunter, or academic conducting authorized study.", - "reviewer": "The party that reviewed the subject or its associated evidence.", - "security-contact": "The designated party to contact in the event of a security incident.", - "signatory": "The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.", - "steward": "The party responsible for the content, context, and associated business rules of the subject.", - "subject": "The party to whom an issued credential, claim, or identifier is bound.", - "supplier": "The party that supplied the subject. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "support-contact": "The designated party to contact for technical support.", - "third-party-logistics": "The party that provides outsourced logistics services.", - "timestamp-authority": "The party that issues trusted timestamps.", - "validation-authority": "The party that provides certificate validation services.", - "verifier": "The party that verifies credentials, claims, or attestations.", - "warehouse-operator": "The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre." - } + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] }, - "order": { - "type": "integer", - "minimum": 1, - "title": "Order", - "description": "Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.", + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", "examples": [ - 1, - 2, - 3 + "Credit card information being exchanged in between the web app and the database" ] + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" } } + } + } + }, + "cyclonedx-standard-2.0": { + "type": "null", + "title": "CycloneDX Standard Model", + "$defs": { + "standards": { + "type": "array", + "title": "Standards", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" + } }, - "organization": { + "standard": { "type": "object", - "title": "Organization Identity", - "description": "Identity attributes for a party that is an organization, company, government body, or other collective.", + "title": "Standard", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, "name": { "type": "string", "title": "Name", - "description": "The common display or trading name of the organization. Use when the registered legal name is unknown or when the everyday name differs from the legal one.", - "examples": [ - "Acme", - "Globex" - ] + "description": "The name of the standard. This will often be a shortened, single name of the standard." 
}, - "legalName": { + "version": { "type": "string", - "title": "Legal Name", - "description": "The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.", - "examples": [ - "Acme Microcontrollers S.r.l.", - "Acme Holdings, Inc." - ] + "title": "Version", + "description": "The version of the standard." }, "description": { "type": "string", "title": "Description", - "description": "A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level." + "description": "The description of the standard." }, - "logo": { + "owner": { "type": "string", - "format": "iri-reference", - "title": "Logo", - "description": "URL to an image representing the organization. Useful for catalog, datasheet, and user interface views." + "title": "Owner", + "description": "The owner of the standard, often the entity responsible for its release." }, - "foundingDate": { - "type": "string", - "format": "date", - "title": "Founding Date", - "description": "The date the organization was founded. Supports supplier due diligence and age-of-organization signals." 
+ "requirements": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" }, - "dissolutionDate": { + "levels": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signatures": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + } + } + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirements comprising the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" + } + }, + "requirement": { + "type": "object", + "title": "Requirement", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "identifier": { "type": "string", - "format": "date", - "title": "Dissolution Date", - "description": "The date the organization was dissolved or wound down. When present, the organization is no longer active." + "title": "Identifier", + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." }, - "jurisdiction": { + "title": { "type": "string", - "title": "Jurisdiction", - "description": "Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.", - "examples": [ - "US-DE", - "IT-BO", - "CHE" - ] + "title": "Title", + "description": "The title of the requirement." }, - "identifiers": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/identifier" - }, - "title": "Identifiers", - "description": "Identifiers issued to or associated with the organization. 
May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities." + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement." }, - "formerNames": { + "descriptions": { "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", "items": { "type": "string" - }, - "title": "Former Names", - "description": "Prior names of the organization. Use when the entity has been renamed, merged, or acquired. Distinct from `aliases`, which captures concurrent alternate designations.", - "examples": [ - [ - "Atmel Corporation" - ] - ] + } }, - "aliases": { + "openCre": { "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", "items": { - "type": "string" - }, - "uniqueItems": true, - "title": "Aliases", - "description": "Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.", - "examples": [ - [ - "Fancy Bear", - "STRONTIUM", - "Sofacy", - "Sednit", - "Pawn Storm" + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ + "CRE:764-507" ] - ] - }, - "url": { - "type": "array", - "title": "URLs", - "description": "URLs associated with the organization. 
Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.", - "items": { - "type": "object", - "required": [ - "url" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.", - "examples": [ - "homepage", - "support", - "press", - "status", - "repository" - ] - }, - "url": { - "type": "string", - "format": "iri-reference", - "title": "URL" - } - } } }, - "addresses": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/postalAddress" - }, - "title": "Addresses", - "description": "Physical addresses associated with the organization." + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Parent BOM Reference", + "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } } }, - "person": { - "type": "object", - "title": "Person Identity", - "description": "Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.", + "levels": { + "type": "array", + "title": "Levels", + "description": "The list of levels associated with the standard. 
Some standards have different levels of compliance.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" + } + }, + "level": { + "type": "object", + "title": "Level", "additionalProperties": false, "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The person's full name as they wish to be known. A single freeform string. No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.", - "examples": [ - "Ada Lovelace", - "Suharto", - "Maria del Carmen García López", - "Nguyá»…n Văn An" - ] - }, - "sortName": { - "type": "string", - "title": "Sort Name", - "description": "Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.", - "examples": [ - "Lovelace, Ada", - "García López, Maria del Carmen" - ] - }, - "honorificPrefix": { - "type": "string", - "title": "Honorific Prefix", - "description": "Honorific or title preceding the name, used in forms of address. Distinct from the name itself.", - "examples": [ - "Dr.", - "Prof." - ] + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, - "honorificSuffix": { + "identifier": { "type": "string", - "title": "Honorific Suffix", - "description": "Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.", - "examples": [ - "PhD", - "Esq." - ] + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level." }, - "jobTitle": { + "title": { "type": "string", - "title": "Job Title", - "description": "The person's job title. 
Useful for credit lines and attribution.", - "examples": [ - "Chief Information Security Officer", - "Data Protection Officer", - "Senior Software Engineer" - ] + "title": "Title", + "description": "The title of the level." }, "description": { "type": "string", "title": "Description", - "description": "A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level." + "description": "The description of the level." }, - "email": { + "requirements": { "type": "array", - "title": "Email", - "description": "Email addresses associated with the person. Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.", + "title": "Requirements", + "description": "The list of requirement `bom-ref`s that comprise the level.", "items": { - "type": "object", - "required": [ - "address" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "Label describing the email, such as `work`, `personal`, `support`, or `security`.", - "examples": [ - "work", - "personal", - "support", - "security" - ] - }, - "address": { - "type": "string", - "format": "idn-email", - "title": "Address" - } - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" } + } + } + } + } + }, + "cyclonedx-threat-2.0": { + "type": "null", + "title": "CycloneDX Threat Model", + "$defs": { + "threats": { + "type": "object", + "title": "Threats", + "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.", + "additionalProperties": false, + "properties": { + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threat" + }, + "description": "The documented 
threats. Each describes what can go wrong, independent of any specific actor or occurrence." }, - "phone": { + "scenarios": { "type": "array", - "title": "Phone", - "description": "Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. Numbers should be expressed in E.164 form where possible.", + "title": "Scenarios", + "uniqueItems": true, "items": { - "type": "object", - "required": [ - "number" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.", - "examples": [ - "office", - "mobile", - "fax", - "pager" - ] - }, - "number": { - "type": "string", - "title": "Number", - "examples": [ - "+1-555-0100", - "+44 20 7946 0958" - ] - } - } - } + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario" + }, + "description": "The threat scenarios, each realizing one or more documented threats in a specific way." }, - "url": { + "attackPatterns": { "type": "array", - "title": "URLs", - "description": "URLs associated with the person. Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.", + "title": "Attack Patterns", + "uniqueItems": true, "items": { - "type": "object", - "required": [ - "url" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.", - "examples": [ - "homepage", - "github", - "linkedin", - "orcid" - ] - }, - "url": { - "type": "string", - "format": "iri-reference", - "title": "URL" - } - } - } + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPattern" + }, + "description": "A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference." 
}, - "address": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/postalAddress", - "title": "Address" + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackTree" + }, + "description": "Attack trees that decompose attacker goals into sub-goals and techniques." }, - "affiliation": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Affiliation", - "description": "Reference using bom-link or bom-ref to an organization party with which the person is affiliated." - } - } - }, - "system": { - "type": "object", - "title": "System Identity", - "description": "Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.", - "additionalProperties": false, - "properties": { - "kind": { - "title": "Kind", - "description": "The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.", - "oneOf": [ - { - "title": "Pre-Defined Kind", - "type": "string", - "enum": [ - "software-system", - "hardware-system", - "service-account", - "machine-identity", - "automation", - "agent", - "bot", - "oracle", - "smart-contract", - "device", - "robot" - ], - "meta:enum": { - "software-system": "Application, service, or platform that performs actions as itself.", - "hardware-system": "Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.", - "service-account": "Non-human identity used by automation to authenticate.", - "machine-identity": "Cryptographic identity such as a certificate principal or workload identity.", - "automation": "Pipeline, job, or scheduled task that performs actions deterministically.", - "agent": "Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.", - "bot": "Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.", - "oracle": "External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.", - "smart-contract": "On-chain program that executes deterministically.", - "device": "Physical end user device such as a phone or IoT device acting as a party in its own right.", - "robot": "Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`." - } - }, - { - "title": "Custom Kind", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The name of the custom kind." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom kind." - } - } - } - ] + "attackPaths": { + "type": "array", + "title": "Attack Paths", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPath" + }, + "description": "Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement." }, - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "Reference to any bom-ref'd object that represents this system. 
The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). Use to associate the party with its concrete representation declared elsewhere." + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that describe how the system can be exercised by an adversary." }, - "identifiers": { + "trustBoundaries": { "type": "array", + "title": "Trust Boundaries", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-party-2.0/$defs/identifier" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/trustBoundary" }, - "title": "Identifiers", - "description": "Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial." + "description": "The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics." }, - "permissions": { + "methodologies": { "type": "array", + "title": "Methodologies", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/methodology" }, - "uniqueItems": true, - "title": "Permissions", - "description": "Capabilities or duties the system possesses." + "description": "The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack trees." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "persona": { - "type": "object", - "title": "Persona Identity", - "description": "Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. 
When the specific instance is known (for example a tracked APT group), use `organization` instead.", - "additionalProperties": false, - "properties": { - "description": { - "type": "string", - "title": "Description", - "description": "Free-text description of the persona instance. Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.", - "examples": [ - "Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review." - ] - }, - "archetype": { - "title": "Archetype", - "description": "The persona archetype. May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.", - "oneOf": [ - { - "title": "Pre-Defined Archetype", - "type": "string", - "enum": [ - "end-user", - "power-user", - "administrator", - "developer", - "operator", - "internal", - "external", - "anonymous", - "guest", - "customer", - "partner", - "supplier", - "vendor", - "contractor", - "third-party", - "auditor", - "researcher", - "regulator", - "law-enforcement", - "attacker", - "insider-threat", - "hacktivist", - "nation-state", - "organized-crime", - "competitor", - "public" - ], - "meta:enum": { - "end-user": "Typical end user of the system.", - "power-user": "Advanced user with higher than average privileges.", - "administrator": "Administrative or privileged user.", - "developer": "Application developer or platform engineer.", - "operator": "Operational staff running the system.", - "internal": "Generic internal party.", - "external": "Generic external party without an account or operational relationship.", - "anonymous": "Unauthenticated visitor interacting with the system.", - "guest": "Semi-authenticated user with restricted privileges.", - "customer": "Customer of the organization that owns the subject.", - "partner": 
"Business partner with a defined relationship.", - "supplier": "Generic supplier providing goods or services on a transactional basis.", - "vendor": "Vendor delivering and operating goods or services with operational access to the subject.", - "contractor": "Third party with operational access under contract.", - "third-party": "Generic third party that does not fit partner, supplier, vendor, or contractor.", - "auditor": "External auditor or assessor.", - "researcher": "Security researcher, bug bounty hunter, or academic. Authorized probing party.", - "regulator": "Government or industry regulator with administrative authority over the subject.", - "law-enforcement": "Law enforcement entity with investigative authority.", - "attacker": "Generic hostile external party.", - "insider-threat": "Hostile or negligent party with legitimate access.", - "hacktivist": "Hostile party motivated by ideology or activism.", - "nation-state": "Hostile party sponsored or directed by a national government.", - "organized-crime": "Hostile party operating as part of an organized criminal enterprise.", - "competitor": "Generic competitor.", - "public": "General public not in direct interaction with the subject." - } - }, - { - "title": "Custom Archetype", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name" - }, - "description": { - "type": "string", - "title": "Description" - } - } - } - ] - }, - "scope": { + "methodology": { + "title": "Threat Modeling Methodology", + "description": "A threat modeling methodology applied to produce this threat model. 
Use the custom option for methodologies not covered by the enumeration.", + "oneOf": [ + { "type": "string", - "title": "Scope", + "title": "Predefined Threat Modeling Methodology", "enum": [ - "internal", - "external", - "mixed" + "STRIDE", + "LINDDUN", + "PASTA", + "MAESTRO", + "OWASP", + "TRIKE", + "VAST", + "ATFAA", + "attack-tree" ], "meta:enum": { - "internal": "Persona is internal to the organization that owns the subject.", - "external": "Persona is external to the organization that owns the subject.", - "mixed": "Persona may appear in either internal or external contexts." + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.", + "PASTA": "Process for Attack Simulation and Threat Analysis.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.", + "OWASP": "OWASP threat modelling methodology.", + "TRIKE": "Risk-based threat modelling methodology.", + "VAST": "Visual, Agile, and Simple Threat modelling.", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.", + "attack-tree": "Attack tree methodology, decomposing attacker goals into sub-goals and techniques." } }, - "permissions": { - "type": "array", - "items": { - "type": "string" - }, - "uniqueItems": true, - "title": "Permissions", - "description": "Capabilities the persona is assumed to hold." 
- }, - "assumedPosture": { - "type": "string", - "title": "Assumed Security Posture", - "description": "Assumed security posture of the persona in this context.", - "examples": [ - "authenticated", - "unauthenticated", - "authorized", - "privileged" - ] + { + "type": "object", + "title": "Custom Threat Modeling Methodology", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom threat modeling methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom threat modeling methodology." + } + } } - } + ] }, - "partyRelations": { + "threat": { "type": "object", - "title": "Party Relations", - "description": "Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.", + "title": "Threat", + "description": "A documented threat, describing what can go wrong independent of any specific actor or occurrence. A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.", "additionalProperties": false, - "properties": { - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Parent", - "description": "Reference to a parent party. Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships." - }, - "delegatedBy": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Delegated By", - "description": "Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role." 
- } - } - }, - "identifier": { - "type": "object", - "title": "Identifier", - "description": "An identifier issued by a recognized authority. Includes legal and registration identifiers as well as machine and workload identities.", "required": [ - "scheme", - "value" + "bom-ref", + "name" ], - "additionalProperties": false, "properties": { - "scheme": { - "title": "Scheme", - "description": "The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.", + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the threat." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the threat." + }, + "source": { + "type": "string", + "title": "Source", + "description": "The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity." + }, + "origin": { + "title": "Origin", + "description": "The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). 
Use the custom option for an origin not covered by the enumeration.", "oneOf": [ - { - "title": "Pre-Defined Scheme", - "type": "string", - "enum": [ - "lei", - "duns", - "ncage", - "cage", - "eori", - "vat", - "gst", - "ein", - "tin", - "ruc", - "bvd", - "swift-bic", - "sec-cik", - "isin", - "figi", - "opencorporates", - "gln", - "gtin", - "iso6523", - "ofac-sdn", - "un-lm", - "oidc-sub", - "spiffe", - "did", - "vc-id" - ], - "meta:enum": { - "lei": "Legal Entity Identifier per ISO 17442.", - "duns": "Dun and Bradstreet D-U-N-S Number.", - "ncage": "NATO Commercial and Government Entity code.", - "cage": "United States Commercial and Government Entity code.", - "eori": "Economic Operator Registration and Identification number used in European Union customs.", - "vat": "Value Added Tax registration number.", - "gst": "Goods and Services Tax registration number.", - "ein": "United States Employer Identification Number.", - "tin": "Generic Taxpayer Identification Number.", - "ruc": "Registro Unico de Contribuyentes used in several Latin American countries.", - "bvd": "Bureau van Dijk identifier.", - "swift-bic": "Business Identifier Code per ISO 9362.", - "sec-cik": "United States Securities and Exchange Commission Central Index Key.", - "isin": "International Securities Identification Number per ISO 6166.", - "figi": "Financial Instrument Global Identifier.", - "opencorporates": "OpenCorporates company identifier.", - "gln": "GS1 Global Location Number.", - "gtin": "GS1 Global Trade Item Number when the party is also a registered trade entity.", - "iso6523": "ISO 6523 organization identifier. 
The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.", - "ofac-sdn": "United States Office of Foreign Assets Control Specially Designated Nationals list identifier.", - "un-lm": "United Nations Locode for a specific facility or jurisdiction.", - "oidc-sub": "OpenID Connect subject identifier for a machine or service identity.", - "spiffe": "SPIFFE ID for a workload identity.", - "did": "W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.", - "vc-id": "W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/." + { + "type": "string", + "title": "Predefined Origin", + "enum": [ + "adversarial", + "accidental", + "structural", + "environmental" + ], + "meta:enum": { + "adversarial": "An adversary acting with intent, such as an individual, group, organization, or nation state.", + "accidental": "An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.", + "structural": "A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.", + "environmental": "A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage." } }, { - "title": "Custom Scheme", "type": "object", + "title": "Custom Origin", "required": [ "name" ], 
@@ -7089,1296 +14147,1653 @@ "name": { "type": "string", "minLength": 1, - "title": "Name" + "title": "Name", + "description": "The name of the custom origin." }, "description": { "type": "string", - "title": "Description" - }, - "url": { - "type": "string", - "format": "iri-reference", - "title": "URL", - "description": "URL of the scheme registry or specification." + "title": "Description", + "description": "A description of the custom origin." } } } ] }, - "schemeVersion": { - "type": "string", - "title": "Scheme Version", - "description": "The version of the scheme that issued this identifier, if applicable." + "categories": { + "type": "array", + "title": "Categories", + "uniqueItems": true, + "description": "The methodology-specific categories that this threat falls under. A threat may be categorized under more than one methodology, for example STRIDE and MAESTRO. The methodology is one of the supported threat-modelling methodologies, and it determines which category values are permitted.", + "items": { + "type": "object", + "title": "Threat Category", + "description": "A threat category. The taxonomy determines the permitted category values.", + "additionalProperties": false, + "required": [ + "taxonomy", + "category" + ], + "properties": { + "taxonomy": { + "type": "string", + "title": "Taxonomy", + "description": "The threat classification taxonomy that the category is drawn from.", + "enum": [ + "STRIDE", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK" + ], + "meta:enum": { + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.", + "MITRE-ATTACK": "The MITRE ATT&CK framework, whose categories are its Enterprise tactics." 
+ } + }, + "category": { + "type": "string", + "minLength": 1, + "title": "Category", + "description": "The category within the taxonomy. The permitted values are determined by the taxonomy." + } + }, + "allOf": [ + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "STRIDE" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "spoofing", + "tampering", + "repudiation", + "information-disclosure", + "denial-of-service", + "elevation-of-privilege" + ], + "meta:enum": { + "spoofing": "Impersonating something or someone, violating authenticity.", + "tampering": "Modifying data or code, violating integrity.", + "repudiation": "Denying having performed an action, violating non-repudiation.", + "information-disclosure": "Exposing information to unauthorized parties, violating confidentiality.", + "denial-of-service": "Denying or degrading service to legitimate users, violating availability.", + "elevation-of-privilege": "Gaining capabilities without proper authorization, violating authorization." + } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "LINDDUN" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "linkability", + "identifiability", + "non-repudiation", + "detectability", + "disclosure-of-information", + "unawareness", + "non-compliance" + ], + "meta:enum": { + "linkability": "Linking data items to learn more about an individual.", + "identifiability": "Identifying an individual from data.", + "non-repudiation": "Being unable to deny a claim, harming plausible deniability.", + "detectability": "Detecting that an item of interest exists.", + "disclosure-of-information": "Revealing personal data, violating confidentiality.", + "unawareness": "Individuals being unaware of the processing of their data.", + "non-compliance": "Deviating from policy, regulation, or best practice." 
+ } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "MAESTRO" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "foundation-models", + "data-operations", + "agent-frameworks", + "deployment-and-infrastructure", + "evaluation-and-observability", + "security-and-compliance", + "agent-ecosystem" + ], + "meta:enum": { + "foundation-models": "Layer 1. The core models that provide the agent's capabilities.", + "data-operations": "Layer 2. Storage, retrieval, and processing of the agent's data.", + "agent-frameworks": "Layer 3. The frameworks and tools that build and run agents.", + "deployment-and-infrastructure": "Layer 4. The infrastructure on which agents are deployed and scaled.", + "evaluation-and-observability": "Layer 5. Evaluation, monitoring, and observability of agent behaviour.", + "security-and-compliance": "Layer 6. The cross-cutting security and compliance controls.", + "agent-ecosystem": "Layer 7. The applications and marketplace where agents deliver value to end-users." + } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "MITRE-ATTACK" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "reconnaissance", + "resource-development", + "initial-access", + "execution", + "persistence", + "privilege-escalation", + "defense-evasion", + "credential-access", + "discovery", + "lateral-movement", + "collection", + "command-and-control", + "exfiltration", + "impact" + ] + } + } + } + } + ] + } }, - "value": { - "type": "string", - "title": "Value", - "description": "The value of the identifier." + "weaknesses": { + "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses", + "description": "The weaknesses, such as CWE classifications, that this threat exploits." 
}, - "issuedDate": { - "type": "string", - "format": "date", - "title": "Issued Date" + "relatedVulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it." }, - "expirationDate": { - "type": "string", - "format": "date", - "title": "Expiration Date" + "attackPatterns": { + "type": "array", + "title": "Attack Patterns", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack patterns by which this threat is carried out." }, - "issuer": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Issuer", - "description": "Reference using bom-link or bom-ref to the party that issued the identifier." + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack trees that decompose this threat." + }, + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the abuse cases that illustrate how this threat can be exercised." + }, + "killChainPhase": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase", + "description": "The phase of the cyber kill chain at which this threat operates." + }, + "behaviors": { + "type": "array", + "title": "Behaviors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy." 
+ }, + "indicators": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators" + }, + "affectedAssets": { + "type": "array", + "title": "Affected Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the kinds of assets this threat affects." + }, + "relatedBusinessObjectives": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this threat endangers." + }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this threat." + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "postalAddress": { + "threatScenario": { "type": "object", - "title": "Postal Address", - "description": "An address used to identify a contactable or operational location.", + "title": "Threat Scenario", + "description": "A specific realization of a threat, in which an actor seeks to cause harm. The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.", "additionalProperties": false, + "required": [ + "bom-ref", + "name", + "threats" + ], "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Reference Identifier", - "description": "An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. 
The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers." + "description": "An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link." }, - "country": { + "name": { "type": "string", - "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative." + "minLength": 1, + "title": "Name", + "description": "The name of the threat scenario." }, - "region": { + "description": { "type": "string", - "title": "Region", - "description": "The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.", - "examples": [ - "Texas" - ] + "title": "Description", + "description": "A description of the threat scenario." }, - "isoCode": { - "type": "string", - "pattern": "^[A-Z]{2}(-[A-Z0-9]{1,3})?$", - "title": "ISO Code", - "description": "An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. When present, this property is authoritative over the free-text country and region properties.", - "examples": [ - "IT-BO", - "US-CA", - "DE-BY" - ] + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats." }, - "locality": { + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that is the actor in this scenario. Named adversary groups are organizations and abstract attacker classes are personas." 
+ }, + "threatProfile": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor." + }, + "motivation": { + "type": "array", + "title": "Motivation", + "uniqueItems": true, + "description": "The motivations of the actor in this scenario.", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ], + "meta:enum": { + "financial": "Motivated by financial gain.", + "political": "Motivated by political objectives.", + "personal": "Motivated by personal reasons.", + "ideological": "Motivated by ideology or belief.", + "espionage": "Motivated by intelligence gathering.", + "destruction": "Motivated by the desire to destroy.", + "disruption": "Motivated by the desire to disrupt operations.", + "reputation": "Motivated by reputational gain or harm.", + "curiosity": "Motivated by curiosity.", + "competitive": "Motivated by competitive advantage.", + "revenge": "Motivated by revenge.", + "activism": "Motivated by activism." + } + } + }, + "intent": { "type": "string", - "title": "Locality", - "description": "The locality or city within the country.", - "examples": [ - "Austin" - ] + "title": "Intent", + "description": "The intent of the actor in this scenario.", + "enum": [ + "accidental", + "opportunistic", + "targeted", + "persistent" + ], + "meta:enum": { + "accidental": "The harm is caused without intent.", + "opportunistic": "The actor takes advantage of an opportunity as it arises.", + "targeted": "The actor deliberately targets the subject.", + "persistent": "The actor pursues the target persistently over time." 
+ } }, - "postOfficeBoxNumber": { + "accessLevel": { "type": "string", - "title": "Post Office Box Number", - "description": "The post office box number.", - "examples": [ - "901" - ] + "title": "Access Level", + "description": "The level of access the actor is assumed to have in this scenario.", + "enum": [ + "none", + "external", + "internal", + "privileged", + "physical" + ], + "meta:enum": { + "none": "No access.", + "external": "External access only.", + "internal": "Internal access, such as that of an ordinary user.", + "privileged": "Privileged or administrative access.", + "physical": "Physical access to the target." + } + }, + "attackVector": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector" + }, + "exploitability": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability" + }, + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "title": "Risk Attributes", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "The security and privacy attributes that this threat would compromise if realized." + }, + "affectedAssets": { + "type": "array", + "title": "Affected Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets affected in this scenario." + }, + "relatedRisks": { + "type": "array", + "title": "Related Risks", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risks that this scenario contributes to." 
}, - "postalCode": { - "type": "string", - "title": "Postal Code", - "description": "The postal code.", - "examples": [ - "78758" - ] + "relatedVulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities exploited in this scenario." }, - "streetAddress": { - "type": "string", - "title": "Street Address", - "description": "The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.", - "examples": [ - "100 Main Street", - "Acme Tower\nSuite 1200\n100 Main Street" - ] + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }, - "coordinates": { - "type": "object", - "title": "Geographic Coordinates", - "description": "Geographic coordinates of the address.", - "additionalProperties": false, - "required": [ - "latitude", - "longitude" - ], - "properties": { - "latitude": { - "type": "number", - "minimum": -90, - "maximum": 90, - "title": "Latitude", - "description": "Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision." - }, - "longitude": { - "type": "number", - "minimum": -180, - "maximum": 180, - "title": "Longitude", - "description": "Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision." - }, - "altitude": { - "type": "number", - "title": "Altitude", - "description": "Altitude in meters above the reference ellipsoid identified by the datum property." - }, - "datum": { - "type": "string", - "title": "Datum", - "description": "The geodetic datum used for the coordinates. 
WGS84 is assumed when omitted.", - "default": "WGS84", - "examples": [ - "WGS84", - "NAD83", - "ETRS89" - ] - } - } + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-patent-2.0": { - "type": "null", - "title": "CycloneDX Patent Model", - "$defs": { - "patents": { + }, + "threatProfiles": { "type": "array", - "title": "Patents", - "description": "The list of either individual patents or patent families.", + "title": "Threat Profiles", + "uniqueItems": true, "items": { - "anyOf": [ - { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent" - }, - { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily" - } - ] - } + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatProfile" + }, + "description": "Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat." }, - "patent": { + "threatProfile": { "type": "object", - "title": "Patent", - "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", + "title": "Threat Profile", + "description": "A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.", + "additionalProperties": false, "required": [ - "patentNumber", - "jurisdiction", - "patentLegalStatus" + "bom-ref" ], - "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM." + "description": "An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link." }, - "patentNumber": { + "name": { "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Number", - "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", - "examples": [ - "US987654321", - "EP1234567B1" - ] - }, - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" - }, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" - }, - "priorityApplication": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + "minLength": 1, + "title": "Name", + "description": "The name of the threat profile." }, - "publicationNumber": { + "description": { "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Publication Number", - "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + "title": "Description", + "description": "A description of the threat profile." }, - "title": { + "sophistication": { "type": "string", - "title": "Patent Title", - "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." + "title": "Sophistication", + "description": "The level of technical sophistication an actor characterized by this profile is assumed to possess.", + "enum": [ + "none", + "minimal", + "intermediate", + "advanced", + "expert" + ], + "meta:enum": { + "none": "No technical sophistication.", + "minimal": "Minimal sophistication, relying on readily available tools and techniques.", + "intermediate": "Intermediate technical skills.", + "advanced": "Advanced skills consistent with a persistent and well-resourced actor.", + "expert": "Expert skills consistent with the most capable actors." + } }, - "abstract": { + "resources": { "type": "string", - "title": "Patent Abstract", - "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." + "title": "Resources", + "description": "The level of resources an actor characterized by this profile is assumed to have available.", + "enum": [ + "minimal", + "limited", + "moderate", + "substantial", + "unlimited" + ], + "meta:enum": { + "minimal": "Minimal resources.", + "limited": "Limited resources.", + "moderate": "Moderate resources.", + "substantial": "Substantial resources.", + "unlimited": "Effectively unlimited resources." 
+ } }, - "filingDate": { - "type": "string", - "format": "date", - "title": "Filing Date", - "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + "skillSet": { + "type": "array", + "title": "Skill Set", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The specific skills an actor characterized by this profile is assumed to possess." }, - "grantDate": { + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "attackVector": { + "type": "object", + "title": "Attack Vector", + "description": "The conditions under which an attack is possible, following the convention of common vulnerability scoring systems.", + "additionalProperties": false, + "properties": { + "type": { "type": "string", - "format": "date", - "title": "Grant Date", - "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + "title": "Type", + "description": "The context by which an attack is possible.", + "enum": [ + "network", + "adjacent", + "local", + "physical" + ], + "meta:enum": { + "network": "Remotely exploitable via a network.", + "adjacent": "Exploitable from an adjacent network.", + "local": "Requires local access.", + "physical": "Requires physical access." + } }, - "patentExpirationDate": { + "complexity": { "type": "string", - "format": "date", - "title": "Expiration Date", - "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." 
+ "title": "Complexity", + "description": "The complexity of the attack.", + "enum": [ + "low", + "high" + ], + "meta:enum": { + "low": "The attack has low complexity.", + "high": "The attack has high complexity." + } }, - "patentLegalStatus": { + "privileges": { "type": "string", - "title": "Legal Status", - "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.", + "title": "Privileges", + "description": "The level of privileges required to carry out the attack.", "enum": [ - "pending", - "granted", - "revoked", - "expired", - "lapsed", - "withdrawn", - "abandoned", - "suspended", - "reinstated", - "opposed", - "terminated", - "invalidated", - "in-force" + "none", + "low", + "high" ], "meta:enum": { - "pending": "The patent application has been filed but not yet examined or granted.", - "granted": "The patent application has been examined and a patent has been issued.", - "revoked": "The patent has been declared invalid through a legal or administrative process.", - "expired": "The patent has reached the end of its enforceable term.", - "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.", - "withdrawn": "The patent application was voluntarily withdrawn by the applicant.", - "abandoned": "The patent application was abandoned, often due to lack of action or response.", - "suspended": "Processing of the patent application has been temporarily halted.", - "reinstated": "A previously abandoned or lapsed patent has been reinstated.", - "opposed": "The patent application or granted patent is under formal opposition proceedings.", - "terminated": "The patent or application has been officially terminated.", - "invalidated": "The patent has been 
invalidated, either in part or in full.", - "in-force": "The granted patent is active and enforceable." + "none": "No privileges are required.", + "low": "Low privileges are required.", + "high": "High privileges are required." } }, - "patentAssignee": { - "type": "array", - "title": "Patent Assignees", - "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", - "items": { - "oneOf": [ - { - "title": "Person", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - }, - { - "title": "Organizational Entity", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } - ] + "userInteraction": { + "type": "string", + "title": "User Interaction", + "description": "Whether the attack requires interaction from a user other than the attacker.", + "enum": [ + "none", + "required" + ], + "meta:enum": { + "none": "No user interaction is required.", + "required": "User interaction is required." } }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "scope": { + "type": "string", + "title": "Scope", + "description": "Whether a successful attack affects resources beyond the vulnerable component.", + "enum": [ + "unchanged", + "changed" + ], + "meta:enum": { + "unchanged": "The attack affects only the vulnerable component.", + "changed": "The attack affects resources beyond the vulnerable component." + } } } }, - "patentFamily": { + "attackPattern": { "type": "object", - "title": "Patent Family", - "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. 
A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", + "title": "Attack Pattern", + "description": "A description of the common attributes and approach of an attack, typically aligned with CAPEC. Techniques are aligned with MITRE ATT&CK.", + "additionalProperties": false, "required": [ - "familyId" + "bom-ref", + "name" ], - "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." + "description": "An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link." }, - "familyId": { - "type": "string", - "title": "Patent Family ID", - "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." + "capecId": { + "type": "integer", + "minimum": 1, + "title": "CAPEC Identifier", + "description": "The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern." }, - "priorityApplication": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the attack pattern." }, - "members": { + "description": { + "type": "string", + "title": "Description", + "description": "A description of the attack pattern." 
+ }, + "prerequisites": { "type": "array", - "title": "Family Members", - "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", + "title": "Prerequisites", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "BOM Reference", - "description": "A `bom-ref` linking to a patent or application object within the BOM." - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - } - } - }, - "patentAssertions": { - "type": "array", - "title": "Patent Assertions", - "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "items": { - "type": "object", - "title": "Patent Assertion", - "description": "An assertion linking a patent or patent family to this component or service.", - "required": [ - "assertionType", - "asserter" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." + "type": "string" }, - "assertionType": { - "type": "string", - "title": "Assertion Type", - "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.", - "enum": [ - "ownership", - "license", - "third-party-claim", - "standards-inclusion", - "prior-art", - "exclusive-rights", - "non-assertion", - "research-or-evaluation" - ], - "meta:enum": { - "ownership": "The manufacturer asserts ownership of the patent or patent family.", - "license": "The manufacturer asserts they have a license to use the patent or patent family.", - "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", - "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", - "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", - "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", - "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", - "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." - } + "description": "The conditions that must hold for the attack to be possible." + }, + "techniques": { + "type": "array", + "title": "Techniques", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" }, - "patentRefs": { - "type": "array", - "title": "Patent References", - "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - } + "description": "The techniques used to carry out the attack, typically aligned with MITRE ATT&CK." 
+ }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "asserter": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organizational Entity" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Person" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." - } - ] + "description": "References using bom-link or bom-ref to the controls that mitigate this attack pattern." + }, + "examples": { + "type": "array", + "title": "Examples", + "uniqueItems": true, + "items": { + "type": "string" }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." - } + "description": "Real-world examples of the attack pattern." } } }, - "patentApplicationNumber": { - "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Application Number", - "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. 
Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", - "examples": [ - "US20240000123", - "EP23123456" - ] - }, - "patentJurisdiction": { - "type": "string", - "title": "Jurisdiction", - "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", - "pattern": "^[A-Z]{2}$", - "examples": [ - "US", - "EP", - "JP" - ] - }, - "patentFilingDate": { - "type": "string", - "format": "date", - "title": "Filing Date", - "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." - }, - "priorityApplication": { + "technique": { "type": "object", - "title": "Priority Application", - "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", - "required": [ - "applicationNumber", - "jurisdiction", - "filingDate" - ], + "title": "Technique", + "description": "A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.", "additionalProperties": false, "properties": { - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + "id": { + "type": "string", + "title": "Identifier", + "description": "The identifier of the technique, such as a MITRE ATT&CK technique identifier." 
}, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + "name": { + "type": "string", + "title": "Name", + "description": "The name of the technique." }, - "filingDate": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + "tactic": { + "type": "string", + "title": "Tactic", + "description": "The tactic that the technique supports, such as a MITRE ATT&CK tactic." + }, + "procedure": { + "type": "string", + "title": "Procedure", + "description": "The specific procedure by which the technique is carried out." } } - } - } - }, - "cyclonedx-perspective-2.0": { - "type": "null", - "title": "CycloneDX Perspective Model", - "$defs": { - "perspectives": { - "type": "array", - "title": "Perspectives", - "description": "Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. Each perspective identifies relevant data types and may provide domain-specific terminology mappings.", - "items": { - "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspective" - } }, - "perspective": { + "attackTree": { "type": "object", - "title": "Perspective", - "description": "A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.", + "title": "Attack Tree", + "description": "A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. 
One node is the root, representing the attacker goal.", "additionalProperties": false, "required": [ - "name", - "mappings" + "bom-ref", + "nodes" ], "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link." }, "name": { "type": "string", - "title": "Perspective Name", - "description": "The name of the perspective, typically indicating the target audience or domain.", - "examples": [ - "AI/ML Transparency", - "Device Manufacturing Regulatory Compliance", - "Minimum Elements of an SBOM" - ] + "title": "Name", + "description": "The name of the attack tree." }, "description": { "type": "string", "title": "Description", - "description": "A description of the perspective, its intended audience, and the use cases it supports." + "description": "A description of the attack tree." }, - "domains": { - "type": "array", - "title": "Domains", - "description": "The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.", - "items": { - "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice" - } + "root": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Root BOM Reference", + "description": "Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the node that no other node lists as a child." }, - "mappings": { + "nodes": { "type": "array", - "title": "Data Type Mappings", - "description": "An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. 
Each mapping may include domain-specific terminology.", - "minItems": 1, + "title": "Nodes", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping" - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackTreeNode" + }, + "description": "The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting." } } }, - "perspectiveMapping": { + "attackTreeNode": { "type": "object", - "title": "Perspective Mapping", - "description": "Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.", + "title": "Attack Tree Node", + "description": "A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. The hierarchy is expressed by these references rather than by nesting.", "additionalProperties": false, "required": [ - "expression" + "bom-ref", + "name" ], "properties": { - "expression": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link." 
+ }, + "name": { "type": "string", - "title": "Path Expression", - "description": "A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.", - "examples": [ - "$.components[*].pedigree", - "$.components[?(@.type=='machine-learning-model')].modelCard", - "$.components[?(@.type=='cryptographic-asset')]", - "$.vulnerabilities" - ] + "minLength": 1, + "title": "Name", + "description": "The goal, sub-goal, or technique that the node represents." }, - "nativeName": { + "description": { "type": "string", - "title": "Native Name", - "description": "The domain-specific term used by the target audience to describe the data identified by the expression.", - "examples": [ - "Foundation Models", - "Training Corpus", - "Cryptographic Inventory", - "Component Provenance" - ] + "title": "Description", + "description": "A description of the node." }, - "nativeDescription": { + "operator": { "type": "string", - "title": "Native Description", - "description": "A domain-specific description of the data type, explaining its significance within the context of the perspective." + "title": "Operator", + "description": "Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.", + "enum": [ + "and", + "or" + ], + "meta:enum": { + "and": "All child nodes are required to achieve this node.", + "or": "Any one child node is sufficient to achieve this node." 
+ } }, - "relevance": { - "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance" + "children": { + "type": "array", + "title": "Children", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. A child node may be shared by more than one parent." + }, + "attackPattern": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the attack pattern that this node represents." }, - "weight": { - "type": "number", - "title": "Weight", - "description": "Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. This allows for relative ranking of mappings, where higher values indicate greater importance.", - "minimum": 0, - "maximum": 1 + "weakness": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the weakness that this node exploits." }, - "rationale": { + "cost": { "type": "string", - "title": "Rationale", - "description": "Explains why this data type is relevant to the perspective and how it should be interpreted or used." 
- } - } - }, - "perspectiveRelevance": { - "type": "string", - "title": "Perspective Relevance", - "description": "Indicates the importance of a data type to a perspective.", - "enum": [ - "required", - "recommended", - "optional", - "informative" - ], - "meta:enum": { - "required": "This data type is essential for the perspective and should always be present.", - "recommended": "This data type is highly relevant and should be included when available.", - "optional": "This data type provides supplementary information that may be useful.", - "informative": "This data type provides background context but is not directly actionable." - } - }, - "perspectiveDomainChoice": { - "title": "Perspective Domain Choice", - "description": "Allows selection of a pre-defined domain or specification of a custom domain.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain" + "title": "Cost", + "description": "The relative cost to an attacker of achieving this node.", + "enum": [ + "negligible", + "low", + "moderate", + "high", + "prohibitive" + ], + "meta:enum": { + "negligible": "Negligible cost.", + "low": "Low cost.", + "moderate": "Moderate cost.", + "high": "High cost.", + "prohibitive": "Prohibitive cost." + } }, - { - "type": "object", - "title": "Custom Domain", - "required": [ - "name" + "skill": { + "type": "string", + "title": "Skill", + "description": "The skill level required to achieve this node.", + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Domain Name", - "description": "The name of the custom domain." - }, - "description": { - "type": "string", - "title": "Domain Description", - "description": "A description of the custom domain, its scope, and the concerns it addresses." 
- } + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." + } + }, + "detectability": { + "type": "string", + "title": "Detectability", + "description": "How readily an attempt to achieve this node can be detected.", + "enum": [ + "undetectable", + "low", + "moderate", + "high" + ], + "meta:enum": { + "undetectable": "The attempt is effectively undetectable.", + "low": "The attempt is difficult to detect.", + "moderate": "The attempt is moderately detectable.", + "high": "The attempt is readily detectable." } + }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this node." } - ] + } }, - "preDefinedPerspectiveDomain": { - "type": "string", - "title": "Pre-Defined Perspective Domain", - "description": "A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.", - "enum": [ - "application-security", - "cloud-security", - "container-security", - "cryptographic-security", - "cyber-security", - "data-security", - "endpoint-security", - "firmware-security", - "hardware-security", - "identity-access-management", - "network-security", - "operational-security", - "physical-security", - "supply-chain-security", - "web-security", - "automotive-safety", - "aviation-safety", - "environmental-safety", - "functional-safety", - "machinery-safety", - "maritime-safety", - "nuclear-safety", - "patient-safety", - "process-safety", - "railway-safety", - "aerospace-defense", - "automotive", - "building-automation", - "consumer-electronics", - "critical-infrastructure", - "education", - "energy-utilities", - "financial-services", - "government", - "healthcare", - "insurance", - "legal", - "manufacturing", - "media-entertainment", - "pharmaceuticals", - "retail", - "telecommunications", - "transportation", - "artificial-intelligence", - "edge-computing", - "embedded-systems", - "industrial-control-systems", - "industrial-iot", - "internet-of-things", - "machine-learning", - "medical-devices", - "mobile", - "operational-technology", - "robotics", - "scada", - "smart-grid", - "data-protection", - "export-control", - "intellectual-property", - "legal-compliance", - "licensing", - "privacy", - "regulatory-compliance", - "maintainability", - "performance", - "quality-assurance", - "reliability", - "testability", - "incident-response", - "penetration-testing", - "red-team", - "risk-management", - "threat-intelligence", - "threat-modeling", - "vulnerability-management", - "accessibility", - "ethics", - "human-factors", - "interoperability", - "resilience", - "sustainability", - "transparency" + "abuseCase": { + "type": "object", + "title": "Abuse Case", + "description": "A description of how an adversary can 
misuse the system to achieve a malicious goal. An abuse case is the security counterpart of a use case and reuses its flow structure.", + "additionalProperties": false, + "required": [ + "bom-ref", + "name" ], - "meta:enum": { - "application-security": "Security concerns related to software applications, including vulnerabilities, secure coding practices, input validation, and dependency management.", - "cloud-security": "Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility models.", - "container-security": "Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.", - "cryptographic-security": "Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.", - "cyber-security": "Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.", - "data-security": "Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.", - "endpoint-security": "Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.", - "firmware-security": "Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.", - "hardware-security": "Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.", - "identity-access-management": "Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.", - "network-security": "Security concerns 
related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.", - "operational-security": "Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.", - "physical-security": "Security concerns related to physical access controls, environmental protections, surveillance, and tamper evidence.", - "supply-chain-security": "Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.", - "web-security": "Security concerns specific to web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.", - "automotive-safety": "Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.", - "aviation-safety": "Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.", - "environmental-safety": "Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.", - "functional-safety": "Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.", - "machinery-safety": "Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.", - "maritime-safety": "Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.", - "nuclear-safety": "Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.", - "patient-safety": "Safety concerns for medical devices and healthcare systems 
focusing on preventing harm to patients, including adverse event prevention and clinical risk management.", - "process-safety": "Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.", - "railway-safety": "Safety concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.", - "aerospace-defense": "Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.", - "automotive": "Industry-specific concerns for automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.", - "building-automation": "Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.", - "consumer-electronics": "Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.", - "critical-infrastructure": "Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.", - "education": "Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.", - "energy-utilities": "Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.", - "financial-services": "Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.", - "government": "Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.", - "healthcare": "Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and 
healthcare interoperability.", - "insurance": "Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.", - "legal": "Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.", - "manufacturing": "Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.", - "media-entertainment": "Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.", - "pharmaceuticals": "Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and drug safety systems.", - "retail": "Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.", - "telecommunications": "Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.", - "transportation": "Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.", - "artificial-intelligence": "Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.", - "edge-computing": "Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.", - "embedded-systems": "Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.", - "industrial-control-systems": "Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.", - "industrial-iot": "Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.", - 
"internet-of-things": "Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.", - "machine-learning": "Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.", - "medical-devices": "Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.", - "mobile": "Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.", - "operational-technology": "Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system integration.", - "robotics": "Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.", - "scada": "Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.", - "smart-grid": "Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.", - "data-protection": "Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.", - "export-control": "Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.", - "intellectual-property": "Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.", - "legal-compliance": "Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.", - "licensing": "Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.", - "privacy": "Concerns related to personal data protection, privacy by 
design, consent management, and individual rights.", - "regulatory-compliance": "Concerns related to compliance with industry-specific regulations, standards, and certification requirements.", - "maintainability": "Concerns related to the ease of maintaining, updating, and supporting software and systems over their lifecycle.", - "performance": "Concerns related to system performance, scalability, response times, and resource utilisation.", - "quality-assurance": "Concerns related to testing, validation, verification, and overall quality metrics and processes.", - "reliability": "Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.", - "testability": "Concerns related to the ability to test components and systems, including test coverage, test automation, and test data management.", - "incident-response": "Concerns related to detecting, responding to, and recovering from security incidents and breaches.", - "penetration-testing": "Concerns related to authorised security testing, vulnerability assessment, and security validation activities.", - "red-team": "Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.", - "risk-management": "Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.", - "threat-intelligence": "Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.", - "threat-modeling": "Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.", - "vulnerability-management": "Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.", - "accessibility": "Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.", - "ethics": "Concerns related to ethical considerations in technology development, including algorithmic 
fairness and responsible innovation.", - "human-factors": "Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.", - "interoperability": "Concerns related to the ability of systems to exchange and use information effectively across boundaries.", - "resilience": "Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.", - "sustainability": "Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.", - "transparency": "Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition." + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the abuse case, typically expressed as a malicious goal." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing how the system can be misused or abused." + }, + "abuser": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona." + }, + "realizes": { + "type": "array", + "title": "Realizes", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this abuse case realizes." + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The conditions that must hold before the abuse case can begin." 
+ }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The ordered steps the abuser follows." + }, + "targets": { + "type": "array", + "title": "Targets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets or flows targeted in this abuse case." + }, + "detectionOpportunities": { + "type": "array", + "title": "Detection Opportunities", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The signals, logs, or controls that present an opportunity to detect the abuse." + }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this abuse case." + } } - } - } - }, - "cyclonedx-release-notes-2.0": { - "type": "null", - "title": "CycloneDX Release Notes Model", - "$defs": { - "releaseNotes": { + }, + "exploitability": { "type": "object", - "title": "Release notes", + "title": "Exploitability", + "description": "The degree to which a threat can be exploited in practice.", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "title": "Level", + "description": "The maturity of available exploitation capability.", + "enum": [ + "theoretical", + "proof-of-concept", + "functional", + "weaponized" + ], + "meta:enum": { + "theoretical": "Exploitation is theoretically possible but has not been demonstrated.", + "proof-of-concept": "A proof of concept exists.", + "functional": "A functional exploit exists.", + "weaponized": "A weaponized exploit is in use." 
+ } + }, + "complexity": { + "type": "string", + "title": "Complexity", + "description": "The complexity of exploitation.", + "enum": [ + "trivial", + "low", + "medium", + "high", + "very-high" + ], + "meta:enum": { + "trivial": "Exploitation is trivial.", + "low": "Exploitation has low complexity.", + "medium": "Exploitation has medium complexity.", + "high": "Exploitation has high complexity.", + "very-high": "Exploitation has very high complexity." + } + }, + "skillRequired": { + "type": "string", + "title": "Skill Required", + "description": "The skill level required to exploit the threat.", + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." + } + }, + "automatable": { + "type": "boolean", + "title": "Automatable", + "description": "Whether exploitation can be automated." + } + } + }, + "indicators": { + "type": "object", + "title": "Indicators", + "description": "The observable indicators associated with a threat.", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "title": "Indicators of Compromise", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The indicators that a compromise has occurred." + }, + "attack": { + "type": "array", + "title": "Indicators of Attack", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The indicators that an attack is under way." + }, + "signatures": { + "type": "array", + "title": "Signatures", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/signature" + }, + "description": "The detection signatures associated with the threat." 
+ } + } + }, + "signature": { + "type": "object", + "title": "Signature", + "description": "A detection signature for a threat.", + "additionalProperties": false, "required": [ - "type" + "type", + "value" ], - "additionalProperties": false, "properties": { "type": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", + "type": "string", "title": "Type", - "description": "The software versioning type the release note describes." + "description": "The type of signature.", + "enum": [ + "yara", + "snort", + "regex", + "hash", + "behavior" + ], + "meta:enum": { + "yara": "A YARA rule.", + "snort": "A Snort rule.", + "regex": "A regular expression.", + "hash": "A cryptographic hash.", + "behavior": "A behavioural signature." + } }, - "title": { + "value": { "type": "string", - "title": "Title", - "description": "The title of the release." + "minLength": 1, + "title": "Value", + "description": "The signature value or pattern." }, - "featuredImage": { + "description": { "type": "string", - "format": "iri-reference", - "title": "Featured image", - "description": "The URL to an image that may be prominently displayed with the release note." + "title": "Description", + "description": "A description of what the signature detects." }, - "socialImage": { + "confidence": { "type": "string", - "format": "iri-reference", - "title": "Social image", - "description": "The URL to an image that may be used in messaging on social media platforms." + "title": "Confidence", + "description": "The confidence level of a detection by this signature.", + "enum": [ + "low", + "medium", + "high" + ], + "meta:enum": { + "low": "Low confidence.", + "medium": "Medium confidence.", + "high": "High confidence." + } + } + } + }, + "trustBoundary": { + "type": "object", + "title": "Trust Boundary", + "description": "A security annotation marking an architectural boundary as one across which trust changes. 
It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.", + "additionalProperties": false, + "required": [ + "bom-ref", + "boundary" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link." + }, + "boundary": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the trust boundary." }, "description": { "type": "string", "title": "Description", - "description": "A short description of the release." + "description": "A description of the trust boundary." }, - "timestamp": { + "trustLevel": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the release note was created." + "title": "Trust Level", + "description": "The trust level differential across the boundary.", + "enum": [ + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" + ], + "meta:enum": { + "untrusted": "The boundary separates an untrusted zone.", + "semi-trusted": "The boundary separates a semi-trusted zone.", + "trusted": "The boundary separates a trusted zone.", + "highly-trusted": "The boundary separates a highly trusted zone." + } }, - "aliases": { + "threatsAtBoundary": { "type": "array", + "title": "Threats At Boundary", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "title": "Aliases", - "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)." + "description": "References using bom-link or bom-ref to the threats that could exploit this boundary." }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "controlsAtBoundary": { + "type": "array", + "title": "Controls At Boundary", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. Where the control and boundary are declared together, prefer the control's appliesTo property." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "killChainPhase": { + "type": "string", + "title": "Kill Chain Phase", + "description": "A phase of the cyber kill chain.", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target.", + "weaponization": "Creating a malicious payload.", + "delivery": "Transmitting the payload to the target.", + "exploitation": "Exploiting a vulnerability or weakness.", + "installation": "Installing malicious software or establishing a foothold.", + "command-and-control": "Establishing a command and control channel.", + "actions-on-objectives": "Achieving the goals of the attack." + } + }, + "attackPathStep": { + "type": "object", + "title": "Attack Path Step", + "description": "A single step in an attack path, describing one action in the progression of an attack.", + "required": [ + "description" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "A short name for the step." 
+ }, + "description": { + "type": "string", + "minLength": 1, + "title": "Description", + "description": "The action the adversary performs in this step." + }, + "technique": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique", + "description": "The technique used in this step, typically aligned with MITRE ATT&CK." + }, + "attackPattern": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the attack pattern applied in this step." + }, + "killChainPhase": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase", + "description": "The phase of the cyber kill chain at which this step operates." + }, + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the element or zone from which this step originates." + }, + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the element or zone this step reaches." + }, + "boundaryCrossed": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the trust boundary this step crosses." + }, + "exploits": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits." + }, + "mitigations": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that detect or prevent this step." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "attackPath": { + "type": "object", + "title": "Attack Path", + "description": "An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.", + "required": [ + "bom-ref", + "name", + "steps" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "A human-readable name for the attack path." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the attack path." + }, + "objective": { + "type": "string", + "title": "Objective", + "description": "The attacker objective that the path works toward, such as exfiltrating data or achieving code execution." + }, + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the adversary that follows this path." }, - "resolves": { + "steps": { "type": "array", + "title": "Steps", + "minItems": 1, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPathStep" }, - "title": "Resolves", - "description": "A collection of issues that have been resolved." + "description": "The ordered steps of the path, from the initial action to the objective. The order of the array is significant." 
}, - "notes": { + "realizes": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "title": "Notes", - "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + "description": "References using bom-link or bom-ref to the threats that this path realizes." }, - "properties": { + "relatedRisks": { "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - } - } - }, - "releaseType": { - "type": "string", - "examples": [ - "major", - "minor", - "patch", - "pre-release", - "internal" - ], - "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." - }, - "note": { - "type": "object", - "title": "Note", - "description": "A note containing the locale and content.", - "required": [ - "text" - ], - "additionalProperties": false, - "properties": { - "locale": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", - "title": "Locale", - "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risks that this path contributes to." 
}, - "text": { - "title": "Release note content", - "description": "Specifies the full content of the release note.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } } } }, - "cyclonedx-service-2.0": { + "cyclonedx-usecase-2.0": { "type": "null", - "title": "CycloneDX Service Model", + "title": "CycloneDX Use Case Model", "$defs": { - "services": { + "useCases": { "type": "array", + "title": "Use Cases", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase" }, - "uniqueItems": true, - "title": "Services" + "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals." }, - "service": { + "useCase": { "type": "object", - "title": "Service", + "title": "Use Case", + "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", "required": [ + "bom-ref", "name" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "group": { - "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. 
This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", - "examples": [ - "com.acme" - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Service Name", - "description": "The name of the service. This will often be a shortened, single name of the service.", - "examples": [ - "ticker-service" - ] - }, - "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Service Version", - "description": "The service version." + "title": "Name", + "minLength": 1, + "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')." }, "description": { "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" + "title": "Description", + "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution." }, - "endpoints": { + "actors": { "type": "array", + "title": "Actors", + "uniqueItems": true, "items": { - "type": "string", - "format": "iri-reference" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": [ - "https://example.com/api/v1/ticker" - ] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." 
- }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + "description": "References using bom-link or bom-ref to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." }, - "trustZone": { - "type": "string", - "title": "Trust Zone", - "description": "The name of the trust zone the service resides in." - }, - "data": { + "preconditions": { "type": "array", + "title": "Preconditions", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + "type": "string" }, - "title": "Data", - "description": "Specifies information about the data including the directional flow of data and the data classification." - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "Service License(s)" - }, - "patentAssertions": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", - "title": "Service Patent(s)" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases." }, - "services": { + "postconditions": { "type": "array", + "title": "Postconditions", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + "type": "string" }, - "uniqueItems": true, - "title": "Services", - "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies." - }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced." }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" - } - } - }, - "serviceData": { - "type": "object", - "title": "Hash Objects", - "required": [ - "flow", - "classification" - ], - "additionalProperties": false, - "properties": { - "flow": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", - "title": "Directional Flow", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." + "mainFlow": { + "type": "array", + "title": "Main Flow", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome." 
}, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" + }, + "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome." }, - "name": { - "type": "string", - "title": "Name", - "description": "Name for the defined data", - "examples": [ - "Credit card reporting" - ] + "exceptions": { + "type": "array", + "title": "Exceptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" + }, + "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully." }, - "description": { - "type": "string", - "title": "Description", - "description": "Short description of the data content and usage", - "examples": [ - "Credit card information being exchanged in between the web app and the database" - ] + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off." }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." 
}, - "source": { + "businessObjectives": { "type": "array", + "title": "Business Objectives", + "uniqueItems": true, "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "title": "Source", - "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + "description": "References using bom-link or bom-ref to the business objectives this use case supports." }, - "destination": { + "notes": { "type": "array", + "title": "Notes", + "uniqueItems": true, "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "type": "string" }, - "title": "Destination", - "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-standard-2.0": { - "type": "null", - "title": "CycloneDX Standard Model", - "$defs": { - "standards": { - "type": "array", - "title": "Standards", - "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" - } }, - "standard": { + "step": { "type": "object", - "title": "Standard", - "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "title": "Step", + "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.", + "required": [ + "number", + "description" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the standard. This will often be a shortened, single name of the standard." - }, - "version": { - "type": "string", - "title": "Version", - "description": "The version of the standard." + "number": { + "type": "integer", + "title": "Number", + "minimum": 1, + "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1." }, "description": { "type": "string", "title": "Description", - "description": "The description of the standard." 
- }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard, often the entity responsible for its release." - }, - "requirements": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" - }, - "levels": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "minLength": 1, + "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." }, - "signatures": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signatures" + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." } } }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirements comprising the standard.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" - } - }, - "requirement": { + "flow": { "type": "object", - "title": "Requirement", + "title": "Flow", + "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.", + "required": [ + "name", + "condition" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "identifier": { + "name": { "type": "string", - "title": "Identifier", - "description": "The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref." + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')." }, - "title": { + "description": { "type": "string", - "title": "Title", - "description": "The title of the requirement." + "title": "Description", + "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies." }, - "text": { + "condition": { "type": "string", - "title": "Text", - "description": "The textual content of the requirement." - }, - "descriptions": { - "type": "array", - "title": "Descriptions", - "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", - "items": { - "type": "string" - } + "title": "Condition", + "minLength": 1, + "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path." }, - "openCre": { + "steps": { "type": "array", - "title": "OWASP OpenCRE Identifier(s)", - "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "title": "Steps", "items": { - "type": "string", - "pattern": "^CRE:[0-9]+-[0-9]+$", - "examples": [ - "CRE:764-507" - ] - } - }, - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Parent BOM Reference", - "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. 
Top-level requirements must not define a parent. Only child requirements should define parents." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps." } } }, - "levels": { - "type": "array", - "title": "Levels", - "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" - } - }, - "level": { + "exception": { "type": "object", - "title": "Level", + "title": "Exception", + "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.", + "required": [ + "name", + "condition" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level." - }, - "title": { + "name": { "type": "string", - "title": "Title", - "description": "The title of the level." + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level." 
+ "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved." }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirement `bom-ref`s that comprise the level.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." + } + } + }, + "useCaseAssertions": { + "type": "array", + "title": "Use Case Assertions", + "description": "A list of assertions describing how a component relates to use cases defined in the BOM.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Use Case Assertion", + "description": "An assertion linking one or more use cases to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "useCaseRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the use case.", + "enum": [ + "extends", + "implements", + "inhibits", + "not-applicable", + "not-assessed", + "other", + "participates-in", + "supports", + "triggers", + "validates" + ], + "meta:enum": { + "extends": "The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.", + "implements": "The component implements or realises the use case, providing the primary capability that makes the use case functional.", + "inhibits": "The component is known to interfere with or block the correct execution of the use case.", + "not-applicable": "The use case does not pertain to this component. The evaluator has reviewed the use case and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the use case has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "participates-in": "The component participates in the use case but is not solely responsible for its implementation.", + "supports": "The component provides enabling infrastructure for the use case without directly implementing or participating in it.", + "triggers": "The component initiates or kicks off the use case without being responsible for its implementation.", + "validates": "The component validates, tests, or verifies the correct execution of the use case." 
+ }
+ },
+ "useCaseRefs": {
+ "type": "array",
+ "title": "Use Case References",
+ "description": "A list of BOM references linking to use case objects defined in the BOM.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Additional context or clarification regarding the assertion."
}
}
}
@@ -8460,16 +15875,9 @@
"$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"
}
},
- "cwes": {
- "type": "array",
- "title": "CWEs",
- "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.",
- "examples": [
- 399
- ],
- "items": {
- "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"
- }
+ "weaknesses": {
+ "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses",
+ "description": "The weaknesses, such as CWE classifications, that give rise to this vulnerability."
},
"description": {
"type": "string",
@@ -8610,6 +16018,16 @@
"justification": {
"$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"
},
+ "mitigatingControls": {
+ "type": "array",
+ "title": "Mitigating Controls",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime."
+ },
"response": {
"type": "array",
"title": "Response",
@@ -8746,12 +16164,6 @@
}
}
},
- "cwe": {
- "type": "integer",
- "minimum": 1,
- "title": "CWE",
- "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
- },
"severity": {
"type": "string",
"title": "Severity",
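Review bot: Nothing in the new `mitigatingControls` property ties it to the `justification` values its description says it substantiates, so an analysis can still assert `protected_by_mitigating_control` (or `protected_at_perimeter` / `protected_at_runtime`) while referencing no control, and a consumer cannot distinguish a substantiated not-affected claim from an unsubstantiated one. The enclosing analysis object starts and ends outside the hunk. If substantiation is meant to be required, an `if`/`then` on that object, in the style this commit already uses for `behaviorGraph`, would enforce it for the justification that names the property directly (the perimeter and runtime cases could be added if controls are expected to be modelled for them too); if it is meant to stay optional, the description should say so and consumers will need their own policy check. Since this is the bundled schema, the change belongs in the vulnerability model file it is generated from.
```json
"allOf": [
  {
    "if": {
      "properties": { "justification": { "const": "protected_by_mitigating_control" } },
      "required": [ "justification" ]
    },
    "then": { "required": [ "mitigatingControls" ] }
  }
]
```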
@@ -8843,7 +16255,7 @@
"protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.",
"protected_at_runtime": "Exploits are prevented at runtime.",
"protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.",
- "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."
+ "protected_by_mitigating_control": "Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. The controls may be referenced using the mitigatingControls property."
}
},
"rating": {
@@ -8924,6 +16336,74 @@
}
}
},
+ "cyclonedx-weakness-2.0": {
+ "type": "null",
+ "title": "CycloneDX Weakness Model",
+ "$defs": {
+ "weaknesses": {
+ "type": "array",
+ "title": "Weaknesses",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weakness"
+ },
+ "description": "A collection of weaknesses, such as CWE classifications, that classify an underlying flaw."
+ },
+ "weakness": {
+ "title": "Weakness",
+ "description": "A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.",
+ "oneOf": [
+ {
+ "type": "object",
+ "title": "CWE Weakness",
+ "description": "A weakness identified by its CWE identifier.",
+ "additionalProperties": false,
+ "required": [
+ "cweId"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."
+ },
+ "cweId": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE Identifier",
+ "description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness."
+ }
+ }
+ },
+ {
+ "type": "object",
+ "title": "Named Weakness",
+ "description": "A weakness identified by a free-text name, used where no CWE classification applies.",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the weakness."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the weakness."
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
"cyclonedx-2.0": {
"type": "object",
"title": "CycloneDX Transparency Expression Language",
@@ -8936,6 +16416,9 @@
"$schema": {
"type": "string"
},
+ "$comment": {
+ "type": "string"
+ },
"specFormat": {
"type": "string",
"title": "Specification Format",
@@ -8987,6 +16470,15 @@
"vulnerabilities": {
"$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"
},
+ "threats": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threats"
+ },
+ "risks": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risks"
+ },
+ "controls": {
+ "$ref": "#/$defs/cyclonedx-control-2.0/$defs/controls"
+ },
"annotations": {
"$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations"
},
@@ -8999,6 +16491,12 @@
"definitions": {
"$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
},
+ "blueprints": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"
+ },
+ "profiles": {
+ "$ref": "#/$defs/cyclonedx-profile-2.0/$defs/profiles"
+ },
"citations": {
"$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
},
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
index 190cc1f82..9336d224a 100644
--- a/schema/2.0/cyclonedx-2.0.schema.json
+++ b/schema/2.0/cyclonedx-2.0.schema.json
@@ -13,6 +13,9 @@
"$schema": {
"type": "string"
},
+ "$comment": {
+ "type": "string"
+ },
"specFormat": {
"type": "string",
"title": "Specification Format",
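Review bot: The `CWE Weakness` branch of `weakness` has no `description` property while the `Named Weakness` branch does, and because both branches set `additionalProperties: false`, a CWE-classified weakness cannot carry any text about how the flaw manifests in the affected component, which is exactly where a vulnerability or threat record needs that context. Adding the same `"description": { "type": "string", "title": "Description", "description": "A description of the weakness." }` to the CWE branch keeps the two branches symmetric without affecting the `oneOf` exclusivity, which rests on the disjoint `required` keys, and restoring the `examples` the removed `cwe` definition had (`399`) on `cweId` would preserve the one worked example readers previously got. Note also that `uniqueItems` on `weaknesses` compares whole objects, so two entries with the same `cweId` but different `bom-ref`s both validate; if that is unintended it must be caught by consumers, since JSON Schema cannot express it. As the bundled schema is derived, the change belongs in the weakness model file it is bundled from.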
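Review bot: The new root-level `$comment` property is the only entry in `properties` without a `title` and `description`, both here in the bundled schema and in the `@@ -13,6 +13,9 @@` hunk of `cyclonedx-2.0.schema.json`, so a reader cannot tell whether it is free-form text for the BOM author or something tools are expected to act on. A one-line `"description": "Free-form, non-normative text about the document; tools do not interpret it."` (adjusted to the intended semantics) would settle that. Because the name coincides with the JSON Schema `$comment` keyword, it is also worth confirming that any schema tooling in the build which strips `$comment` keywords does not drop this `properties` entry when producing the bundled file.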
@@ -64,6 +67,15 @@
"vulnerabilities": {
"$ref": "model/cyclonedx-vulnerability-2.0.schema.json#/$defs/vulnerabilities"
},
+ "threats": {
+ "$ref": "model/cyclonedx-threat-2.0.schema.json#/$defs/threats"
+ },
+ "risks": {
+ "$ref": "model/cyclonedx-risk-2.0.schema.json#/$defs/risks"
+ },
+ "controls": {
+ "$ref": "model/cyclonedx-control-2.0.schema.json#/$defs/controls"
+ },
"annotations": {
"$ref": "model/cyclonedx-annotation-2.0.schema.json#/$defs/annotations"
},
@@ -76,6 +88,12 @@
"definitions": {
"$ref": "model/cyclonedx-definition-2.0.schema.json#/$defs/definitions"
},
+ "blueprints": {
+ "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints"
+ },
+ "profiles": {
+ "$ref": "model/cyclonedx-profile-2.0.schema.json#/$defs/profiles"
+ },
"citations": {
"$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations"
},
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
new file mode 100644
index 000000000..efd084bfb
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
@@ -0,0 +1,445 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json", + "type": "null", + "title": "CycloneDX Behavior Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "behaviors": { + "type": "object", + "title": "Behaviors", + "description": "Behaviors performed by objects within the BOM.", + "additionalProperties": false, + "properties": { + "instances": { + "type": "array", + "title": "Instances", + "description": "Individual behavior instances.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/behaviorInstance" + } + }, + "graphs": { + "type": "array", + "title": "Graphs", + "description": "Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the two.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/behaviorGraph" + } + } + } + }, + "behaviorInstance": { + "type": "object", + "title": "Behavior Instance", + "description": "A behavior performed by one or more objects within the BOM.", + "additionalProperties": false, + "required": ["bom-ref", "behavior"], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "behavior": { + "$ref": "../behavior-taxonomy.schema.json", + "title": "Behavior", + "description": "The behavior from the taxonomy." 
+ }, + "acknowledgment": { + "$ref": "#/$defs/acknowledgment" + }, + "trigger": { + "$ref": "#/$defs/trigger" + }, + "actors": { + "type": "array", + "title": "Actors", + "description": "References using bom-link or bom-ref to objects that perform this behavior.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "targets": { + "type": "array", + "title": "Targets", + "description": "References using bom-link or bom-ref to objects affected by this behavior.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + } + } + }, + "trigger": { + "type": "string", + "title": "Trigger", + "description": "The condition or event that initiates a behavior.", + "enum": [ + "startup", + "shutdown", + "scheduled", + "event-driven", + "user-initiated", + "api-call", + "signal", + "condition-based", + "continuous", + "on-demand", + "unknown" + ], + "meta:enum": { + "startup": "Triggered during system or component initialisation.", + "shutdown": "Triggered during system or component termination.", + "scheduled": "Triggered at predetermined times or intervals.", + "event-driven": "Triggered in response to a specific event.", + "user-initiated": "Triggered by explicit user action.", + "api-call": "Triggered by an API invocation.", + "signal": "Triggered by a system or inter-process signal.", + "condition-based": "Triggered when specific conditions are met.", + "continuous": "Runs continuously during normal operation.", + "on-demand": "Triggered on demand as needed.", + "unknown": "The trigger mechanism is not known." + } + }, + "ordering": { + "type": "string", + "title": "Ordering", + "description": "Execution semantics for the nodes of a graph when transitions do not fully specify the order.", + "enum": [ + "sequential", + "unordered", + "parallel" + ], + "meta:enum": { + "sequential": "Nodes execute in ordinal order. 
Each completes before the next begins.", + "unordered": "All nodes execute, but the order is not guaranteed.", + "parallel": "Nodes may execute concurrently." + } + }, + "acknowledgment": { + "type": "array", + "title": "Acknowledgment", + "description": "Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "declared", + "observed" + ], + "meta:enum": { + "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.", + "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." + } + } + }, + "behaviorGraph": { + "type": "object", + "title": "Behavior Graph", + "description": "A graph of nodes joined by transitions that models behaviour over time. A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.", + "additionalProperties": false, + "required": [ + "bom-ref", + "nodes" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the graph." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the graph and the behaviour it models." 
+ }, + "kind": { + "type": "string", + "title": "Kind", + "description": "An optional hint at the intent of the graph.", + "enum": [ + "activity", + "state-machine", + "mixed" + ], + "meta:enum": { + "activity": "The graph models a process or activity flow whose nodes are activities.", + "state-machine": "The graph models a state machine whose nodes are states.", + "mixed": "The graph mixes activity and state nodes." + } + }, + "subject": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Subject", + "description": "Reference using bom-link or bom-ref to the object whose behaviour this graph describes." + }, + "acknowledgment": { + "$ref": "#/$defs/acknowledgment" + }, + "ordering": { + "$ref": "#/$defs/ordering" + }, + "trigger": { + "$ref": "#/$defs/trigger" + }, + "nodes": { + "type": "array", + "title": "Nodes", + "description": "The nodes of the graph.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/behaviorNode" + } + }, + "transitions": { + "type": "array", + "title": "Transitions", + "description": "The transitions between nodes. Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/transition" + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "ordering": { + "const": "sequential" + } + }, + "required": [ + "ordering" + ] + }, + "then": { + "properties": { + "nodes": { + "items": { + "required": [ + "ordinal" + ] + } + } + } + } + } + ] + }, + "behaviorNode": { + "type": "object", + "title": "Behavior Node", + "description": "A single node in a behavior graph. 
The kind determines what the node represents and which additional properties apply.", + "additionalProperties": false, + "required": [ + "bom-ref", + "kind" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "The kind of node.", + "enum": [ + "activity", + "state", + "event", + "gateway", + "initial", + "final" + ], + "meta:enum": { + "activity": "An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.", + "state": "A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.", + "event": "An intermediate event that occurs during the graph.", + "gateway": "A branch or merge point whose outgoing transitions carry the guards.", + "initial": "The starting point of the graph or of a composite node.", + "final": "A completion point of the graph or of a composite node." + } + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the node." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the node." + }, + "ordinal": { + "type": "integer", + "title": "Ordinal", + "minimum": 1, + "description": "Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order." + }, + "behavior": { + "$ref": "../behavior-taxonomy.schema.json", + "title": "Behavior", + "description": "For an activity node, the behavior performed, drawn from the taxonomy. Mutually exclusive with 'ref' and 'graph'." + }, + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Behavior Reference", + "description": "For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'." 
+ }, + "graph": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Graph Reference", + "description": "A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region." + }, + "actors": { + "type": "array", + "title": "Actors", + "description": "References using bom-link or bom-ref to objects that perform this node.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "targets": { + "type": "array", + "title": "Targets", + "description": "References using bom-link or bom-ref to objects affected by this node.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "eventType": { + "$ref": "#/$defs/trigger", + "title": "Event Type", + "description": "For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven." + }, + "gatewayKind": { + "type": "string", + "title": "Gateway Kind", + "description": "For a gateway node, the branching semantics applied across its outgoing transitions.", + "enum": [ + "exclusive", + "inclusive", + "parallel", + "complex" + ], + "meta:enum": { + "exclusive": "Exactly one outgoing transition is taken, the first whose guard holds.", + "inclusive": "Every outgoing transition whose guard holds is taken.", + "parallel": "All outgoing transitions are taken concurrently, forking and later joining execution.", + "complex": "Branch selection follows a complex condition described in the transition guards." + } + }, + "onEntry": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "On Entry", + "description": "For a state node, a reference to a behavior instance performed when the state is entered." 
+ }, + "onExit": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "On Exit", + "description": "For a state node, a reference to a behavior instance performed when the state is exited." + }, + "doActivity": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Do Activity", + "description": "For a state node, a reference to a behavior instance performed while the subject remains in the state." + } + }, + "allOf": [ + { + "if": { + "properties": { + "kind": { + "const": "activity" + } + }, + "required": [ + "kind" + ] + }, + "then": { + "oneOf": [ + { + "required": [ + "behavior" + ] + }, + { + "required": [ + "ref" + ] + }, + { + "required": [ + "graph" + ] + } + ] + } + } + ] + }, + "transition": { + "type": "object", + "title": "Transition", + "description": "A directed edge from one node to another. In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.", + "additionalProperties": false, + "required": [ + "source", + "target" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the transition." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the transition." + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Source", + "description": "Reference to the source node." + }, + "target": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Target", + "description": "Reference to the target node." + }, + "trigger": { + "$ref": "#/$defs/trigger" + }, + "guard": { + "type": "string", + "title": "Guard", + "description": "A guard condition; the transition fires only when it evaluates to true." 
+ }, + "default": { + "type": "boolean", + "title": "Default", + "description": "Whether this transition is taken when no other guard from the same source node holds." + }, + "effect": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Effect", + "description": "Reference to a behavior instance performed when the transition fires." + } + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json new file mode 100644 index 000000000..0f84730be --- /dev/null +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json 
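Review bot: `behaviorNode` documents several properties as kind-specific (`gatewayKind` for gateway nodes, `onEntry`/`onExit`/`doActivity` for state nodes, `eventType` for event nodes), but the only conditional in its `allOf` is the one-of-`behavior`/`ref`/`graph` rule for `activity`, so a node of kind `initial` or `final` carrying `gatewayKind` or `doActivity` validates even though the description says the kind determines which additional properties apply. If the exclusivity is intended, `if`/`else` entries in the same `allOf` can reject the properties on other kinds, as sketched below for gateway and state nodes; if it is only advisory, the per-property descriptions should say the values are ignored on other kinds so consumers do not rely on them. Separately, `transition.default` cannot be limited to one default transition per source node in JSON Schema, which is worth stating in its description so that consumers know that check is theirs.
```json
{
  "if": { "properties": { "kind": { "const": "gateway" } } },
  "else": { "not": { "required": [ "gatewayKind" ] } }
},
{
  "if": { "properties": { "kind": { "const": "state" } } },
  "else": {
    "not": { "anyOf": [ { "required": [ "onEntry" ] }, { "required": [ "onExit" ] }, { "required": [ "doActivity" ] } ] }
  }
}
```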
@@ -0,0 +1,2138 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json", + "type": "null", + "title": "CycloneDX Blueprint Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "blueprints": { + "type": "array", + "title": "Blueprints", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/blueprint" + }, + "description": "A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling." + }, + "blueprint": { + "type": "object", + "title": "Blueprint", + "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.", + "required": [ + "name", + "modelTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience." 
+ }, + "metadata": { + "$ref": "#/$defs/metadata" + }, + "modelTypes": { + "type": "array", + "title": "Model Types", + "minItems": 1, + "uniqueItems": true, + "description": "The types of models being represented.", + "items": { + "$ref": "#/$defs/modelType" + } + }, + "scope": { + "$ref": "#/$defs/scope" + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model." + }, + "behaviors": { + "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behaviors" + }, + "dataStores": { + "type": "array", + "title": "Data Stores", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model." + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity." + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics." + }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones." + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, control, or process flows between assets." + }, + "relationships": { + "type": "array", + "title": "Relationships", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/relationship" + }, + "description": "Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows." 
+ }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets." + }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process." + }, + "visualizations": { + "type": "array", + "title": "Visualizations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/visualization" + }, + "description": "Visual representations of the model." + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "type": "object", + "properties": { + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Use Case Reference", + "description": "A reference to a use case object defined in definitions." + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case." + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." 
+ } + } + }, + "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." + }, + "requirements": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model." + }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "modelType": { + "title": "Model Type", + "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Model Type", + "description": "A predefined model type from the enumeration.", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "data-flow", + "deployment", + "logical", + "network", + "operational", + "physical", + "process" + ], + "meta:enum": { + "architecture": "An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. Broader than a single view, it frames the overall design.", + "behavioral": "A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.", + "conceptual": "A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. 
The first level of the conceptual, logical, and physical progression.",
+ "data-flow": "A data flow model showing how data moves between processes, data stores, and external entities. This is the substrate most commonly used for STRIDE per-element threat analysis.",
+ "deployment": "A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.",
+ "logical": "A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. The middle level of the conceptual, logical, and physical progression.",
+ "network": "A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.",
+ "operational": "An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.",
+ "physical": "A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.",
+ "process": "A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Model Type",
+ "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "The name of the custom model type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom model type."
+ }
+ }
+ }
+ ]
+ },
+ "metadata": {
+ "type": "object",
+ "title": "Blueprint Metadata",
+ "description": "Metadata about the creation, review, and approval of the blueprint.",
+ "additionalProperties": false,
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "title": "Timestamp",
+ "format": "date-time",
+ "description": "When the blueprint was created or last updated."
+ },
+ "authors": {
+ "type": "array",
+ "title": "Authors",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice"
+ },
+ "description": "The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `author`."
+ },
+ "reviewer": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party that reviewed the blueprint. The party's `roles` should include `reviewer`."
+ },
+ "reviewDate": {
+ "type": "string",
+ "title": "Review Date",
+ "format": "date-time",
+ "description": "When the blueprint was reviewed."
+ },
+ "approver": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority."
+ },
+ "approvalDate": {
+ "type": "string",
+ "title": "Approval Date",
+ "format": "date-time",
+ "description": "When the blueprint was approved."
+ },
+ "ordinalVersion": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion"
+ },
+ "lifecycles": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles"
+ },
+ "validityPeriod": {
+ "$ref": "#/$defs/validityPeriod"
+ }
+ }
+ },
+ "validityPeriod": {
+ "type": "object",
+ "title": "Validity Period",
+ "description": "The period during which the blueprint is considered valid.",
+ "additionalProperties": false,
+ "properties": {
+ "start": {
+ "type": "string",
+ "title": "Start",
+ "format": "date-time",
+ "description": "When the blueprint becomes valid."
+ },
+ "end": {
+ "type": "string",
+ "title": "End",
+ "format": "date-time",
+ "description": "When the blueprint expires."
+ },
+ "reviewFrequency": {
+ "type": "string",
+ "title": "Review Frequency",
+ "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$",
+ "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)."
+ }
+ }
+ },
+ "scope": {
+ "type": "object",
+ "title": "Scope",
+ "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the scope."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of what is included and excluded from the model."
+ },
+ "boundaries": {
+ "type": "array",
+ "title": "Boundaries",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 1
+ },
+ "description": "Explicit boundaries of the model."
+ },
+ "includedComponents": {
+ "type": "array",
+ "title": "Included Components",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to components explicitly included."
+ },
+ "excludedComponents": {
+ "type": "array",
+ "title": "Excluded Components",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to components explicitly excluded."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "asset": {
+ "type": "object",
+ "title": "Asset",
+ "description": "A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Unique identifier for the asset."
+ },
+ "componentRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the component this asset represents."
+ },
+ "serviceRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the service this asset represents."
+ },
+ "partyRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor."
+ },
+ "type": {
+ "title": "Asset Type",
+ "description": "The kind of asset. 
Use the custom option for kinds not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Asset Type",
+ "enum": [
+ "actor",
+ "agent",
+ "api",
+ "broker",
+ "cache",
+ "component",
+ "container",
+ "data",
+ "data-store",
+ "device",
+ "endpoint",
+ "function",
+ "gateway",
+ "infrastructure",
+ "interface",
+ "model",
+ "module",
+ "network",
+ "process",
+ "queue",
+ "resource",
+ "service",
+ "stream",
+ "subsystem",
+ "system",
+ "tool"
+ ],
+ "meta:enum": {
+ "actor": "An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.",
+ "agent": "Autonomous AI or software agent.",
+ "api": "API endpoint or interface.",
+ "broker": "Message broker or event bus infrastructure.",
+ "cache": "Caching layer or in-memory data store.",
+ "component": "Software component or application.",
+ "container": "Container or orchestration unit.",
+ "data": "Dataset.",
+ "data-store": "Database, file system, or data repository.",
+ "device": "Physical or IoT device.",
+ "endpoint": "Service endpoint or URL.",
+ "function": "Serverless function or lambda.",
+ "gateway": "API gateway, load balancer, or proxy.",
+ "infrastructure": "Infrastructure component.",
+ "interface": "System interface or contract.",
+ "model": "AI or machine learning model.",
+ "module": "Software module or package.",
+ "network": "Network segment or resource.",
+ "process": "Business or system process.",
+ "queue": "Message queue or task queue.",
+ "resource": "Generic resource or artifact.",
+ "service": "Service or microservice.",
+ "stream": "Data stream or event stream.",
+ "subsystem": "Part of a larger system.",
+ "system": "Complete system or application.",
+ "tool": "A tool or capability invoked by an agent, such as a function, API, or service exposed to an AI agent."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Asset Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom asset type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom asset type."
+ }
+ }
+ }
+ ]
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the asset."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of the asset's role and purpose."
+ },
+ "zone": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the zone containing this asset."
+ },
+ "classification": {
+ "$ref": "#/$defs/assetClassification"
+ },
+ "tags": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags"
+ },
+ "responsibilities": {
+ "type": "array",
+ "title": "Responsibilities",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 1
+ },
+ "description": "Responsibilities or functions of this asset."
+ },
+ "interfaces": {
+ "type": "array",
+ "title": "Interfaces",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/interface"
+ },
+ "description": "Interfaces exposed by this asset."
+ },
+ "useCases": {
+ "type": "array",
+ "title": "Use Cases",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."
+ },
+ "authentication": {
+ "type": "array",
+ "title": "Authentication",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authenticationType"
+ },
+ "description": "Authentication methods supported/required."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "ownership": {
+ "$ref": "#/$defs/ownership"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ }
+ },
+ "oneOf": [
+ {
+ "title": "Component Reference Asset",
+ "description": "An asset defined by reference to a component declared elsewhere in the BOM.",
+ "required": [
+ "bom-ref",
+ "componentRef"
+ ]
+ },
+ {
+ "title": "Service Reference Asset",
+ "description": "An asset defined by reference to a service declared elsewhere in the BOM.",
+ "required": [
+ "bom-ref",
+ "serviceRef"
+ ]
+ },
+ {
+ "title": "Party Reference Asset",
+ "description": "An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.",
+ "required": [
+ "bom-ref",
+ "partyRef"
+ ]
+ },
+ {
+ "title": "Inline Asset",
+ "description": "An asset defined inline within the blueprint with an explicit type and name.",
+ "required": [
+ "bom-ref",
+ "type",
+ "name"
+ ]
+ }
+ ]
+ },
+ "dataStore": {
+ "type": "object",
+ "title": "Data Store",
+ "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.",
+ "required": [
+ "bom-ref",
+ "name",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the data store."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Purpose and contents of the store."
+ },
+ "type": {
+ "title": "Type",
+ "description": "The type of data store. Use the custom option for technologies not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Data Store Type",
+ "enum": [
+ "block",
+ "blockchain",
+ "cache",
+ "column-family",
+ "data-lake",
+ "data-warehouse",
+ "document",
+ "event-log",
+ "file",
+ "graph",
+ "hierarchical",
+ "in-memory",
+ "key-value",
+ "ledger",
+ "message-queue",
+ "multi-model",
+ "object",
+ "registry",
+ "relational",
+ "search",
+ "spatial",
+ "time-series",
+ "vector"
+ ],
+ "meta:enum": {
+ "block": "Block storage exposing raw volumes.",
+ "blockchain": "Distributed ledger or blockchain storage.",
+ "cache": "Caching tier.",
+ "column-family": "Wide-column or column-family store.",
+ "data-lake": "Data lake or lakehouse for raw and semi-structured data.",
+ "data-warehouse": "Analytical data warehouse optimised for OLAP workloads.",
+ "document": "Document database.",
+ "event-log": "Event log or append-only streaming store.",
+ "file": "File system or network-attached storage.",
+ "graph": "Graph database.",
+ "hierarchical": "Hierarchical or tree-structured database, such as a directory store.",
+ "in-memory": "In-memory data store used as a primary store.",
+ "key-value": "Key-value store.",
+ "ledger": "Immutable, append-only ledger database.",
+ "message-queue": "Message queue or broker with persistent storage.",
+ "multi-model": "A store supporting multiple data models.",
+ "object": "Object storage.",
+ "registry": "Configuration or service registry.",
+ "relational": "Relational database.",
+ "search": "Search index or full-text search engine.",
+ "spatial": "Spatial or geospatial database.",
+ "time-series": "Time-series database.",
+ "vector": "Vector database for embeddings and similarity search."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Data Store Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom data store type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom data store type."
+ }
+ }
+ }
+ ]
+ },
+ "vendor": {
+ "type": "string",
+ "title": "Vendor",
+ "description": "The vendor or publisher of the data store product."
+ },
+ "product": {
+ "type": "string",
+ "title": "Product",
+ "description": "The name of the data store product."
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the data store product."
+ },
+ "environment": {
+ "type": "string",
+ "title": "Environment",
+ "description": "Deployment environment (prod, test, etc.)."
+ },
+ "zone": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the zone where the asset resides."
+ },
+ "location": {
+ "type": "string",
+ "title": "Location",
+ "description": "Physical or logical hosting location."
+ },
+ "technologies": {
+ "type": "array",
+ "title": "Technologies",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Supporting technologies or services."
+ },
+ "dataSets": {
+ "type": "array",
+ "title": "Data Sets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to data sets stored here."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "dataSet": {
+ "type": "object",
+ "title": "Data Set",
+ "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.",
+ "required": [
+ "bom-ref",
+ "name",
+ "description"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the dataset."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "minLength": 1,
+ "description": "What information is contained and why it exists."
+ },
+ "dataProfiles": {
+ "type": "array",
+ "title": "Data Profiles",
+ "description": "Data profiles that govern the dataset. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice"
+ }
+ },
+ "dataObjects": {
+ "type": "array",
+ "title": "Data Objects",
+ "description": "The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject"
+ }
+ },
+ "recordCount": {
+ "type": "integer",
+ "title": "Record Count",
+ "description": "Approximate number of records."
+ },
+ "owners": {
+ "type": "array",
+ "title": "Owners",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice"
+ },
+ "description": "Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authorizationType"
+ },
+ "description": "Authorization models supported/required."
+ },
+ "placements": {
+ "type": "array",
+ "title": "Placements",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "title": "Placement",
+ "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.",
+ "required": [
+ "dataStore"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "dataStore": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the store holding this dataset."
+ },
+ "encrypted": {
+ "type": "boolean",
+ "title": "Encrypted",
+ "description": "Whether the dataset is encrypted at this location."
+ },
+ "retention": {
+ "type": "string",
+ "title": "Retention",
+ "description": "Retention policy for this placement."
+ },
+ "replicated": {
+ "type": "boolean",
+ "title": "Replicated",
+ "description": "Indicates if this placement is a replica."
+ }
+ }
+ },
+ "description": "Where the dataset resides."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "interface": {
+ "type": "object",
+ "required": [
+ "name",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the interface."
+ },
+ "type": {
+ "title": "Type",
+ "description": "The type of interface. 
Use the custom option for types not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Interface Type",
+ "enum": [
+ "rest",
+ "graphql",
+ "grpc",
+ "soap",
+ "messaging",
+ "file",
+ "database",
+ "cli",
+ "gui",
+ "api",
+ "event",
+ "stream"
+ ]
+ },
+ {
+ "type": "object",
+ "title": "Custom Interface Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom interface type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom interface type."
+ }
+ }
+ }
+ ]
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the interface."
+ },
+ "specification": {
+ "type": "string",
+ "description": "Link or reference to interface specification."
+ },
+ "protocol": {
+ "type": "string",
+ "description": "Communication protocol used."
+ },
+ "dataFormat": {
+ "type": "string",
+ "description": "Data format (e.g., JSON, XML, Protocol Buffers)."
+ },
+ "authentication": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/authenticationType"
+ }
+ },
+ "operations": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Operations or methods exposed."
+ }
+ }
+ },
+ "zone": {
+ "type": "object",
+ "title": "Zone",
+ "description": "A grouping of assets that share a common characteristic, security posture, or administrative control, so they can be reasoned about as a unit. 
A zone may be logical, physical, network, trust, or another kind, may nest within a parent zone, and is connected to or separated from other zones by boundaries.",
+ "required": [
+ "bom-ref",
+ "name",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the zone."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of the zone's characteristics."
+ },
+ "type": {
+ "title": "Type",
+ "description": "The type of zone. Use the custom option for types not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Zone Type",
+ "enum": [
+ "availability",
+ "compliance",
+ "data",
+ "deployment",
+ "functional",
+ "geographic",
+ "logical",
+ "network",
+ "organizational",
+ "physical",
+ "process",
+ "tenant",
+ "trust"
+ ],
+ "meta:enum": {
+ "availability": "An availability or fault-isolation zone, such as a cloud availability zone, used to bound the blast radius of failures and reason about redundancy and resilience.",
+ "compliance": "A compliance scope zone whose assets fall under a specific regulatory regime, such as PCI DSS, HIPAA, or FedRAMP, delineating what is in scope and the controls applied.",
+ "data": "A data classification zone grouping assets by the sensitivity of the data they hold or process, such as public, internal, confidential, or restricted.",
+ "deployment": "A deployment environment grouping assets by lifecycle stage, such as development, staging, or production.",
+ "functional": "A functional grouping of assets that serve a common purpose or capability, independent of where or how they are deployed.",
+ "geographic": "A geographic or data-residency zone bounding assets to a region, country, or jurisdiction, used to reason about sovereignty and cross-border data flows.",
+ 
"logical": "A logical grouping of assets defined by architecture or design rather than physical placement.",
+ "network": "A network segmentation zone, such as a subnet, VLAN, or security group, within which assets share network-level reachability and controls.",
+ "organizational": "An organizational or administrative zone grouping assets under a common owner, team, or authority.",
+ "physical": "A physical zone bounding assets to a tangible location, such as a data centre, building, or device enclosure.",
+ "process": "A process or execution isolation zone, such as a sandbox, container runtime, or trusted execution environment, within which code runs with a defined level of isolation.",
+ "tenant": "A tenancy isolation zone separating the assets and data of one tenant from another in a multi-tenant system.",
+ "trust": "A security trust zone whose assets share a common level of trust, so that movement between trust zones is where authentication, authorization, and validation are enforced."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Zone Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom zone type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom zone type."
+ }
+ }
+ }
+ ]
+ },
+ "parent": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the parent zone if this is a sub-zone."
+ },
+ "characteristics": {
+ "type": "array",
+ "title": "Characteristics",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Key characteristics of this zone."
+ },
+ "constraints": {
+ "type": "array",
+ "title": "Constraints",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Constraints or limitations of this zone."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "boundary": {
+ "type": "object",
+ "title": "Boundary",
+ "description": "An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.",
+ "required": [
+ "bom-ref",
+ "zones"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Name of the boundary."
+ },
+ "type": {
+ "title": "Type",
+ "description": "The type of boundary. Use the custom option for types not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Boundary Type",
+ "enum": [
+ "data",
+ "functional",
+ "network",
+ "organizational",
+ "physical",
+ "process",
+ "trust"
+ ],
+ "meta:enum": {
+ "data": "A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.",
+ "functional": "A functional boundary between areas of differing responsibility or capability.",
+ "network": "A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.",
+ "organizational": "An organizational or administrative boundary between assets under different ownership or authority.",
+ "physical": "A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.",
+ "process": "A process or execution boundary between isolation contexts, such as between a sandbox and its host.",
+ "trust": "A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input 
validation are enforced and a key trigger for threat analysis."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Boundary Type",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom boundary type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom boundary type."
+ }
+ }
+ }
+ ]
+ },
+ "zones": {
+ "type": "array",
+ "title": "Zones",
+ "uniqueItems": true,
+ "minItems": 2,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the zones this boundary connects or separates."
+ },
+ "crossingRequirements": {
+ "$ref": "#/$defs/crossingRequirements"
+ },
+ "sessionManagement": {
+ "$ref": "#/$defs/sessionManagement"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "crossingRequirements": {
+ "type": "object",
+ "title": "Crossing Requirements",
+ "description": "The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.",
+ "additionalProperties": false,
+ "properties": {
+ "authentication": {
+ "type": "array",
+ "title": "Authentication",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authenticationType"
+ },
+ "description": "Authentication required to cross this boundary."
+ },
+ "authorization": {
+ "type": "array",
+ "title": "Authorization",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/authorizationType"
+ },
+ "description": "Authorization models enforced at this boundary."
+ },
+ "dataValidation": {
+ "type": "boolean",
+ "title": "Data Validation",
+ "description": "Whether data is validated when crossing this boundary."
+ },
+ "dataTransformation": {
+ "type": "boolean",
+ "title": "Data Transformation",
+ "description": "Whether data is transformed when crossing this boundary."
+ },
+ "logging": {
+ "type": "boolean",
+ "title": "Logging",
+ "description": "Whether crossings are logged."
+ },
+ "monitoring": {
+ "type": "boolean",
+ "title": "Monitoring",
+ "description": "Whether crossings are monitored."
+ },
+ "rateLimit": {
+ "type": "string",
+ "title": "Rate Limit",
+ "description": "Rate limiting policy."
+ },
+ "protocols": {
+ "type": "array",
+ "title": "Protocols",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Allowed protocols for crossing."
+ }
+ }
+ },
+ "sessionManagement": {
+ "type": "object",
+ "title": "Session Management",
+ "description": "The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.",
+ "additionalProperties": false,
+ "properties": {
+ "accessTokenExpires": {
+ "type": "boolean",
+ "title": "Access Token Expires",
+ "description": "Whether access tokens issued for this boundary expire."
+ },
+ "accessTokenTtl": {
+ "type": "integer",
+ "title": "Access Token Time To Live",
+ "minimum": 0,
+ "description": "Validity period of an access token, in seconds."
+ },
+ "refreshToken": {
+ "type": "boolean",
+ "title": "Refresh Token",
+ "description": "Whether refresh tokens are issued for this boundary."
+ },
+ "refreshTokenExpires": {
+ "type": "boolean",
+ "title": "Refresh Token Expires",
+ "description": "Whether refresh tokens expire."
+ },
+ "refreshTokenTtl": {
+ "type": "integer",
+ "title": "Refresh Token Time To Live",
+ "minimum": 0,
+ "description": "Validity period of a refresh token, in seconds."
+ },
+ "idleTimeout": {
+ "type": "integer",
+ "title": "Idle Timeout",
+ "minimum": 0,
+ "description": "Period of inactivity after which the session ends, in seconds."
+ },
+ "absoluteTimeout": {
+ "type": "integer",
+ "title": "Absolute Timeout",
+ "minimum": 0,
+ "description": "Period after session creation after which the session ends regardless of activity, in seconds."
+ },
+ "userLogout": {
+ "type": "boolean",
+ "title": "User Logout",
+ "description": "Whether a user can explicitly end the session."
+ },
+ "systemLogout": {
+ "type": "boolean",
+ "title": "System Logout",
+ "description": "Whether the system can end the session without user action."
+ }
+ }
+ },
+ "relationship": {
+ "type": "object",
+ "title": "Relationship",
+ "description": "A typed structural relationship from one element to one or more others, complementing the runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.",
+ "additionalProperties": false,
+ "required": [
+ "ref"
+ ],
+ "oneOf": [
+ {
+ "required": [
+ "aggregates"
+ ]
+ },
+ {
+ "required": [
+ "associates"
+ ]
+ },
+ {
+ "required": [
+ "composes"
+ ]
+ },
+ {
+ "required": [
+ "contains"
+ ]
+ },
+ {
+ "required": [
+ "dependsOn"
+ ]
+ },
+ {
+ "required": [
+ "generalizes"
+ ]
+ },
+ {
+ "required": [
+ "realizes"
+ ]
+ },
+ {
+ "required": [
+ "serves"
+ ]
+ },
+ {
+ "required": [
+ "custom"
+ ]
+ }
+ ],
+ "properties": {
+ "ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "title": "Reference",
+ "description": "Reference using bom-link or bom-ref to the subject element of the relationship."
+ }, + "aggregates": { + "$ref": "#/$defs/relationshipTargets", + "title": "Aggregates", + "description": "The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole." + }, + "associates": { + "$ref": "#/$defs/relationshipTargets", + "title": "Associates", + "description": "The subject has a general association with each target." + }, + "composes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Composes", + "description": "The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole." + }, + "contains": { + "$ref": "#/$defs/relationshipTargets", + "title": "Contains", + "description": "The subject contains or nests each target." + }, + "dependsOn": { + "$ref": "#/$defs/relationshipTargets", + "title": "Depends On", + "description": "The subject depends on each target." + }, + "generalizes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Generalizes", + "description": "The subject is a generalisation of each target, as in inheritance." + }, + "realizes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Realizes", + "description": "The subject realises or implements each target." + }, + "serves": { + "$ref": "#/$defs/relationshipTargets", + "title": "Serves", + "description": "The subject provides a service to each target." + }, + "custom": { + "type": "array", + "title": "Custom Relationships", + "description": "Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Custom Relationship", + "additionalProperties": false, + "required": [ + "type", + "targets" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "minLength": 1, + "description": "The name of the custom relationship kind." 
+ }, + "targets": { + "$ref": "#/$defs/relationshipTargets", + "title": "Targets", + "description": "The targets of the custom relationship." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom relationship kind." + } + } + } + } + } + }, + "relationshipTargets": { + "type": "array", + "title": "Relationship Targets", + "description": "References using bom-link or bom-ref to the target elements of a relationship.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", + "required": [ + "bom-ref", + "name", + "source", + "destination", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or description of the flow." + }, + "description": { + "type": "string", + "title": "Description", + "description": "Detailed description of what flows and why." + }, + "type": { + "title": "Type", + "description": "The type of flow. 
Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Flow Type", + "enum": [ + "control", + "data", + "energy", + "event", + "financial", + "message", + "physical", + "process", + "signal" + ], + "meta:enum": { + "control": "Control or command flow.", + "data": "Data or information flow.", + "energy": "Power or energy flow.", + "event": "Event or notification flow.", + "financial": "Financial, value, or payment flow.", + "message": "Message or communication flow.", + "physical": "Physical movement of goods or materials.", + "process": "Business process flow.", + "signal": "Hardware or system signal." + } + }, + { + "type": "object", + "title": "Custom Flow Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom flow type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom flow type." + } + } + } + ] + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange." + }, + "destination": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the destination of the flow. The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange." + }, + "bidirectional": { + "type": "boolean", + "title": "Bidirectional", + "default": false, + "description": "Whether flow occurs in both directions." 
+ }, + "synchronous": { + "type": "boolean", + "title": "Synchronous", + "description": "Whether the flow is synchronous or asynchronous." + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the data carried by this flow is encrypted in transit." + }, + "volume": { + "type": "string", + "title": "Volume", + "description": "Expected volume or frequency of flow." + }, + "timing": { + "type": "string", + "title": "Timing", + "description": "Timing characteristics (real-time, batch, scheduled)." + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Communication protocols used by this flow." + }, + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice" + } + }, + "dataObjects": { + "type": "array", + "title": "Data Objects", + "description": "The specific data objects carried by this flow. Each object names a payload and may reference one of the flow's data profiles for its governing policy.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject" + } + }, + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required for this flow." 
+ }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models enforced on this flow." + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "actor": { + "type": "object", + "title": "Actor", + "description": "An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.", + "required": [ + "bom-ref", + "party" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier." + }, + "party": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "title": "Party", + "description": "The party that this actor binds to the modelled system. May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. 
Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint." + }, + "permissions": { + "type": "array", + "title": "Permissions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint." + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Zone", + "description": "Reference using bom-link or bom-ref to the trust zone in which the actor operates." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assumption": { + "type": "object", + "title": "Assumption", + "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", + "required": [ + "description" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies." + }, + "topic": { + "title": "Topic", + "description": "The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Assumption Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities.", + "business": "Assumption about business requirements, constraints, or organizational context.", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations.", + "operational": "Assumption about operational procedures, staffing, or maintenance practices.", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics.", + "security": "Assumption about threat landscape, trust boundaries, or security controls.", + "technical": "Assumption about technology choices, capabilities, or technical constraints." + } + }, + { + "type": "object", + "title": "Custom Assumption Topic", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assumption topic." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assumption topic." + } + } + } + ] + }, + "relatedAssets": { + "type": "array", + "title": "Related Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes." 
+ }, + "validity": { + "type": "string", + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + "verified" + ], + "meta:enum": { + "invalid": "The assumption has been disproven or is no longer applicable.", + "unknown": "The validity of the assumption has not yet been assessed.", + "unverified": "The assumption has been identified but not yet validated.", + "verified": "The assumption has been confirmed as true through validation." + }, + "default": "unknown", + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound." + }, + "impact": { + "type": "string", + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components." + }, + "owner": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." + }, + "validationMethod": { + "type": "string", + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement." + }, + "validationDate": { + "type": "string", + "title": "Validation Date", + "format": "date-time", + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation." 
+ } + } + }, + "visualization": { + "type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or title of the visualization." + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of what the visualization shows." + }, + "type": { + "$ref": "#/$defs/visualizationType" + }, + "attachment": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL to the diagram if stored externally." + }, + "level": { + "type": "string", + "title": "Level", + "enum": [ + "detailed", + "high", + "medium", + "overview" + ], + "meta:enum": { + "detailed": "Fine-grained view showing implementation-level specifics.", + "high": "High-level view showing major components and relationships.", + "medium": "Intermediate view balancing breadth and depth.", + "overview": "Top-level summary providing a broad perspective of the system." + }, + "description": "Level of detail in the visualization." + }, + "elements": { + "type": "array", + "title": "Elements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to elements shown in this visualization." + }, + "interactive": { + "type": "boolean", + "title": "Interactive", + "description": "Whether the visualization is interactive." 
+ }, + "layers": { + "type": "array", + "title": "Layers", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Layers or views available in the visualization." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "visualizationType": { + "type": "object", + "title": "Visualization Type", + "description": "The type of diagram or visual representation.", + "oneOf": [ + { + "title": "Predefined Visualization Type", + "description": "A visualization type selected from a predefined set of well-known diagram types.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "activity", + "architecture", + "attack-tree", + "block", + "class", + "code", + "communication", + "component", + "container", + "context", + "data-flow", + "deployment", + "entity", + "flowchart", + "matrix", + "mind-map", + "network", + "process", + "sequence", + "state", + "timing", + "use-case" + ], + "meta:enum": { + "activity": "Activity or workflow diagram.", + "architecture": "System architecture diagram.", + "attack-tree": "Attack tree diagram showing alternative paths to a goal.", + "block": "Block diagram, including SysML block definition and internal block diagrams.", + "class": "Class or object diagram.", + "code": "Code structure diagram.", + "communication": "Communication diagram, formerly known as the collaboration diagram.", + "component": "Component diagram.", + "container": "Container diagram, as in C4.", + "context": "Context diagram.", + "data-flow": "Data flow diagram, or DFD.", + "deployment": "Deployment or infrastructure diagram.", + "entity": "Entity relationship diagram.", + "flowchart": "Flowchart depicting steps or decision logic.", + "matrix": "Matrix diagram, such as a dependency structure or traceability matrix.", + "mind-map": "Mind map diagram for decomposition or brainstorming.", + "network": "Network 
topology diagram.", + "process": "Business process diagram.", + "sequence": "Sequence or interaction diagram.", + "state": "State machine diagram.", + "timing": "Timing diagram showing state changes over time.", + "use-case": "Use case diagram." + } + } + } + }, + { + "title": "Custom Visualization Type", + "description": "A custom visualization type not covered by the predefined enumeration.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization type." + } + } + } + ] + }, + "assetClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality" + }, + "classification": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories." + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search." + } + } + }, + "ownership": { + "type": "array", + "title": "Ownership", + "description": "Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). 
Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" + } + }, + "authenticationType": { + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Authentication Type", + "description": "A predefined authentication method from the enumeration.", + "enum": [ + "api-key", + "basic", + "bearer", + "biometric", + "certificate", + "digest", + "eap", + "fido2", + "form", + "hmac", + "jwt", + "kerberos", + "ldap", + "magic-link", + "mtls", + "none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "pin", + "psk", + "push", + "radius", + "saml", + "scram", + "session-cookie", + "ssh", + "totp" + ], + "meta:enum": { + "api-key": "API key authentication.", + "basic": "HTTP Basic authentication (RFC 7617), where the browser presents a native credential dialog and the username and password are sent on each request.", + "bearer": "Bearer token authentication.", + "biometric": "Biometric authentication, such as fingerprint or face recognition.", + "certificate": "Certificate-based authentication.", + "digest": "Digest authentication.", + "eap": "Extensible Authentication Protocol, commonly used with IEEE 802.1X.", + "fido2": "FIDO2 or WebAuthn passwordless authentication.", + "form": "Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.", + "hmac": "HMAC request signing using a shared secret key.", + "jwt": "JSON Web Token authentication.", + "kerberos": "Kerberos authentication.", + "ldap": "LDAP directory authentication.", + "magic-link": "Passwordless authentication using a single-use 
link.", + "mtls": "Mutual TLS authentication.", + "none": "No authentication required.", + "ntlm": "NTLM authentication.", + "oauth1": "OAuth 1.0 authentication.", + "oauth2": "OAuth 2.0 authentication.", + "oidc": "OpenID Connect authentication.", + "pin": "Personal identification number, a short secret used as a knowledge factor, such as a device or application unlock PIN.", + "psk": "Pre-shared key authentication.", + "push": "Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.", + "radius": "RADIUS authentication.", + "saml": "SAML authentication.", + "scram": "Salted Challenge Response Authentication Mechanism.", + "session-cookie": "Session authentication using a server-side session identified by a cookie.", + "ssh": "SSH key authentication.", + "totp": "Time-based one-time password authentication." + } + }, + { + "type": "object", + "title": "Custom Authentication Type", + "description": "A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom authentication method." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom authentication method, including how identity is verified and any relevant constraints." 
+ } + } + } + ] + }, + "authorizationType": { + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Authorization Type", + "description": "A predefined authorization model from the enumeration.", + "enum": [ + "abac", + "acl", + "capability", + "dac", + "mac", + "none", + "pbac", + "radac", + "rbac", + "rebac" + ], + "meta:enum": { + "abac": "Attribute-Based Access Control.", + "acl": "Access Control Lists.", + "capability": "Capability-Based Access Control.", + "dac": "Discretionary Access Control.", + "mac": "Mandatory Access Control.", + "none": "No authorization controls.", + "pbac": "Policy-Based Access Control.", + "radac": "Risk-Adaptive Access Control.", + "rbac": "Role-Based Access Control.", + "rebac": "Relationship-Based Access Control." + } + }, + { + "type": "object", + "title": "Custom Authorization Type", + "description": "A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom authorization model." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom authorization model, including how access decisions are made and any relevant constraints." + } + } + } + ] + } + } +} diff --git a/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json b/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json new file mode 100644 index 000000000..ae47bd22b --- /dev/null +++ b/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json 
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Business Objective Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "businessObjectives": {
+ "type": "array",
+ "title": "Business Objectives",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/businessObjective"
+ },
+ "description": "A collection of reusable business objectives that other elements may reference."
+ },
+ "businessObjective": {
+ "type": "object",
+ "title": "Business Objective",
+ "description": "A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.",
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the business objective."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the business objective."
+ },
+ "criticality": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality",
+ "description": "The business criticality of the objective."
+ },
+ "owner": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party accountable for this objective. May be an inline party object or a reference to a previously declared party."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json
index dd7ec3de6..538912671 100644
--- a/schema/2.0/model/cyclonedx-common-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json
@@ -495,6 +495,19 @@
 "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
 "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
 },
+ "ordinalVersion": {
+ "title": "Ordinal Version",
+ "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.",
+ "type": "string",
+ "pattern": "^\\d+(\\.\\d+)*$",
+ "examples": [
+ "1",
+ "1.2",
+ "1.2.3",
+ "2025.09.02",
+ "10.4.7.3"
+ ]
+ },
 "lifecycle": {
 "type": "object",
 "title": "Lifecycle",
diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json
index 7b3dae3f6..39606c8f2 100644
--- a/schema/2.0/model/cyclonedx-component-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
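Review bot: `externalReferences` in `businessObjective` is declared with only `type` and `items`, while `businessObjectives` at the top of the hunk and every other property here carry a `title` and `description`, and the sibling arrays use `uniqueItems`. That leaves the generated documentation blank for this property and allows duplicate references to validate. Suggest adding `"title": "External References",`, `"uniqueItems": true,` and a description such as `"description": "External references related to the business objective."`. The `owner` description also lacks the "The party's `roles` should include `owner`" sentence that the `assumption.owner` definition in the bundled schema uses; if that guidance is meant to apply here too, mirroring it would keep the two consistent.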
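Review bot: The `ordinalVersion` pattern `^\\d+(\\.\\d+)*$` accepts leading zeros (the example `2025.09.02` depends on them), yet the description promises "straightforward comparison and sorting" without stating whether segments compare numerically or lexically; `1.09` and `1.9` are equal under the first rule and ordered under the second. Suggest making the rule explicit in the description, e.g. `"Segments are compared as unsigned integers, so leading zeros are not significant."`, or tightening the pattern to disallow leading zeros if lexical ordering is intended. The pattern bounds neither the number of segments nor their length, so a consumer that parses segments into fixed-width integers must guard against overflow itself; a `maxLength` on the string would give validators an explicit limit to enforce.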
@@ -137,6 +137,14 @@
 "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patentAssertions",
 "title": "Component Patent(s)"
 },
+ "requirementAssertions": {
+ "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirementAssertions",
+ "title": "Component Requirement(s)"
+ },
+ "useCaseAssertions": {
+ "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCaseAssertions",
+ "title": "Component Use Case(s)"
+ },
 "identifiers": {
 "$ref": "#/$defs/identifiers"
 },
diff --git a/schema/2.0/model/cyclonedx-control-2.0.schema.json b/schema/2.0/model/cyclonedx-control-2.0.schema.json
new file mode 100644
index 000000000..0411f39b4
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-control-2.0.schema.json
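Review bot: `requirementAssertions` and `useCaseAssertions` carry only a `$ref` and a `title`, with no `description`, so a reader of the generated documentation is not told what a component asserts under each; the `patentAssertions` context line has the same gap, so this may be the file's convention, but a one-liner on each would help, e.g. `"description": "Requirements the component is asserted to satisfy."` and `"description": "Use cases the component is asserted to support."`. The referenced files `cyclonedx-requirement-2.0.schema.json` and `cyclonedx-usecase-2.0.schema.json` are not among the files visible in this diff; if they are added elsewhere in the same commit this is fine, otherwise both `$ref`s will fail to resolve and the step that produces the bundled schema should be checked.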
@@ -0,0 +1,229 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-control-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Control Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "controls": {
+ "type": "array",
+ "title": "Controls",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/control"
+ },
+ "description": "The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses."
+ },
+ "control": {
+ "type": "object",
+ "title": "Control",
+ "description": "A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.",
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the control."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the control."
+ },
+ "category": {
+ "title": "Category",
+ "description": "The category of the control. Use the custom option for a category specific to an organization's taxonomy.",
+ "oneOf": [
+ {
+ "title": "Predefined Control Category",
+ "type": "string",
+ "enum": [
+ "preventive",
+ "detective",
+ "corrective",
+ "compensating",
+ "deterrent",
+ "recovery"
+ ],
+ "meta:enum": {
+ "preventive": "Prevents an unwanted event from occurring.",
+ "detective": "Identifies and records that an unwanted event has occurred or is occurring.",
+ "corrective": "Remedies the condition that allowed an unwanted event.",
+ "compensating": "Provides an alternative safeguard where a primary control is not feasible.",
+ "deterrent": "Discourages an actor from attempting an unwanted action.",
+ "recovery": "Restores operations after an unwanted event."
+ }
+ },
+ {
+ "title": "Custom Control Category",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom category."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom category."
+ }
+ }
+ }
+ ]
+ },
+ "status": {
+ "title": "Status",
+ "description": "The implementation status of the control.",
+ "$ref": "#/$defs/implementationStatus"
+ },
+ "appliesTo": {
+ "type": "array",
+ "title": "Applies To",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. A control without this property applies to the organization or system as a whole."
+ },
+ "implementedBy": {
+ "type": "array",
+ "title": "Implemented By",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control."
+ },
+ "satisfies": {
+ "type": "array",
+ "title": "Satisfies",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards."
+ },
+ "effectiveness": {
+ "title": "Effectiveness",
+ "description": "The assessed effectiveness of the control.",
+ "$ref": "#/$defs/effectiveness"
+ },
+ "owner": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party accountable for the control. May be an inline party object or a reference to a previously declared party."
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "implementationStatus": {
+ "title": "Implementation Status",
+ "description": "The implementation status of a control or response. Use the custom option for a status specific to an organization's process.",
+ "oneOf": [
+ {
+ "title": "Predefined Implementation Status",
+ "type": "string",
+ "enum": [
+ "recommended",
+ "proposed",
+ "approved",
+ "rejected",
+ "planned",
+ "in-progress",
+ "implemented",
+ "verified",
+ "decommissioned"
+ ],
+ "meta:enum": {
+ "recommended": "Suggested by a producer, standard, or assessor. Not yet entered into the adopting organization's decision process.",
+ "proposed": "Entered into the adopting organization's decision process but not yet approved.",
+ "approved": "Approved for implementation.",
+ "rejected": "Considered and declined, with no intent to implement.",
+ "planned": "Implementation is planned.",
+ "in-progress": "Implementation is in progress.",
+ "implemented": "Implemented and in effect.",
+ "verified": "Implemented and verified as effective.",
+ "decommissioned": "Removed from service."
+ }
+ },
+ {
+ "title": "Custom Implementation Status",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom status."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom status."
+ }
+ }
+ }
+ ]
+ },
+ "effectiveness": {
+ "type": "object",
+ "title": "Effectiveness",
+ "description": "The measured or assessed effectiveness of a control or response.",
+ "additionalProperties": false,
+ "properties": {
+ "percentage": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Percentage",
+ "description": "Effectiveness as a decimal from 0 to 1."
+ },
+ "rating": {
+ "type": "string",
+ "title": "Rating",
+ "enum": [
+ "ineffective",
+ "marginal",
+ "adequate",
+ "good",
+ "excellent"
+ ],
+ "meta:enum": {
+ "ineffective": "Does not meaningfully reduce risk.",
+ "marginal": "Slightly reduces risk.",
+ "adequate": "Adequately reduces risk.",
+ "good": "Significantly reduces risk.",
+ "excellent": "Nearly eliminates risk."
+ },
+ "description": "Effectiveness as a qualitative rating."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json
index 598f9098d..cb4ee9b29 100644
--- a/schema/2.0/model/cyclonedx-data-2.0.schema.json
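Review bot: The `effectiveness` definition sets `additionalProperties: false` but has neither `required` nor `minProperties`, so `"effectiveness": {}` validates while asserting nothing; adding `"minProperties": 1` beside `"additionalProperties": false` closes that gap. The `percentage` property is titled "Percentage" yet bounded to 0–1, which invites producers to write `85` and be rejected, so the description should name the unit, e.g. `Effectiveness as a fraction from 0 to 1, where 1 represents 100 percent.` A `satisfies` reference says nothing about `status`: a control in `rejected`, `proposed`, or `decommissioned` status still lists the requirements it would satisfy, so consumers deriving compliance from `satisfies` must gate on a `status` of `implemented` or `verified`, and the `satisfies` description should state that the reference is not itself evidence of satisfaction. Note also that `uniqueItems` on `controls` compares whole objects, so two entries that share a `bom-ref` but differ elsewhere both validate; bom-ref uniqueness presumably rests on a document-level rule enforced outside this file.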
+++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json 
@@ -3,79 +3,881 @@ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-data-2.0.schema.json", "type": "null", "title": "CycloneDX Data Model", - "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { - "dataClassification": { - "type": "string", - "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "A catalogue of reusable data profile definitions. 
Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataProfile" + } }, - "dataGovernance": { + "dataProfile": { "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "title": "Data Profile", + "description": "Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { - "custodians": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data profile." + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.", + "examples": [ + "Customer PII Dataset", + "Transaction Logs", + "Employee Health Records" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." + }, + "classification": { + "$ref": "#/$defs/dataClassification", + "description": "The classification of the data, indicating the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes." 
+ }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/informationType" + }, + "examples": [ + [ + "pii", + "financial" + ], + [ + "phi", + "biometric", + { + "name": "minor-health-data", + "description": "Health information for individuals under 18, subject to COPPA and HIPAA." + } + ] + ] + }, + "subjects": { + "type": "array", + "title": "Subjects", + "description": "The entities, groups, categories, or things that the data is about or pertains to. Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/subject" + }, + "examples": [ + [ + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR", + "IT" + ], + "regulations": [ + "GDPR" + ] + }, + { + "name": "Pediatric Patients", + "type": "group", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + } + ] + ] + }, + "purposes": { "type": "array", - "title": "Data Custodians", - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } + "title": "Purposes", + "description": "The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. 
Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/purpose" + }, + "examples": [ + [ + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + } + ] + ] }, - "stewards": { + "jurisdictions": { + "$ref": "#/$defs/jurisdictions", + "description": "The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about." + }, + "regulations": { + "$ref": "#/$defs/regulations", + "description": "The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about." + }, + "dataFormats": { "type": "array", - "title": "Data Stewards", - "description": "Data stewards are responsible for data content, context, and associated business rules.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The formats in which the data is stored or transmitted.", + "examples": [ + [ + "JSON", + "CSV", + "Parquet" + ] + ] }, - "owners": { + "schema": { "type": "array", - "title": "Data Owners", - "description": "Data owners are concerned with risk and appropriate access to data.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "References to schema contracts or documents describing the data structure.", + "examples": [ + [ + "https://example.com/schemas/customer-v2.json" + ] + ] + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + 
"items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." + }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." + }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." 
+ }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." + }, + "ttl": { + "type": "integer", + "title": "Time to Live", + "minimum": 1, + "description": "The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. Distinct from retention, which applies to persisted data and is governed by requirement objects.", + "examples": [ + 300, + 3600 + ] + }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } }, - "dataGovernanceResponsibleParty": { + "dataProfileChoice": { + "title": "Data Profile Choice", + "description": "A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.", + "oneOf": [ + { + "$ref": "#/$defs/dataProfile" + }, + { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to a previously declared data profile." 
+ } + ] + }, + "dataObject": { "type": "object", + "title": "Data Object", + "description": "A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. A single profile may govern many data objects; each data object refers to at most one profile.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data object." + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the data object, such as the name of the message, record, document, or table row it represents.", + "examples": [ + "user_registration", + "payment_request", + "audit_event" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes." + }, + "profile": { + "$ref": "#/$defs/dataProfileChoice", + "title": "Profile", + "description": "The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in this object. May refine or extend the information types declared on the referenced profile. 
Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/informationType" + } + }, + "schema": { + "type": "object", + "title": "Schema", + "description": "The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the schema document." + }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.", + "examples": [ + "application/schema+json", + "application/xml", + "application/vnd.apache.avro+json" + ] + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the schema, such as its version or compatibility expectations." + } + } + }, + "format": { + "type": "object", + "title": "Format", + "description": "The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the format specification." + }, + "mediaType": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/mediaType" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the format." + } + } + }, + "attributes": { + "type": "array", + "title": "Attributes", + "description": "The fields, columns, or properties contained in this object. 
Each attribute may carry a typed information type to support field-level classification and compliance analysis.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataAttribute" + } + }, + "relationships": { + "type": "array", + "title": "Relationships", + "description": "Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataRelationship" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataAttribute": { + "type": "object", + "title": "Data Attribute", + "description": "A single field, column, or property within a data object. Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity" - }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalContact" + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this attribute, enabling it to be referenced as a key target." 
+ }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the attribute as it appears in the data object, such as a field name, column name, or property key.", + "examples": [ + "email", + "dateOfBirth", + "panToken", + "amount" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the attribute, such as its semantics, expected values, or constraints." + }, + "informationType": { + "$ref": "#/$defs/informationType", + "title": "Information Type", + "description": "The information type carried by this attribute. Field-level typing enables compliance analysis at finer granularity than the object-level information types." + }, + "required": { + "type": "boolean", + "title": "Required", + "description": "Indicates whether the attribute is required for the data object to be valid." + }, + "sensitive": { + "type": "boolean", + "title": "Sensitive", + "description": "Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls." + }, + "key": { + "type": "string", + "title": "Key", + "enum": [ + "primary", + "foreign", + "unique" + ], + "meta:enum": { + "primary": "The attribute is part of the primary key that uniquely identifies the data object.", + "foreign": "The attribute is a foreign key referencing another data object.", + "unique": "The attribute carries a uniqueness constraint." + }, + "description": "The key role of the attribute within the data object." + }, + "references": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "References", + "description": "For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } + } + }, + "dataRelationship": { + "type": "object", + "title": "Data Relationship", + "description": "A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.", + "additionalProperties": false, + "required": [ + "target", + "cardinality" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the relationship, such as the role or verb that describes it." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the relationship." + }, + "target": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Target", + "description": "Reference using bom-link or bom-ref to the related data object." + }, + "cardinality": { + "type": "string", + "title": "Cardinality", + "enum": [ + "one-to-one", + "one-to-many", + "many-to-one", + "many-to-many" + ], + "meta:enum": { + "one-to-one": "Each record of the source relates to at most one record of the target, and the reverse.", + "one-to-many": "Each record of the source relates to many records of the target.", + "many-to-one": "Many records of the source relate to one record of the target.", + "many-to-many": "Many records of the source relate to many records of the target." + }, + "description": "The cardinality of the relationship." 
+ }, + "sourceAttributes": { + "type": "array", + "title": "Source Attributes", + "description": "References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "targetAttributes": { + "type": "array", + "title": "Target Attributes", + "description": "References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "subject": { + "type": "object", + "title": "Subject", + "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. 
Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.", + "additionalProperties": false, + "anyOf": [ + { + "required": [ + "name", + "type" + ] + }, + { + "required": [ + "party" + ] + }, + { + "required": [ + "ref" + ] + } + ], + "examples": [ + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR" + ], + "regulations": [ + "GDPR" + ] + }, + { + "ref": "party-pediatric-patients", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + }, + { + "party": { + "roles": [ + { + "role": "data-subject" + } + ], + "persona": { + "archetype": "customer", + "scope": "external", + "description": "Fleet vehicle owners enrolled in the connected-services platform." + } + }, + "protectedClass": false + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.", + "minLength": 1, + "examples": [ + "EU Residents", + "Pediatric Patients", + "Fleet Vehicles" + ] + }, + "type": { + "type": "string", + "title": "Type", + "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. Optional when `party` or `ref` is supplied.", + "minLength": 1, + "examples": [ + "individual", + "group", + "technology" + ] + }, + "party": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/party", + "title": "Party", + "description": "An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`." 
+ }, + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it." + }, + "protectedClass": { + "type": "boolean", + "title": "Protected Class", + "description": "Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information." + }, + "jurisdictions": { + "$ref": "#/$defs/jurisdictions", + "description": "The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself." + }, + "regulations": { + "$ref": "#/$defs/regulations", + "description": "The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "jurisdictions": { + "type": "array", + "title": "Jurisdictions", + "description": "The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 2, + "examples": [ + "US", + "GB", + "US-CA" + ] + }, + "examples": [ + [ + "US", + "GB", + "DE" + ] + ] + }, + "regulations": { + "type": "array", + "title": "Regulations", + "description": "The specific laws, regulations, or compliance frameworks that apply.", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1, + "examples": [ + "GDPR", + "HIPAA", + "PCI-DSS" + ] }, - "oneOf":[ + "examples": [ + [ + "GDPR", + "CCPA", + "PCI-DSS" + ] + ] + }, + "purpose": { + "type": "object", + "title": "Purpose", + "description": "The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). 
Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.", + "required": [ + "name" + ], + "additionalProperties": false, + "examples": [ + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + }, + { + "name": "Marketing Analytics", + "legalBasis": "consent" + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the purpose for which data is collected or processed.", + "minLength": 1, + "examples": [ + "Service Delivery", + "Fraud Prevention", + "Marketing Analytics" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose." + }, + "legalBasis": { + "type": "string", + "title": "Legal Basis", + "description": "The legal basis under applicable law that authorises data collection or processing for this purpose. Use terminology consistent with the applicable jurisdiction and regulation.", + "minLength": 1, + "examples": [ + "consent", + "contract", + "legitimate interest" + ] + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataClassification": { + "title": "Data Classification", + "description": "Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. 
Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Classification", + "description": "A predefined classification level from the enumeration.", + "enum": [ + "confidential", + "internal", + "public", + "restricted", + "classified" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection.", + "internal": "Internal use only within the organisation.", + "public": "Public information that can be freely shared.", + "restricted": "Highly restricted information with limited access and special protection measures.", + "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations." + } + }, { - "required": ["organization"] + "type": "object", + "title": "Custom Classification", + "description": "A custom classification level not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom classification level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of what this custom classification level means and the protections it implies." + } + } + } + ] + }, + "informationType": { + "title": "Information Type", + "description": "Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
A single dataset can contain multiple information types and is captured as an array on the data profile.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Information Type", + "description": "A predefined information type from the enumeration.", + "enum": [ + "authentication", + "behavioral", + "biometric", + "communication", + "credentials", + "device", + "financial", + "genetic", + "intellectual-property", + "location", + "logs", + "operational", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "authentication": "Authentication data such as passwords, PINs, or security questions.", + "behavioral": "Behavioural data such as browsing history, usage patterns, or profiling data.", + "biometric": "Biometric data such as fingerprints, facial recognition, or voice patterns.", + "communication": "Communication content such as messages, emails, or call records.", + "credentials": "Secrets, tokens, or credentials.", + "device": "Device identifiers or hardware-level data.", + "financial": "Financial statements or transaction data.", + "genetic": "Genetic or genomic data.", + "intellectual-property": "Intellectual property or trade secrets.", + "location": "Precise or inferred geographic location data.", + "logs": "Operational or security log data.", + "operational": "Operational or process data.", + "pci": "Payment card industry data.", + "phi": "Protected health information.", + "pii": "Personally identifiable information.", + "safety": "Safety critical data or signals.", + "telemetry": "System or product telemetry data." + } }, { - "required": ["contact"] + "type": "object", + "title": "Custom Information Type", + "description": "A custom information type not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom information type." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom information type and any handling implications it carries." + } + } } ] }, + "dataGovernance": { + "type": "array", + "title": "Data Governance", + "description": "Parties responsible for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" + } + }, "dataFlowDirection": { "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", "enum": [ + "bi-directional", "inbound", "outbound", - "bi-directional", "unknown" ], "meta:enum": { + "bi-directional": "Data flows in and out of the service.", "inbound": "Data that enters a service.", "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." + } } } } diff --git a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json index d8c2b39b6..7e2be2d15 100644 --- a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json 
@@ -105,7 +105,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" } } } @@ -156,7 +156,7 @@ "target": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + "description": "Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit." }, "predicate": { "type": "string", @@ -166,7 +166,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" } }, "reasoning": { diff --git a/schema/2.0/model/cyclonedx-definition-2.0.schema.json b/schema/2.0/model/cyclonedx-definition-2.0.schema.json index e4c29ac1b..ec57179bb 100644 --- a/schema/2.0/model/cyclonedx-definition-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-definition-2.0.schema.json 
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-definition-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Definition Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "definitions": {
 "type": "object",
@@ -16,6 +16,15 @@
 },
 "patents": {
 "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patents"
+ },
+ "useCases": {
+ "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCases"
+ },
+ "requirements": {
+ "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirements"
+ },
+ "businessObjectives": {
+ "$ref": "cyclonedx-business-objective-2.0.schema.json#/$defs/businessObjectives"
+ }
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-profile-2.0.schema.json b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
new file mode 100644
index 000000000..0adbe8eb1
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
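Review bot: The new `useCases` and `businessObjectives` entries in the second hunk point at `cyclonedx-usecase-2.0.schema.json` and `cyclonedx-business-objective-2.0.schema.json`, and neither file appears in the visible part of this diff, so confirm both are added in this commit (the requirement schema the third entry references is). A `$ref` to a document that is not shipped only surfaces when a validator resolves it, not at review time. The enclosing `definitions` object starts and ends outside the hunk, so whether it is closed with `additionalProperties: false` cannot be checked here.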
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-profile-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Profile Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "profiles": {
+ "type": "object",
+ "title": "Profiles",
+ "description": "A registry of reusable, named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.",
+ "additionalProperties": false,
+ "properties": {
+ "dataProfiles": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfiles"
+ },
+ "threatProfiles": {
+ "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatProfiles"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
new file mode 100644
index 000000000..d141b1b67
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
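Review bot: `profiles` is closed with `additionalProperties: false` but offers no `properties` extension point, unlike the `risks` collection in the new risk schema of this same change, which carries `"properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" }` beside its arrays. Producers who need to attach organization-specific metadata to the profile registry will have nowhere to put it without a schema revision, so consider adding that same entry after `threatProfiles`. Both `$ref` targets, `dataProfiles` in the data schema and `threatProfiles` in the threat schema, are outside the visible part of this diff, so their existence is assumed rather than checked here.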
@@ -0,0 +1,346 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json", + "type": "null", + "title": "CycloneDX Engineering Requirement Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/requirement" + }, + "description": "A collection of requirements representing specific needs, constraints, or capabilities that must be met." + }, + "requirement": { + "type": "object", + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", + "required": [ + "bom-ref" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." + }, + "name": { + "type": "string", + "title": "Name", + "description": "A short name or title for the requirement." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." 
+ }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." + }, + "stakeholders": { + "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", + "items": { + "type": "string" + }, + "uniqueItems": true + }, + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/acceptanceCriterion" + }, + "uniqueItems": true + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", + "items": { + "$ref": "#/$defs/dependency" + }, + "uniqueItems": true + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Parent BOM Reference", + "description": "Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." + }, + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." + }, + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." 
+ }, + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + } + } + }, + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + "performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to 
deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." 
+ } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { + "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." + }, + "status": { + "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", + "enum": [ + "pending", + "passed", + "failed" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", + "additionalProperties": false, + "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType" + } + ] + }, + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." 
+ } + } + }, + "requirementAssertions": { + "type": "array", + "title": "Requirement Assertions", + "description": "A list of assertions describing how a component relates to specific requirements.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Requirement Assertion", + "description": "An assertion linking one or more requirements to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "requirementRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the requirement.", + "enum": [ + "conflicts", + "not-applicable", + "not-assessed", + "other", + "partially-satisfies", + "satisfies", + "violates" + ], + "meta:enum": { + "conflicts": "The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.", + "not-applicable": "The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the requirement has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "partially-satisfies": "The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.", + "satisfies": "The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.", + "violates": "The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria." + } + }, + "requirementRefs": { + "type": "array", + "title": "Requirement References", + "description": "A list of BOM references linking to requirement objects defined in the BOM.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "Additional context or clarification regarding the assertion." + } + } + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json new file mode 100644 index 000000000..40e903597 --- /dev/null +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
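Review bot: `dependency` declares no `required`, so `{}` and `{ "type": "requires" }` validate as a dependency that references nothing; add `"required": ["ref"]` beside its `additionalProperties`. Its `ref` property also combines `refLinkType` and `bomLinkElementType` with `oneOf`; if `refLinkType` already admits bom-link values, as its use as a "bom-link or bom-ref" reference elsewhere in this diff suggests, a bom-link value matches both branches and `oneOf` rejects it, so `anyOf` is the safer combinator. `requirementRefs` is required on a requirement assertion but has no `minItems`, so an assertion with an empty reference list passes; `"minItems": 1` would close that. `id` and `name` on `requirement` also lack the `"minLength": 1` that the sibling data and risk schemas apply to their name fields, so empty strings are accepted as identifiers.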
@@ -0,0 +1,1497 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-risk-2.0.schema.json", + "type": "null", + "title": "CycloneDX Risk Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "risks": { + "type": "object", + "title": "Risks", + "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. Each risk separates inherent, residual, and target ratings so risk reduction is explicit.", + "additionalProperties": false, + "properties": { + "risks": { + "type": "array", + "title": "Risks", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/risk" + }, + "description": "The documented risks identified through risk analysis." 
+ }, + "assessments": { + "type": "array", + "title": "Assessments", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/assessment" + }, + "description": "Point-in-time risk assessment events, each evaluating one or more of the documented risks." + }, + "riskAppetites": { + "type": "array", + "title": "Risk Appetites", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/riskAppetite" + }, + "description": "The risk appetites that apply to this collection. Multiple entries support a document covering more than one party." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "riskDomain": { + "type": "object", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "The domain or category of risk. Use the custom option for domains specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Domain", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply-chain", + "technical", + "project", + "ethical", + "societal", + "human-rights", + "health", + "legal" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks.", + "privacy": "Data protection and privacy risks.", + "operational": "Business operations and continuity risks.", + "financial": "Financial loss and economic impact risks.", + "compliance": "Regulatory and legal compliance risks.", + "strategic": "Strategic business and market risks.", + "reputational": "Brand and reputation damage risks.", + "safety": "Human safety and physical security risks.", + "environmental": "Environmental impact and sustainability risks.", + "supply-chain": "Supply chain and third-party risks.", + "technical": "Technical and technology risks.", + "project": "Project delivery and execution risks.", + "ethical": "Ethical risks, 
including the responsible use of automated decision-making and artificial intelligence.", + "societal": "Risks to society, communities, or democratic and civic processes.", + "human-rights": "Risks to fundamental human rights, including discrimination and loss of autonomy.", + "health": "Risks to physical or mental health and wellbeing.", + "legal": "Legal exposure, including liability and contractual risks." + } + }, + { + "title": "Custom Risk Domain", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk domain." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk domain." + } + } + } + ] + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain." + } + } + }, + "riskAttribute": { + "title": "Risk Attribute", + "description": "A security or privacy attribute representing a potential impact area when a risk is realized. 
Use the custom option for attributes specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Attribute", + "type": "string", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data-subject-rights", + "integrity", + "minimization", + "non-repudiation", + "possession", + "privacy", + "purpose-limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorized access to or disclosure of information.", + "connectivity": "Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorized actors.", + "minimization": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": "Protecting individuals' personal 
information in accordance with legal and ethical standards.", + "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } + }, + { + "title": "Custom Risk Attribute", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk attribute." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk attribute." + } + } + } + ] + }, + "risk": { + "type": "object", + "required": [ + "bom-ref", + "name", + "statement" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "A human-readable name for the risk." + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact." + }, + "description": { + "type": "string", + "description": "Additional narrative about the risk." + }, + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/riskDomain" + }, + "description": "The risk domains this risk affects." + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the subjects this risk concerns. A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged." 
+ }, + "relatedThreats": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." + }, + "relatedVulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities that inform this risk." + }, + "relatedWeaknesses": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the weaknesses that inform this risk." + }, + "relatedRequirements": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met." + }, + "relatedStandards": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk." + }, + "relatedClaims": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. The degree of conformance is carried by the claim, not by the risk." 
+ }, + "relatedBusinessObjectives": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this risk threatens." + }, + "inherentRisk": { + "$ref": "#/$defs/rating", + "description": "The assessed risk before any responses are applied." + }, + "residualRisk": { + "$ref": "#/$defs/rating", + "description": "The assessed risk remaining after responses are applied." + }, + "targetRisk": { + "$ref": "#/$defs/rating", + "description": "The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment." + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/riskResponse" + }, + "description": "The responses applied to this risk." + }, + "status": { + "title": "Status", + "description": "The lifecycle status of the risk. Use the custom option for a status specific to an organization's risk process.", + "oneOf": [ + { + "title": "Predefined Risk Status", + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated.", + "assessed": "Risk has been assessed and prioritized.", + "mitigated": "Responses are in place reducing this risk.", + "accepted": "Risk has been formally accepted.", + "transferred": "Risk has been transferred to another party.", + "retired": "Risk no longer applies." + } + }, + { + "title": "Custom Risk Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." 
+ } + } + } + ] + }, + "owner": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).", + "additionalProperties": false, + "properties": { + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "score": { + "$ref": "#/$defs/riskScore" + }, + "detectability": { + "type": "object", + "title": "Detectability", + "additionalProperties": false, + "description": "The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.", + "properties": { + "score": { + "type": "number", + "minimum": 0, + "description": "The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier." + }, + "description": { + "type": "string", + "description": "A narrative explanation of the detectability assessment." 
+ } + } + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. Supports quantitative methods that reason over uncertainty." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The justification for this rating, including the method and the evidence considered." + } + } + }, + "likelihood": { + "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", + "enum": [ + "very-low", + "low", + "medium", + "high", + "very-high", + "certain" + ], + "meta:enum": { + "very-low": "Very unlikely to occur (less than 10% probability).", + "low": "Unlikely to occur (10 to 30% probability).", + "medium": "Possible to occur (30 to 60% probability).", + "high": "Likely to occur (60 to 85% probability).", + "very-high": "Very likely to occur (85 to 99% probability).", + "certain": "Almost certain to occur (greater than 99% probability)." + } + }, + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric likelihood score on the scale defined by the methodology." + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal from 0 to 1." + }, + "frequency": { + "type": "number", + "minimum": 0, + "title": "Frequency", + "description": "The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. Unlike a probability, a frequency may exceed 1." 
+ }, + "timeframe": { + "type": "string", + "title": "Timeframe", + "description": "The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year." + }, + "range": { + "$ref": "#/$defs/estimateRange", + "description": "A range for the probability or frequency, supporting quantitative methods that reason over distributions." + }, + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/likelihoodFactor" + }, + "description": "The factors considered when determining the likelihood level." + }, + "rationale": { + "type": "string", + "description": "The justification for the likelihood rating." + } + } + }, + "likelihoodFactor": { + "type": "object", + "title": "Likelihood Factor", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.", + "minLength": 1 + }, + "type": { + "title": "Type", + "description": "The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "oneOf": [ + { + "title": "Predefined Likelihood Factor Type", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "type": "string", + "enum": [ + "attack-vector", + "contact-frequency", + "control-effectiveness", + "detectability", + "discoverability", + "exploit-maturity", + "exposure", + "motivation", + "opportunity", + "targeting", + "threat-capability", + "vulnerability" + ], + "meta:enum": { + "attack-vector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "contact-frequency": "How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.", + "control-effectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.", + "detectability": "Likelihood that the activity is detected before the risk is realized. Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.", + "discoverability": "Ease with which the weakness or opportunity can be found by a potential actor. 
Aligns with the OWASP Risk Rating ease of discovery factor.", + "exploit-maturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", + "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.", + "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", + "targeting": "Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.", + "threat-capability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." + } + }, + { + "title": "Custom Likelihood Factor Type", + "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the custom likelihood factor type.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment." 
+ } + } + } + ] + }, + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", + "enum": [ + "very-low", + "low", + "medium", + "high", + "very-high", + "certain" + ], + "meta:enum": { + "very-low": "This factor has minimal contribution to risk realization (less than 10% influence).", + "low": "This factor has limited contribution to risk realization (10 to 30% influence).", + "medium": "This factor moderately contributes to risk realization (30 to 60% influence).", + "high": "This factor strongly contributes to risk realization (60 to 85% influence).", + "very-high": "This factor very strongly contributes to risk realization (85 to 99% influence).", + "certain": "This factor almost certainly contributes to risk realization (greater than 99% influence)." + } + }, + "score": { + "type": "number", + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.", + "minimum": 0 + }, + "weight": { + "type": "number", + "title": "Weight", + "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.", + "minimum": 0, + "maximum": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "impact": { + "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "negligible", + "low", + "moderate", + "major", + "catastrophic" + ], + "description": "The qualitative impact severity level.", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences.", + "low": "Minor impact with limited consequences.", + "moderate": "Moderate impact affecting some operations.", + "major": "Significant impact with serious consequences.", + "catastrophic": "Catastrophic impact with existential consequences." + } + }, + "polarity": { + "type": "string", + "title": "Polarity", + "description": "Whether the impact represents a harm or a benefit. Benefits support modeling opportunities and positive risk.", + "enum": [ + "harm", + "benefit" + ], + "meta:enum": { + "harm": "A negative impact or downside.", + "benefit": "A positive impact or upside." + } + }, + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric impact score on the scale defined by the methodology." + }, + "categories": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/impactCategory" + }, + "description": "The categories of impact, including harms relevant to AI and societal risk." + }, + "factors": { + "type": "array", + "title": "Factors", + "items": { + "$ref": "#/$defs/impactFactor" + }, + "description": "The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown." + }, + "range": { + "$ref": "#/$defs/estimateRange", + "description": "A range for the impact score, supporting quantitative methods that reason over distributions." 
+ }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "The risk attributes affected." + }, + "quantification": { + "$ref": "#/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "A description of the potential impact." + } + } + }, + "impactCategory": { + "title": "Impact Category", + "description": "A category of impact, including harms relevant to AI and societal risk. Use the custom option for categories specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Impact Category", + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic", + "bias", + "discrimination", + "fairness", + "human-rights", + "environmental", + "societal", + "psychological", + "physical", + "health" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality.", + "integrity": "Impact on data or system integrity.", + "availability": "Impact on service availability.", + "financial": "Financial loss or impact.", + "reputation": "Reputational damage.", + "regulatory": "Regulatory compliance impact.", + "safety": "Human safety impact.", + "privacy": "Privacy violation impact.", + "operational": "Operational disruption.", + "strategic": "Strategic business impact.", + "bias": "Systematic bias in automated outputs or decisions.", + "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", + "fairness": "Impact on the fair and equitable treatment of affected groups.", + "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", + "environmental": "Environmental impact, including energy use and carbon emissions.", + "societal": "Impact on society, communities, or civic processes.", + "psychological": "Psychological or emotional harm.", + "physical": 
"Physical harm to people or property.", + "health": "Impact on physical or mental health." + } + }, + { + "title": "Custom Impact Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom impact category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom impact category." + } + } + } + ] + }, + "impactFactor": { + "type": "object", + "title": "Impact Factor", + "description": "An individual contributing factor used to determine the overall impact of a risk or scenario. Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'." + }, + "category": { + "$ref": "#/$defs/impactCategory", + "description": "The impact dimension this factor measures." + }, + "score": { + "type": "number", + "minimum": 0, + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact." + }, + "weight": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Weight", + "description": "The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "estimateRange": { + "type": "object", + "title": "Estimate Range", + "description": "A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.", + "additionalProperties": false, + "properties": { + "minimum": { + "type": "number", + "description": "The minimum, or lower bound, estimate." + }, + "mostLikely": { + "type": "number", + "description": "The most likely estimate." + }, + "maximum": { + "type": "number", + "description": "The maximum, or upper bound, estimate." + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "The estimated financial loss, in the units given by currency." + }, + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code." + }, + "affectedUsers": { + "type": "integer", + "description": "The number of affected users." + }, + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." + }, + "dataRecords": { + "type": "integer", + "description": "The number of data records affected." + }, + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." 
+ }, + "financialLossRange": { + "$ref": "#/$defs/estimateRange", + "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges." + }, + "affectedGroups": { + "type": "integer", + "minimum": 0, + "description": "The number of distinct groups or populations affected." + } + } + }, + "riskScore": { + "type": "object", + "title": "Risk Score", + "description": "The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" + ], + "description": "The overall qualitative risk level.", + "meta:enum": { + "info": "Informational.", + "low": "Low risk.", + "medium": "Medium risk.", + "high": "High risk.", + "critical": "Critical risk." + } + }, + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric risk score on the scale defined by the methodology." + }, + "vector": { + "type": "string", + "description": "A textual representation of the metric values used to derive the score, in the format defined by the methodology." + }, + "methodology": { + "title": "Methodology", + "description": "The risk rating methodology used to derive this score. 
Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. Use the custom option for methodologies not listed.", + "oneOf": [ + { + "title": "Predefined Risk Methodology", + "type": "string", + "enum": [ + "dread", + "fair", + "fmea", + "nist-sp-800-30", + "octave", + "owasp-risk-rating", + "qualitative-matrix" + ], + "meta:enum": { + "dread": "[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.", + "fair": "[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.", + "fmea": "[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.", + "nist-sp-800-30": "[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.", + "octave": "[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.", + "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.", + "qualitative-matrix": "A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25." 
+ } + }, + { + "title": "Custom Risk Methodology", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk methodology." + } + } + } + ] + } + } + }, + "riskResponse": { + "type": "object", + "title": "Risk Response", + "description": "An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.", + "required": [ + "bom-ref", + "strategy" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link." + }, + "strategy": { + "type": "string", + "title": "Strategy", + "description": "The disposition chosen for the risk.", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "exploit", + "enhance" + ], + "meta:enum": { + "avoid": "Eliminate the risk by removing its source or not proceeding with the activity.", + "reduce": "Lower the likelihood or impact of the risk through controls.", + "transfer": "Shift the risk to another party, for example through insurance or contract.", + "accept": "Take no further action and retain the risk.", + "exploit": "Pursue an opportunity so that a positive risk occurs.", + "enhance": "Increase the likelihood or benefit of a positive risk." + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the response." 
+ }, + "controls": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that implement this response." + }, + "status": { + "title": "Status", + "description": "The implementation status of the response.", + "$ref": "cyclonedx-control-2.0.schema.json#/$defs/implementationStatus" + }, + "effectiveness": { + "$ref": "cyclonedx-control-2.0.schema.json#/$defs/effectiveness" + }, + "cost": { + "type": "string", + "title": "Cost", + "enum": [ + "trivial", + "low", + "medium", + "high", + "extreme" + ], + "meta:enum": { + "trivial": "Minimal cost and effort.", + "low": "Low cost and effort.", + "medium": "Moderate cost and effort.", + "high": "High cost and significant effort.", + "extreme": "Extreme cost and major effort." + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "owner": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party accountable for this response. May be an inline party object or a reference to a previously declared party." + }, + "targetDate": { + "type": "string", + "format": "date-time", + "title": "Target Date", + "description": "The date by which this response is targeted to be implemented." + }, + "addresses": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk." 
+ }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assessment": { + "type": "object", + "required": [ + "bom-ref", + "type", + "cadence", + "timestamp" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "A human-readable name for the assessment." + }, + "type": { + "type": "array", + "title": "Type", + "minItems": 1, + "uniqueItems": true, + "description": "The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. Use the custom option for kinds specific to an organization's process.", + "items": { + "oneOf": [ + { + "title": "Predefined Assessment Type", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "safety", + "financial", + "environmental", + "supply-chain", + "compliance", + "data-protection-impact", + "fundamental-rights-impact", + "ai-impact", + "business-impact", + "third-party", + "threat", + "vulnerability", + "model-risk", + "fraud" + ], + "meta:enum": { + "security": "Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.", + "privacy": "Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.", + "operational": "Operational risk assessment, evaluating risks to ongoing operations and continuity.", + "safety": "Safety risk assessment, evaluating risks of harm to people or property.", + "financial": "Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.", + 
"environmental": "Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.",
+ "supply-chain": "Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).",
+ "compliance": "Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.",
+ "data-protection-impact": "Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).",
+ "fundamental-rights-impact": "Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).",
+ "ai-impact": "Artificial intelligence impact assessment, evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).",
+ "business-impact": "Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.",
+ "third-party": "Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.",
+ "threat": "Threat assessment, evaluating the threats and threat actors relevant to a subject.",
+ "vulnerability": "Vulnerability assessment, evaluating weaknesses that could be exploited.",
+ "model-risk": "Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.",
+ "fraud": "Fraud risk assessment, evaluating exposure to 
fraudulent activity and the controls that detect or prevent it."
+ }
+ },
+ {
+ "title": "Custom Assessment Type",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom assessment type."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom assessment type."
+ }
+ }
+ }
+ ]
+ }
+ },
+ "cadence": {
+ "title": "Cadence",
+ "description": "The temporal cadence or occasion on which the assessment is performed. Use the custom option for patterns specific to an organization's process.",
+ "oneOf": [
+ {
+ "title": "Predefined Assessment Cadence",
+ "type": "string",
+ "enum": [
+ "initial",
+ "periodic",
+ "continuous",
+ "triggered",
+ "ad-hoc"
+ ],
+ "meta:enum": {
+ "initial": "Initial, baseline assessment performed once at the outset.",
+ "periodic": "Scheduled, recurring assessment.",
+ "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.",
+ "triggered": "Assessment triggered by a specific event, such as a change or an incident.",
+ "ad-hoc": "Unplanned, one-off assessment, neither scheduled nor triggered by a defined event."
+ }
+ },
+ {
+ "title": "Custom Assessment Cadence",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom assessment cadence."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom assessment cadence."
+ }
+ }
+ }
+ ]
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "When the assessment was performed."
+ },
+ "scope": {
+ "type": "string",
+ "title": "Scope",
+ "description": "The scope of the assessment, including the systems, boundaries, and what is in or out of scope."
+ },
+ "status": {
+ "title": "Status",
+ "description": "The lifecycle status of the assessment. Use the custom option for a status specific to an organization's process.",
+ "oneOf": [
+ {
+ "title": "Predefined Assessment Status",
+ "type": "string",
+ "enum": [
+ "draft",
+ "in-progress",
+ "completed",
+ "approved",
+ "superseded"
+ ],
+ "meta:enum": {
+ "draft": "The assessment is being prepared.",
+ "in-progress": "The assessment is underway.",
+ "completed": "The assessment is finished.",
+ "approved": "The assessment has been reviewed and approved.",
+ "superseded": "The assessment has been replaced by a later one."
+ }
+ },
+ {
+ "title": "Custom Assessment Status",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom status."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom status."
+ }
+ }
+ }
+ ]
+ },
+ "assessors": {
+ "type": "array",
+ "title": "Assessors",
+ "items": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice"
+ },
+ "description": "The parties that performed the assessment. Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`."
+ },
+ "summary": {
+ "type": "string",
+ "description": "An executive summary of the assessment."
+ },
+ "risks": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to risk entries evaluated in this assessment."
+ },
+ "overallRisk": {
+ "type": "object",
+ "required": [
+ "method",
+ "score"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "method": {
+ "title": "Method",
+ "description": "The aggregation method used to derive the overall risk from the assessed risks. Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR.",
+ "oneOf": [
+ {
+ "title": "Predefined Aggregation Method",
+ "type": "string",
+ "enum": [
+ "maximum",
+ "sum",
+ "average",
+ "weighted-average"
+ ],
+ "meta:enum": {
+ "maximum": "The overall risk equals the highest individual risk.",
+ "sum": "The overall risk is the sum of the individual risks, representing total exposure.",
+ "average": "The overall risk is the mean of the individual risks.",
+ "weighted-average": "The overall risk is a weighted mean of the individual risks."
+ }
+ },
+ {
+ "title": "Custom Aggregation Method",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom aggregation method."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom aggregation method."
+ }
+ }
+ }
+ ]
+ },
+ "score": {
+ "$ref": "#/$defs/riskScore"
+ },
+ "description": {
+ "type": "string",
+ "description": "An optional explanation for custom aggregation approaches."
+ }
+ },
+ "description": "The aggregated risk result for this assessment."
+ },
+ "assumptions": {
+ "type": "array",
+ "title": "Assumptions",
+ "items": {
+ "type": "string"
+ },
+ "description": "The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change."
+ },
+ "recommendations": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Recommendations from the assessment."
+ },
+ "nextReview": {
+ "type": "string",
+ "format": "date-time",
+ "description": "When the next review should occur."
+ },
+ "riskAppetites": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this assessment."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "priority": {
+ "type": "string",
+ "enum": [
+ "none",
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
+ "description": "Priority level.",
+ "meta:enum": {
+ "none": "No priority.",
+ "low": "Low priority.",
+ "medium": "Medium priority.",
+ "high": "High priority.",
+ "critical": "Critical priority."
+ }
+ },
+ "criticality": {
+ "type": "string",
+ "enum": [
+ "minimal",
+ "low",
+ "moderate",
+ "high",
+ "critical"
+ ],
+ "description": "Business criticality level.",
+ "meta:enum": {
+ "minimal": "Minimal impact on business operations.",
+ "low": "Low impact with minor inconvenience.",
+ "moderate": "Moderate impact affecting some operations.",
+ "high": "High impact affecting critical operations.",
+ "critical": "Critical impact with severe business consequences."
+ }
+ },
+ "appetiteLevel": {
+ "type": "string",
+ "description": "A qualitative risk appetite level, ranging from risk-averse to risk-seeking.",
+ "enum": [
+ "averse",
+ "minimal",
+ "cautious",
+ "open",
+ "hungry"
+ ],
+ "meta:enum": {
+ "averse": "Avoidance of risk is the priority, and only the lowest-risk options are acceptable.",
+ "minimal": "A preference for very low risk, accepting risk only where it is unavoidable.",
+ "cautious": "A preference for safe options, accepting limited and well-understood risk for reward.",
+ "open": "A willingness to accept higher risk where the potential reward justifies it.",
+ "hungry": "An active willingness to seek risk in pursuit of greater reward, within defined control limits."
+ }
+ },
+ "riskAppetite": {
+ "type": "object",
+ "title": "Risk Appetite",
+ "description": "The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.",
+ "required": [
+ "level"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment."
+ },
+ "party": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. May be an inline party object or a reference to a previously declared party."
+ },
+ "level": {
+ "$ref": "#/$defs/appetiteLevel",
+ "description": "The overall risk appetite level."
+ },
+ "statement": {
+ "type": "string",
+ "title": "Statement",
+ "description": "A narrative statement of the overall risk appetite, including any qualifications or context."
+ },
+ "rationale": {
+ "type": "string",
+ "description": "The justification for this appetite, such as the strategic objective or regulatory obligation that informs it."
+ },
+ "owner": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party accountable for setting and approving this appetite, such as a board or risk committee. May be an inline party object or a reference to a previously declared party."
+ },
+ "horizon": {
+ "type": "string",
+ "description": "The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."
+ },
+ "nextReview": {
+ "type": "string",
+ "format": "date-time",
+ "description": "When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape."
+ },
+ "categories": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "domain",
+ "level"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "domain": {
+ "$ref": "#/$defs/riskDomain",
+ "description": "The risk domain this appetite entry applies to."
+ },
+ "level": {
+ "$ref": "#/$defs/appetiteLevel",
+ "description": "The appetite level for this risk domain."
+ },
+ "statement": {
+ "type": "string",
+ "description": "A narrative statement of the appetite for this risk domain."
+ },
+ "rationale": {
+ "type": "string",
+ "description": "The justification for the appetite for this risk domain."
+ }
+ }
+ },
+ "description": "Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
new file mode 100644
index 000000000..edc8748c3
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -0,0 +1,1476 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-threat-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Threat Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "threats": {
+ "type": "object",
+ "title": "Threats",
+ "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.",
+ "additionalProperties": false,
+ "properties": {
+ "threats": {
+ "type": "array",
+ "title": "Threats",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/threat"
+ },
+ "description": "The documented threats. Each describes what can go wrong, independent of any specific actor or occurrence."
+ },
+ "scenarios": {
+ "type": "array",
+ "title": "Scenarios",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/threatScenario"
+ },
+ "description": "The threat scenarios, each realizing one or more documented threats in a specific way."
+ },
+ "attackPatterns": {
+ "type": "array",
+ "title": "Attack Patterns",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/attackPattern"
+ },
+ "description": "A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference."
+ },
+ "attackTrees": {
+ "type": "array",
+ "title": "Attack Trees",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/attackTree"
+ },
+ "description": "Attack trees that decompose attacker goals into sub-goals and techniques."
+ },
+ "attackPaths": {
+ "type": "array",
+ "title": "Attack Paths",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/attackPath"
+ },
+ "description": "Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement."
+ },
+ "abuseCases": {
+ "type": "array",
+ "title": "Abuse Cases",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/abuseCase"
+ },
+ "description": "Abuse or misuse cases that describe how the system can be exercised by an adversary."
+ },
+ "trustBoundaries": {
+ "type": "array",
+ "title": "Trust Boundaries",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/trustBoundary"
+ },
+ "description": "The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics."
+ },
+ "methodologies": {
+ "type": "array",
+ "title": "Methodologies",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/methodology"
+ },
+ "description": "The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack trees."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "methodology": {
+ "title": "Threat Modeling Methodology",
+ "description": "A threat modeling methodology applied to produce this threat model. 
Use the custom option for methodologies not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Threat Modeling Methodology",
+ "enum": [
+ "STRIDE",
+ "LINDDUN",
+ "PASTA",
+ "MAESTRO",
+ "OWASP",
+ "TRIKE",
+ "VAST",
+ "ATFAA",
+ "attack-tree"
+ ],
+ "meta:enum": {
+ "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.",
+ "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.",
+ "PASTA": "Process for Attack Simulation and Threat Analysis.",
+ "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.",
+ "OWASP": "OWASP threat modelling methodology.",
+ "TRIKE": "Risk-based threat modelling methodology.",
+ "VAST": "Visual, Agile, and Simple Threat modelling.",
+ "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.",
+ "attack-tree": "Attack tree methodology, decomposing attacker goals into sub-goals and techniques."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Threat Modeling Methodology",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom threat modeling methodology."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom threat modeling methodology."
+ }
+ }
+ }
+ ]
+ },
+ "threat": {
+ "type": "object",
+ "title": "Threat",
+ "description": "A documented threat, describing what can go wrong independent of any specific actor or occurrence. 
A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the threat."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the threat."
+ },
+ "source": {
+ "type": "string",
+ "title": "Source",
+ "description": "The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity."
+ },
+ "origin": {
+ "title": "Origin",
+ "description": "The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Use the custom option for an origin not covered by the enumeration.",
+ "oneOf": [
+ {
+ "type": "string",
+ "title": "Predefined Origin",
+ "enum": [
+ "adversarial",
+ "accidental",
+ "structural",
+ "environmental"
+ ],
+ "meta:enum": {
+ "adversarial": "An adversary acting with intent, such as an individual, group, organization, or nation state.",
+ "accidental": "An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.",
+ "structural": "A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.",
+ "environmental": "A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage."
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Origin",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the custom origin."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom origin."
+ }
+ }
+ }
+ ]
+ },
+ "categories": {
+ "type": "array",
+ "title": "Categories",
+ "uniqueItems": true,
+ "description": "The methodology-specific categories that this threat falls under. A threat may be categorized under more than one methodology, for example STRIDE and MAESTRO. The methodology is one of the supported threat-modelling methodologies, and it determines which category values are permitted.",
+ "items": {
+ "type": "object",
+ "title": "Threat Category",
+ "description": "A threat category. The taxonomy determines the permitted category values.",
+ "additionalProperties": false,
+ "required": ["taxonomy", "category"],
+ "properties": {
+ "taxonomy": {
+ "type": "string",
+ "title": "Taxonomy",
+ "description": "The threat classification taxonomy that the category is drawn from.",
+ "enum": ["STRIDE", "LINDDUN", "MAESTRO", "MITRE-ATTACK"],
+ "meta:enum": {
+ "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.",
+ "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.",
+ "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.",
+ "MITRE-ATTACK": "The MITRE ATT&CK framework, whose categories are its Enterprise tactics."
+ }
+ },
+ "category": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Category",
+ "description": "The category within the taxonomy. The permitted values are determined by the taxonomy."
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "required": ["taxonomy"],
+ "properties": { "taxonomy": { "const": "STRIDE" } }
+ },
+ "then": {
+ "properties": {
+ "category": {
+ "enum": ["spoofing", "tampering", "repudiation", "information-disclosure", "denial-of-service", "elevation-of-privilege"],
+ "meta:enum": {
+ "spoofing": "Impersonating something or someone, violating authenticity.",
+ "tampering": "Modifying data or code, violating integrity.",
+ "repudiation": "Denying having performed an action, violating non-repudiation.",
+ "information-disclosure": "Exposing information to unauthorized parties, violating confidentiality.",
+ "denial-of-service": "Denying or degrading service to legitimate users, violating availability.",
+ "elevation-of-privilege": "Gaining capabilities without proper authorization, violating authorization."
+ }
+ }
+ }
+ }
+ },
+ {
+ "if": {
+ "required": ["taxonomy"],
+ "properties": { "taxonomy": { "const": "LINDDUN" } }
+ },
+ "then": {
+ "properties": {
+ "category": {
+ "enum": ["linkability", "identifiability", "non-repudiation", "detectability", "disclosure-of-information", "unawareness", "non-compliance"],
+ "meta:enum": {
+ "linkability": "Linking data items to learn more about an individual.",
+ "identifiability": "Identifying an individual from data.",
+ "non-repudiation": "Being unable to deny a claim, harming plausible deniability.",
+ "detectability": "Detecting that an item of interest exists.",
+ "disclosure-of-information": "Revealing personal data, violating confidentiality.",
+ "unawareness": "Individuals being unaware of the processing of their data.",
+ "non-compliance": "Deviating from policy, regulation, or best practice."
+ }
+ }
+ }
+ }
+ },
+ {
+ "if": {
+ "required": ["taxonomy"],
+ "properties": { "taxonomy": { "const": "MAESTRO" } }
+ },
+ "then": {
+ "properties": {
+ "category": {
+ "enum": ["foundation-models", "data-operations", "agent-frameworks", "deployment-and-infrastructure", "evaluation-and-observability", "security-and-compliance", "agent-ecosystem"],
+ "meta:enum": {
+ "foundation-models": "Layer 1. The core models that provide the agent's capabilities.",
+ "data-operations": "Layer 2. Storage, retrieval, and processing of the agent's data.",
+ "agent-frameworks": "Layer 3. The frameworks and tools that build and run agents.",
+ "deployment-and-infrastructure": "Layer 4. The infrastructure on which agents are deployed and scaled.",
+ "evaluation-and-observability": "Layer 5. Evaluation, monitoring, and observability of agent behaviour.",
+ "security-and-compliance": "Layer 6. The cross-cutting security and compliance controls.",
+ "agent-ecosystem": "Layer 7. The applications and marketplace where agents deliver value to end-users."
+ }
+ }
+ }
+ }
+ },
+ {
+ "if": {
+ "required": ["taxonomy"],
+ "properties": { "taxonomy": { "const": "MITRE-ATTACK" } }
+ },
+ "then": {
+ "properties": {
+ "category": {
+ "enum": ["reconnaissance", "resource-development", "initial-access", "execution", "persistence", "privilege-escalation", "defense-evasion", "credential-access", "discovery", "lateral-movement", "collection", "command-and-control", "exfiltration", "impact"]
+ }
+ }
+ }
+ }
+ ]
+ }
+ },
+ "weaknesses": {
+ "$ref": "cyclonedx-weakness-2.0.schema.json#/$defs/weaknesses",
+ "description": "The weaknesses, such as CWE classifications, that this threat exploits."
+ },
+ "relatedVulnerabilities": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it."
+ },
+ "attackPatterns": {
+ "type": "array",
+ "title": "Attack Patterns",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the attack patterns by which this threat is carried out."
+ },
+ "attackTrees": {
+ "type": "array",
+ "title": "Attack Trees",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the attack trees that decompose this threat."
+ },
+ "abuseCases": {
+ "type": "array",
+ "title": "Abuse Cases",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the abuse cases that illustrate how this threat can be exercised."
+ },
+ "killChainPhase": {
+ "$ref": "#/$defs/killChainPhase",
+ "description": "The phase of the cyber kill chain at which this threat operates."
+ },
+ "behaviors": {
+ "type": "array",
+ "title": "Behaviors",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy."
+ },
+ "indicators": {
+ "$ref": "#/$defs/indicators"
+ },
+ "affectedAssets": {
+ "type": "array",
+ "title": "Affected Assets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the kinds of assets this threat affects."
+ },
+ "relatedBusinessObjectives": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the business objectives this threat endangers."
+ },
+ "mitigations": {
+ "type": "array",
+ "title": "Mitigations",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that mitigate this threat."
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "threatScenario": {
+ "type": "object",
+ "title": "Threat Scenario",
+ "description": "A specific realization of a threat, in which an actor seeks to cause harm. The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "name",
+ "threats"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the threat scenario."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the threat scenario."
+ },
+ "threats": {
+ "type": "array",
+ "title": "Threats",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats."
+ },
+ "actor": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the party that is the actor in this scenario. 
Named adversary groups are organizations and abstract attacker classes are personas."
+ },
+ "threatProfile": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor."
+ },
+ "motivation": {
+ "type": "array",
+ "title": "Motivation",
+ "uniqueItems": true,
+ "description": "The motivations of the actor in this scenario.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "financial",
+ "political",
+ "personal",
+ "ideological",
+ "espionage",
+ "destruction",
+ "disruption",
+ "reputation",
+ "curiosity",
+ "competitive",
+ "revenge",
+ "activism"
+ ],
+ "meta:enum": {
+ "financial": "Motivated by financial gain.",
+ "political": "Motivated by political objectives.",
+ "personal": "Motivated by personal reasons.",
+ "ideological": "Motivated by ideology or belief.",
+ "espionage": "Motivated by intelligence gathering.",
+ "destruction": "Motivated by the desire to destroy.",
+ "disruption": "Motivated by the desire to disrupt operations.",
+ "reputation": "Motivated by reputational gain or harm.",
+ "curiosity": "Motivated by curiosity.",
+ "competitive": "Motivated by competitive advantage.",
+ "revenge": "Motivated by revenge.",
+ "activism": "Motivated by activism."
+ }
+ }
+ },
+ "intent": {
+ "type": "string",
+ "title": "Intent",
+ "description": "The intent of the actor in this scenario.",
+ "enum": [
+ "accidental",
+ "opportunistic",
+ "targeted",
+ "persistent"
+ ],
+ "meta:enum": {
+ "accidental": "The harm is caused without intent.",
+ "opportunistic": "The actor takes advantage of an opportunity as it arises.",
+ "targeted": "The actor deliberately targets the subject.",
+ "persistent": "The actor pursues the target persistently over time."
+ }
+ },
+ "accessLevel": {
+ "type": "string",
+ "title": "Access Level",
+ "description": "The level of access the actor is assumed to have in this scenario.",
+ "enum": [
+ "none",
+ "external",
+ "internal",
+ "privileged",
+ "physical"
+ ],
+ "meta:enum": {
+ "none": "No access.",
+ "external": "External access only.",
+ "internal": "Internal access, such as that of an ordinary user.",
+ "privileged": "Privileged or administrative access.",
+ "physical": "Physical access to the target."
+ }
+ },
+ "attackVector": {
+ "$ref": "#/$defs/attackVector"
+ },
+ "exploitability": {
+ "$ref": "#/$defs/exploitability"
+ },
+ "likelihood": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/likelihood"
+ },
+ "impact": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/impact"
+ },
+ "riskScore": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/riskScore"
+ },
+ "riskAttributes": {
+ "type": "array",
+ "title": "Risk Attributes",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/riskAttribute"
+ },
+ "description": "The security and privacy attributes that this threat would compromise if realized."
+ },
+ "affectedAssets": {
+ "type": "array",
+ "title": "Affected Assets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the assets affected in this scenario."
+ },
+ "relatedRisks": {
+ "type": "array",
+ "title": "Related Risks",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the risks that this scenario contributes to."
+ },
+ "relatedVulnerabilities": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the vulnerabilities exploited in this scenario."
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "threatProfiles": {
+ "type": "array",
+ "title": "Threat Profiles",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/threatProfile"
+ },
+ "description": "Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat."
+ },
+ "threatProfile": {
+ "type": "object",
+ "title": "Threat Profile",
+ "description": "A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the threat profile."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the threat profile."
+ },
+ "sophistication": {
+ "type": "string",
+ "title": "Sophistication",
+ "description": "The level of technical sophistication an actor characterized by this profile is assumed to possess.",
+ "enum": ["none", "minimal", "intermediate", "advanced", "expert"],
+ "meta:enum": {
+ "none": "No technical sophistication.",
+ "minimal": "Minimal sophistication, relying on readily available tools and techniques.",
+ "intermediate": "Intermediate technical skills.",
+ "advanced": "Advanced skills consistent with a persistent and well-resourced actor.",
+ "expert": "Expert skills consistent with the most capable actors."
+ }
+ },
+ "resources": {
+ "type": "string",
+ "title": "Resources",
+ "description": "The level of resources an actor characterized by this profile is assumed to have available.",
+ "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"],
+ "meta:enum": {
+ "minimal": "Minimal resources.",
+ "limited": "Limited resources.",
+ "moderate": "Moderate resources.",
+ "substantial": "Substantial resources.",
+ "unlimited": "Effectively unlimited resources."
+ }
+ },
+ "skillSet": {
+ "type": "array",
+ "title": "Skill Set",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The specific skills an actor characterized by this profile is assumed to possess."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "attackVector": {
+ "type": "object",
+ "title": "Attack Vector",
+ "description": "The conditions under which an attack is possible, following the convention of common vulnerability scoring systems.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "The context by which an attack is possible.",
+ "enum": [
+ "network",
+ "adjacent",
+ "local",
+ "physical"
+ ],
+ "meta:enum": {
+ "network": "Remotely exploitable via a network.",
+ "adjacent": "Exploitable from an adjacent network.",
+ "local": "Requires local access.",
+ "physical": "Requires physical access."
+ }
+ },
+ "complexity": {
+ "type": "string",
+ "title": "Complexity",
+ "description": "The complexity of the attack.",
+ "enum": [
+ "low",
+ "high"
+ ],
+ "meta:enum": {
+ "low": "The attack has low complexity.",
+ "high": "The attack has high complexity."
+ }
+ },
+ "privileges": {
+ "type": "string",
+ "title": "Privileges",
+ "description": "The level of privileges required to carry out the attack.",
+ "enum": [
+ "none",
+ "low",
+ "high"
+ ],
+ "meta:enum": {
+ "none": "No privileges are required.",
+ "low": "Low privileges are required.",
+ "high": "High privileges are required."
+ }
+ },
+ "userInteraction": {
+ "type": "string",
+ "title": "User Interaction",
+ "description": "Whether the attack requires interaction from a user other than the attacker.",
+ "enum": [
+ "none",
+ "required"
+ ],
+ "meta:enum": {
+ "none": "No user interaction is required.",
+ "required": "User interaction is required."
+ }
+ },
+ "scope": {
+ "type": "string",
+ "title": "Scope",
+ "description": "Whether a successful attack affects resources beyond the vulnerable component.",
+ "enum": [
+ "unchanged",
+ "changed"
+ ],
+ "meta:enum": {
+ "unchanged": "The attack affects only the vulnerable component.",
+ "changed": "The attack affects resources beyond the vulnerable component."
+ }
+ }
+ }
+ },
+ "attackPattern": {
+ "type": "object",
+ "title": "Attack Pattern",
+ "description": "A description of the common attributes and approach of an attack, typically aligned with CAPEC. Techniques are aligned with MITRE ATT&CK.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link."
+ },
+ "capecId": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CAPEC Identifier",
+ "description": "The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the attack pattern."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the attack pattern."
+ },
+ "prerequisites": {
+ "type": "array",
+ "title": "Prerequisites",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The conditions that must hold for the attack to be possible."
+ },
+ "techniques": {
+ "type": "array",
+ "title": "Techniques",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/technique"
+ },
+ "description": "The techniques used to carry out the attack, typically aligned with MITRE ATT&CK."
+ },
+ "mitigations": {
+ "type": "array",
+ "title": "Mitigations",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that mitigate this attack pattern."
+ },
+ "examples": {
+ "type": "array",
+ "title": "Examples",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Real-world examples of the attack pattern."
+ }
+ }
+ },
+ "technique": {
+ "type": "object",
+ "title": "Technique",
+ "description": "A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The identifier of the technique, such as a MITRE ATT&CK technique identifier."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the technique."
+ },
+ "tactic": {
+ "type": "string",
+ "title": "Tactic",
+ "description": "The tactic that the technique supports, such as a MITRE ATT&CK tactic."
+ },
+ "procedure": {
+ "type": "string",
+ "title": "Procedure",
+ "description": "The specific procedure by which the technique is carried out."
+ }
+ }
+ },
+ "attackTree": {
+ "type": "object",
+ "title": "Attack Tree",
+ "description": "A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. One node is the root, representing the attacker goal.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "nodes"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the attack tree."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the attack tree."
+ },
+ "root": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "title": "Root BOM Reference",
+ "description": "Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the node that no other node lists as a child."
+ },
+ "nodes": {
+ "type": "array",
+ "title": "Nodes",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/attackTreeNode"
+ },
+ "description": "The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting."
+ }
+ }
+ },
+ "attackTreeNode": {
+ "type": "object",
+ "title": "Attack Tree Node",
+ "description": "A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. The hierarchy is expressed by these references rather than by nesting.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The goal, sub-goal, or technique that the node represents."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the node."
+ },
+ "operator": {
+ "type": "string",
+ "title": "Operator",
+ "description": "Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.",
+ "enum": [
+ "and",
+ "or"
+ ],
+ "meta:enum": {
+ "and": "All child nodes are required to achieve this node.",
+ "or": "Any one child node is sufficient to achieve this node."
+ }
+ },
+ "children": {
+ "type": "array",
+ "title": "Children",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. A child node may be shared by more than one parent."
+ },
+ "attackPattern": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the attack pattern that this node represents."
+ },
+ "weakness": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the weakness that this node exploits."
+ },
+ "cost": {
+ "type": "string",
+ "title": "Cost",
+ "description": "The relative cost to an attacker of achieving this node.",
+ "enum": [
+ "negligible",
+ "low",
+ "moderate",
+ "high",
+ "prohibitive"
+ ],
+ "meta:enum": {
+ "negligible": "Negligible cost.",
+ "low": "Low cost.",
+ "moderate": "Moderate cost.",
+ "high": "High cost.",
+ "prohibitive": "Prohibitive cost."
+ }
+ },
+ "skill": {
+ "type": "string",
+ "title": "Skill",
+ "description": "The skill level required to achieve this node.",
+ "enum": [
+ "none",
+ "basic",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
+ "meta:enum": {
+ "none": "No special skill is required.",
+ "basic": "Basic skill is required.",
+ "intermediate": "Intermediate skill is required.",
+ "advanced": "Advanced skill is required.",
+ "expert": "Expert skill is required."
+ }
+ },
+ "detectability": {
+ "type": "string",
+ "title": "Detectability",
+ "description": "How readily an attempt to achieve this node can be detected.",
+ "enum": [
+ "undetectable",
+ "low",
+ "moderate",
+ "high"
+ ],
+ "meta:enum": {
+ "undetectable": "The attempt is effectively undetectable.",
+ "low": "The attempt is difficult to detect.",
+ "moderate": "The attempt is moderately detectable.",
+ "high": "The attempt is readily detectable."
+ }
+ },
+ "mitigations": {
+ "type": "array",
+ "title": "Mitigations",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that mitigate this node."
+ }
+ }
+ },
+ "abuseCase": {
+ "type": "object",
+ "title": "Abuse Case",
+ "description": "A description of how an adversary can misuse the system to achieve a malicious goal. An abuse case is the security counterpart of a use case and reuses its flow structure.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the abuse case, typically expressed as a malicious goal."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A narrative describing how the system can be misused or abused."
+ },
+ "abuser": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona."
+ },
+ "realizes": {
+ "type": "array",
+ "title": "Realizes",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the threats that this abuse case realizes."
+ },
+ "preconditions": {
+ "type": "array",
+ "title": "Preconditions",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The conditions that must hold before the abuse case can begin."
+ },
+ "mainFlow": {
+ "type": "array",
+ "title": "Main Flow",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/step"
+ },
+ "description": "The ordered steps the abuser follows."
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the assets or flows targeted in this abuse case."
+ },
+ "detectionOpportunities": {
+ "type": "array",
+ "title": "Detection Opportunities",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The signals, logs, or controls that present an opportunity to detect the abuse."
+ },
+ "mitigations": {
+ "type": "array",
+ "title": "Mitigations",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that mitigate this abuse case."
+ }
+ }
+ },
+ "exploitability": {
+ "type": "object",
+ "title": "Exploitability",
+ "description": "The degree to which a threat can be exploited in practice.",
+ "additionalProperties": false,
+ "properties": {
+ "level": {
+ "type": "string",
+ "title": "Level",
+ "description": "The maturity of available exploitation capability.",
+ "enum": [
+ "theoretical",
+ "proof-of-concept",
+ "functional",
+ "weaponized"
+ ],
+ "meta:enum": {
+ "theoretical": "Exploitation is theoretically possible but has not been demonstrated.",
+ "proof-of-concept": "A proof of concept exists.",
+ "functional": "A functional exploit exists.",
+ "weaponized": "A weaponized exploit is in use."
+ }
+ },
+ "complexity": {
+ "type": "string",
+ "title": "Complexity",
+ "description": "The complexity of exploitation.",
+ "enum": [
+ "trivial",
+ "low",
+ "medium",
+ "high",
+ "very-high"
+ ],
+ "meta:enum": {
+ "trivial": "Exploitation is trivial.",
+ "low": "Exploitation has low complexity.",
+ "medium": "Exploitation has medium complexity.",
+ "high": "Exploitation has high complexity.",
+ "very-high": "Exploitation has very high complexity."
+ }
+ },
+ "skillRequired": {
+ "type": "string",
+ "title": "Skill Required",
+ "description": "The skill level required to exploit the threat.",
+ "enum": [
+ "none",
+ "basic",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
+ "meta:enum": {
+ "none": "No special skill is required.",
+ "basic": "Basic skill is required.",
+ "intermediate": "Intermediate skill is required.",
+ "advanced": "Advanced skill is required.",
+ "expert": "Expert skill is required."
+ }
+ },
+ "automatable": {
+ "type": "boolean",
+ "title": "Automatable",
+ "description": "Whether exploitation can be automated."
+ }
+ }
+ },
+ "indicators": {
+ "type": "object",
+ "title": "Indicators",
+ "description": "The observable indicators associated with a threat.",
+ "additionalProperties": false,
+ "properties": {
+ "compromise": {
+ "type": "array",
+ "title": "Indicators of Compromise",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The indicators that a compromise has occurred."
+ },
+ "attack": {
+ "type": "array",
+ "title": "Indicators of Attack",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "The indicators that an attack is under way."
+ },
+ "signatures": {
+ "type": "array",
+ "title": "Signatures",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/signature"
+ },
+ "description": "The detection signatures associated with the threat."
+ }
+ }
+ },
+ "signature": {
+ "type": "object",
+ "title": "Signature",
+ "description": "A detection signature for a threat.",
+ "additionalProperties": false,
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "The type of signature.",
+ "enum": [
+ "yara",
+ "snort",
+ "regex",
+ "hash",
+ "behavior"
+ ],
+ "meta:enum": {
+ "yara": "A YARA rule.",
+ "snort": "A Snort rule.",
+ "regex": "A regular expression.",
+ "hash": "A cryptographic hash.",
+ "behavior": "A behavioural signature."
+ }
+ },
+ "value": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Value",
+ "description": "The signature value or pattern."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of what the signature detects."
+ },
+ "confidence": {
+ "type": "string",
+ "title": "Confidence",
+ "description": "The confidence level of a detection by this signature.",
+ "enum": [
+ "low",
+ "medium",
+ "high"
+ ],
+ "meta:enum": {
+ "low": "Low confidence.",
+ "medium": "Medium confidence.",
+ "high": "High confidence."
+ }
+ }
+ }
+ },
+ "trustBoundary": {
+ "type": "object",
+ "title": "Trust Boundary",
+ "description": "A security annotation marking an architectural boundary as one across which trust changes. It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "boundary"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link."
+ },
+ "boundary": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the trust boundary."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the trust boundary."
+ },
+ "trustLevel": {
+ "type": "string",
+ "title": "Trust Level",
+ "description": "The trust level differential across the boundary.",
+ "enum": [
+ "untrusted",
+ "semi-trusted",
+ "trusted",
+ "highly-trusted"
+ ],
+ "meta:enum": {
+ "untrusted": "The boundary separates an untrusted zone.",
+ "semi-trusted": "The boundary separates a semi-trusted zone.",
+ "trusted": "The boundary separates a trusted zone.",
+ "highly-trusted": "The boundary separates a highly trusted zone."
+ }
+ },
+ "threatsAtBoundary": {
+ "type": "array",
+ "title": "Threats At Boundary",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the threats that could exploit this boundary."
+ },
+ "controlsAtBoundary": {
+ "type": "array",
+ "title": "Controls At Boundary",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. Where the control and boundary are declared together, prefer the control's appliesTo property."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "killChainPhase": {
+ "type": "string",
+ "title": "Kill Chain Phase",
+ "description": "A phase of the cyber kill chain.",
+ "enum": [
+ "reconnaissance",
+ "weaponization",
+ "delivery",
+ "exploitation",
+ "installation",
+ "command-and-control",
+ "actions-on-objectives"
+ ],
+ "meta:enum": {
+ "reconnaissance": "Gathering information about the target.",
+ "weaponization": "Creating a malicious payload.",
+ "delivery": "Transmitting the payload to the target.",
+ "exploitation": "Exploiting a vulnerability or weakness.",
+ "installation": "Installing malicious software or establishing a foothold.",
+ "command-and-control": "Establishing a command and control channel.",
+ "actions-on-objectives": "Achieving the goals of the attack."
+ }
+ },
+ "attackPathStep": {
+ "type": "object",
+ "title": "Attack Path Step",
+ "description": "A single step in an attack path, describing one action in the progression of an attack.",
+ "required": [
+ "description"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A short name for the step."
+ },
+ "description": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Description",
+ "description": "The action the adversary performs in this step."
+ },
+ "technique": {
+ "$ref": "#/$defs/technique",
+ "description": "The technique used in this step, typically aligned with MITRE ATT&CK."
+ },
+ "attackPattern": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the attack pattern applied in this step."
+ },
+ "killChainPhase": {
+ "$ref": "#/$defs/killChainPhase",
+ "description": "The phase of the cyber kill chain at which this step operates."
+ },
+ "source": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the element or zone from which this step originates."
+ },
+ "destination": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the element or zone this step reaches."
+ },
+ "boundaryCrossed": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the trust boundary this step crosses."
+ },
+ "exploits": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits."
+ },
+ "mitigations": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that detect or prevent this step."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "attackPath": {
+ "type": "object",
+ "title": "Attack Path",
+ "description": "An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.",
+ "required": [
+ "bom-ref",
+ "name",
+ "steps"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "A human-readable name for the attack path."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the attack path."
+ },
+ "objective": {
+ "type": "string",
+ "title": "Objective",
+ "description": "The attacker objective that the path works toward, such as exfiltrating data or achieving code execution."
+ },
+ "actor": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the adversary that follows this path."
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/attackPathStep"
+ },
+ "description": "The ordered steps of the path, from the initial action to the objective. The order of the array is significant."
+ },
+ "realizes": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the threats that this path realizes."
+ },
+ "relatedRisks": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the risks that this path contributes to."
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
new file mode 100644
index 000000000..5d04372ff
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
@@ -0,0 +1,302 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-usecase-2.0.schema.json", + "type": "null", + "title": "CycloneDX Use Case Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/useCase" + }, + "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals." + }, + "useCase": { + "type": "object", + "title": "Use Case", + "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", + "required": [ + "bom-ref", + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution." 
+ }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases." + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced." + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/step" + }, + "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome." + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome." + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/exception" + }, + "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully." 
+ }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." + }, + "businessObjectives": { + "type": "array", + "title": "Business Objectives", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this use case supports." + }, + "notes": { + "type": "array", + "title": "Notes", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "step": { + "type": "object", + "title": "Step", + "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.", + "required": [ + "number", + "description" + ], + "additionalProperties": false, + "properties": { + "number": { + "type": "integer", + "title": "Number", + "minimum": 1, + "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1." 
+ }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." + }, + "actor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.", + "required": [ + "name", + "condition" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies." + }, + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path." + }, + "steps": { + "type": "array", + "title": "Steps", + "items": { + "$ref": "#/$defs/step" + }, + "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps." 
+ } + } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.", + "required": [ + "name", + "condition" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved." + }, + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." 
+ } + } + }, + "useCaseAssertions": { + "type": "array", + "title": "Use Case Assertions", + "description": "A list of assertions describing how a component relates to use cases defined in the BOM.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Use Case Assertion", + "description": "An assertion linking one or more use cases to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "useCaseRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the use case.", + "enum": [ + "extends", + "implements", + "inhibits", + "not-applicable", + "not-assessed", + "other", + "participates-in", + "supports", + "triggers", + "validates" + ], + "meta:enum": { + "extends": "The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.", + "implements": "The component implements or realises the use case, providing the primary capability that makes the use case functional.", + "inhibits": "The component is known to interfere with or block the correct execution of the use case.", + "not-applicable": "The use case does not pertain to this component. 
The evaluator has reviewed the use case and determined it is irrelevant.",
+ "not-assessed": "The relationship between the component and the use case has not yet been evaluated.",
+ "other": "A relationship that does not fit into the other predefined assertion types.",
+ "participates-in": "The component participates in the use case but is not solely responsible for its implementation.",
+ "supports": "The component provides enabling infrastructure for the use case without directly implementing or participating in it.",
+ "triggers": "The component initiates or kicks off the use case without being responsible for its implementation.",
+ "validates": "The component validates, tests, or verifies the correct execution of the use case."
+ }
+ },
+ "useCaseRefs": {
+ "type": "array",
+ "title": "Use Case References",
+ "description": "A list of BOM references linking to use case objects defined in the BOM.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Additional context or clarification regarding the assertion."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json
index 2e3f8c110..1e61e654e 100644
--- a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json
@@ -74,14 +74,9 @@
 "$ref": "#/$defs/rating"
 }
 },
- "cwes": {
- "type": "array",
- "title": "CWEs",
- "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.",
- "examples": [399],
- "items": {
- "$ref": "#/$defs/cwe"
- }
+ "weaknesses": {
+ "$ref": "cyclonedx-weakness-2.0.schema.json#/$defs/weaknesses",
+ "description": "The weaknesses, such as CWE classifications, that give rise to this vulnerability."
 },
 "description": {
 "type": "string",
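Review bot: `useCaseRefs` in the use-case assertion is listed in `required` but carries no `minItems`, so `"useCaseRefs": []` validates while asserting a relationship to nothing; the sibling vulnerability schema in this same commit sets `"minItems": 1` on `mitigatingControls`, and the same one-line constraint belongs here. Separately, `step.number` carries an explicit ordinal while `mainFlow` and `flow.steps` are already ordered arrays, and nothing states which is authoritative when they disagree, nor does `uniqueItems` prevent two steps sharing a number (it compares whole objects). Suggest the `mainFlow` and `flow.steps` descriptions add `Array order is authoritative; number is a display label that should match the array position.`, or drop `number` altogether. `flow.steps` also lacks the `"uniqueItems": true` that `mainFlow` has, which looks like an oversight rather than a deliberate difference.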
@@ -216,6 +211,16 @@
 "justification": {
 "$ref": "#/$defs/impactAnalysisJustification"
 },
+ "mitigatingControls": {
+ "type": "array",
+ "title": "Mitigating Controls",
+ "uniqueItems": true,
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime."
+ },
 "response": {
 "type": "array",
 "title": "Response",
@@ -346,12 +351,6 @@
 }
 }
 },
- "cwe": {
- "type": "integer",
- "minimum": 1,
- "title": "CWE",
- "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"
- },
 "severity": {
 "type": "string",
 "title": "Severity",
@@ -443,7 +442,7 @@
 "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.",
 "protected_at_runtime": "Exploits are prevented at runtime.",
 "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.",
- "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."
+ "protected_by_mitigating_control": "Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. The controls may be referenced using the mitigatingControls property."
 }
 },
 "rating": {
diff --git a/schema/2.0/model/cyclonedx-weakness-2.0.schema.json b/schema/2.0/model/cyclonedx-weakness-2.0.schema.json
new file mode 100644
index 000000000..6680e8d07
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-weakness-2.0.schema.json
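Review bot: The new `mitigatingControls` property says it "substantiates" the `protected_by_mitigating_control`, `protected_at_perimeter` and `protected_at_runtime` justifications, but nothing in the schema ties the two together, so a "not affected" analysis can still claim one of those justifications with no control referenced at all — exactly the unsubstantiated-VEX-claim problem the property appears intended to solve. Draft 2020-12 supports `if`/`then`, so the analysis object can require the references whenever one of those justifications is used; the object this hunk belongs to starts outside the hunk, and the `if`/`then` below would go as siblings of its `properties`. If mandating it is judged too strict for existing producers, the description should at least say that a justification of those kinds without `mitigatingControls` is to be treated as an unsubstantiated claim by consumers. The `@@ -443` wording change is fine; note that the three justification names are taken from the `meta:enum` in that hunk, presumably `impactAnalysisJustification`.
```json
"if": {
  "required": ["justification"],
  "properties": {
    "justification": {
      "enum": ["protected_by_mitigating_control", "protected_at_perimeter", "protected_at_runtime"]
    }
  }
},
"then": {
  "required": ["mitigatingControls"]
}
```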
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-weakness-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Weakness Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "weaknesses": {
+ "type": "array",
+ "title": "Weaknesses",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/weakness"
+ },
+ "description": "A collection of weaknesses, such as CWE classifications, that classify an underlying flaw."
+ },
+ "weakness": {
+ "title": "Weakness",
+ "description": "A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.",
+ "oneOf": [
+ {
+ "type": "object",
+ "title": "CWE Weakness",
+ "description": "A weakness identified by its CWE identifier.",
+ "additionalProperties": false,
+ "required": [
+ "cweId"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."
+ },
+ "cweId": {
+ "type": "integer",
+ "minimum": 1,
+ "title": "CWE Identifier",
+ "description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness."
+ }
+ }
+ },
+ {
+ "type": "object",
+ "title": "Named Weakness",
+ "description": "A weakness identified by a free-text name, used where no CWE classification applies.",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the weakness."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the weakness."
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/schema/behavior-taxonomy.schema.json b/schema/behavior-taxonomy.schema.json
new file mode 100644
index 000000000..2038cd2ec
--- /dev/null
+++ b/schema/behavior-taxonomy.schema.json
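Review bot: The "CWE Weakness" branch closes the object with `additionalProperties: false` and allows only `bom-ref` and `cweId`, so a producer cannot attach the CWE's name or any note about how the weakness applies to this vulnerability — a reader of the BOM gets a bare integer and must look it up, and the `examples: [399]` hint that the old `cwes` property carried is gone too. Allowing optional `name` and `description` on that branch keeps the `oneOf` disjoint, because the "Named Weakness" branch still forbids `cweId`. Also worth a one-line caveat in the `weaknesses` description: `uniqueItems` compares whole objects, so `{"cweId": 79}` and `{"bom-ref": "w1", "cweId": 79}` both validate in one array and duplicate-CWE detection is left to consumers.
```json
"cweId": {
  "type": "integer",
  "minimum": 1,
  "title": "CWE Identifier",
  "description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness."
},
"name": {
  "type": "string",
  "minLength": 1,
  "title": "Name",
  "description": "The name of the weakness as published by CWE. Informational only; cweId is authoritative."
},
"description": {
  "type": "string",
  "title": "Description",
  "description": "A description of how this weakness applies in the referencing vulnerability or threat."
}
```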
@@ -0,0 +1,1492 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/behavior-taxonomy.schema.json", + "type": "string", + "title": "CycloneDX Behavior Taxonomy", + "description": "An independent taxonomy of behaviours that describe actions performed by entities with security, privacy, safety, or operational implications. This taxonomy is maintained separately from the CycloneDX specification and may evolve at a different rate. The taxonomy uses a hierarchical colon-delimited naming convention with three levels: domain (e.g. security), category (e.g. security:authentication), and specific behaviour (e.g. security:authentication:authenticatesUser). Values at any level of the hierarchy are valid.", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "enum": [ + "ai", + "ai:agent", + "ai:agent:actsOnBehalfOfUser", + "ai:agent:coordinatesAgents", + "ai:agent:delegatesTask", + "ai:agent:executesAction", + "ai:agent:invokesTool", + "ai:agent:observesResult", + "ai:agent:plansAction", + "ai:agent:receivesHumanDelegation", + "ai:agent:reflectsOnResult", + "ai:agent:reportsDelegatedAction", + "ai:agent:requestsUserApproval", + "ai:agent:returnsDelegation", + "ai:agent:revisesPlan", + "ai:explainability", + "ai:explainability:attributesFeatures", + "ai:explainability:documentsModel", + "ai:explainability:explainsDecision", + "ai:explainability:tracesPrediction", + "ai:explainability:visualizesModel", + "ai:fairness", + "ai:fairness:auditsModelFairness", + "ai:fairness:calculatesFairnessMetric", + "ai:fairness:detectsBias", + "ai:fairness:handlesProtectedAttribute", + "ai:fairness:mitigatesBias", + "ai:generative", + "ai:generative:citesSource", + 
"ai:generative:filtersOutput", + "ai:generative:generatesAudio", + "ai:generative:generatesCode", + "ai:generative:generatesEmbedding", + "ai:generative:generatesImage", + "ai:generative:generatesText", + "ai:generative:mitigatesHallucination", + "ai:generative:processesPrompt", + "ai:generative:streamsResponse", + "ai:inference", + "ai:inference:appliesThreshold", + "ai:inference:batchesInference", + "ai:inference:cachesPrediction", + "ai:inference:ensemblesModels", + "ai:inference:generatesPrediction", + "ai:inference:infersInRealTime", + "ai:inference:ranksResults", + "ai:inference:scoresConfidence", + "ai:management", + "ai:management:comparesModels", + "ai:management:deploysModel", + "ai:management:loadsModel", + "ai:management:monitorsModel", + "ai:management:retiresModel", + "ai:management:rollsBackModel", + "ai:management:unloadsModel", + "ai:management:versionsModel", + "ai:quality", + "ai:quality:detectsConceptDrift", + "ai:quality:detectsDataDrift", + "ai:quality:detectsOutlier", + "ai:quality:engineersFeatures", + "ai:quality:selectsFeatures", + "ai:quality:validatesInputData", + "ai:robustness", + "ai:robustness:defendsAgainstAdversarial", + "ai:robustness:detectsAdversarialInput", + "ai:robustness:detectsOutOfDistribution", + "ai:robustness:estimatesUncertainty", + "ai:robustness:validatesRobustness", + "ai:training", + "ai:training:appliesTransferLearning", + "ai:training:checkpointsModel", + "ai:training:fineTunesModel", + "ai:training:ingestsTrainingData", + "ai:training:preprocessesTrainingData", + "ai:training:trainsFederatedly", + "ai:training:trainsModel", + "ai:training:tunesHyperparameters", + "ai:training:validatesModel", + "ai:training:validatesTrainingData", + "application", + "application:codeExecution", + "application:codeExecution:compilesCode", + "application:codeExecution:evaluatesExpression", + "application:codeExecution:executesNativeCommand", + "application:codeExecution:executesScript", + 
"application:codeExecution:interpretsCode", + "application:codeExecution:invokesViaReflection", + "application:codeExecution:loadsCodeDynamically", + "application:configuration", + "application:configuration:detectsEnvironment", + "application:configuration:evaluatesFeatureFlag", + "application:configuration:loadsConfiguration", + "application:configuration:reloadsConfiguration", + "application:controlFlow", + "application:controlFlow:awaitsAsyncResult", + "application:controlFlow:catchesException", + "application:controlFlow:emitsEvent", + "application:controlFlow:handlesEvent", + "application:controlFlow:invokesCallback", + "application:controlFlow:invokesHandler", + "application:controlFlow:invokesMiddleware", + "application:controlFlow:schedulesAsyncOperation", + "application:controlFlow:throwsException", + "application:dependencyManagement", + "application:dependencyManagement:closesCircuitBreaker", + "application:dependencyManagement:fallsBack", + "application:dependencyManagement:injectsDependency", + "application:dependencyManagement:opensCircuitBreaker", + "application:dependencyManagement:resolvesDependency", + "application:externalIntegration", + "application:externalIntegration:callsExternalService", + "application:externalIntegration:consumesEvent", + "application:externalIntegration:publishesEvent", + "application:externalIntegration:receivesWebhook", + "application:observability", + "application:observability:emitsTelemetry", + "application:observability:logsOperation", + "application:observability:recordsMetric", + "application:observability:reportsHealth", + "application:observability:tracesRequest", + "application:requestHandling", + "application:requestHandling:authenticatesRequest", + "application:requestHandling:authorizesRequest", + "application:requestHandling:bindsParameters", + "application:requestHandling:parsesRequest", + "application:requestHandling:receivesHttpRequest", + "application:requestHandling:rejectsRequest", + 
"application:requestHandling:routesRequest", + "application:requestHandling:validatesRequest", + "application:responseGeneration", + "application:responseGeneration:generatesResponse", + "application:responseGeneration:readsCookie", + "application:responseGeneration:redirectsRequest", + "application:responseGeneration:returnsError", + "application:responseGeneration:returnsSuccess", + "application:responseGeneration:sendsHttpResponse", + "application:responseGeneration:setsCookie", + "application:responseGeneration:setsHeader", + "application:stateManagement", + "application:stateManagement:acquiresLock", + "application:stateManagement:beginsTransaction", + "application:stateManagement:commitsTransaction", + "application:stateManagement:createsSessionState", + "application:stateManagement:destroysSessionState", + "application:stateManagement:readsSessionState", + "application:stateManagement:releasesLock", + "application:stateManagement:rollsBackTransaction", + "application:stateManagement:synchronizesState", + "application:stateManagement:updatesSessionState", + "data", + "data:encoding", + "data:encoding:appliesXor", + "data:encoding:decodesBaseSixtyFour", + "data:encoding:decodesUrl", + "data:encoding:encodesBaseSixtyFour", + "data:encoding:encodesUrl", + "data:ingestion", + "data:ingestion:pollsSource", + "data:ingestion:readsFile", + "data:ingestion:readsStream", + "data:ingestion:receivesInput", + "data:ingestion:receivesMessage", + "data:ingestion:receivesRequest", + "data:ingestion:subscribesToFeed", + "data:output", + "data:output:formatsResponse", + "data:output:producesOutput", + "data:output:publishesMessage", + "data:output:rendersTemplate", + "data:output:sendsResponse", + "data:output:serializesObject", + "data:output:streamsOutput", + "data:output:writesFile", + "data:parsing", + "data:parsing:decodesData", + "data:parsing:deserializesObject", + "data:parsing:extractsFields", + "data:parsing:parsesData", + "data:parsing:parsesHtml", + 
"data:parsing:parsesJson", + "data:parsing:parsesXml", + "data:query", + "data:query:executesLdapQuery", + "data:query:executesNoSqlQuery", + "data:query:executesSearch", + "data:query:executesSql", + "data:query:executesXPath", + "data:query:queriesData", + "data:storage", + "data:storage:cachesData", + "data:storage:deletesData", + "data:storage:flushesCache", + "data:storage:invalidatesCache", + "data:storage:retrievesData", + "data:storage:storesData", + "data:storage:updatesData", + "data:transformation", + "data:transformation:aggregatesData", + "data:transformation:compressesData", + "data:transformation:decompressesData", + "data:transformation:encodesData", + "data:transformation:enrichesData", + "data:transformation:filtersData", + "data:transformation:joinsData", + "data:transformation:mapsData", + "data:transformation:normalizesData", + "data:transformation:sortsData", + "data:transformation:transformsData", + "evasion", + "evasion:analysisResistance", + "evasion:analysisResistance:detectsAnalysisTool", + "evasion:analysisResistance:detectsDebugger", + "evasion:analysisResistance:detectsEmulator", + "evasion:analysisResistance:detectsSandbox", + "evasion:analysisResistance:detectsVirtualMachine", + "evasion:analysisResistance:evadesDebugger", + "evasion:analysisResistance:evadesEmulator", + "evasion:analysisResistance:evadesSandbox", + "evasion:analysisResistance:evadesVirtualMachine", + "evasion:analysisResistance:usesTimingEvasion", + "evasion:antiSecurity", + "evasion:antiSecurity:detectsAntivirus", + "evasion:antiSecurity:disablesSecuritySoftware", + "evasion:antiSecurity:evadesAntivirus", + "evasion:antiSecurity:terminatesSecurityProcess", + "evasion:indirection", + "evasion:indirection:resolvesApiDynamically", + "evasion:indirection:usesIndirectCalls", + "evasion:indirection:usesProxyExecution", + "evasion:obfuscation", + "evasion:obfuscation:obfuscatesCode", + "evasion:obfuscation:obfuscatesControlFlow", + "evasion:obfuscation:obfuscatesData", + 
"evasion:obfuscation:obfuscatesStrings", + "evasion:obfuscation:packsCode", + "evasion:obfuscation:unpacksAtRuntime", + "file", + "file:directory", + "file:directory:changesDirectory", + "file:directory:createsDirectory", + "file:directory:deletesDirectory", + "file:directory:listsDirectory", + "file:directory:traversesDirectory", + "file:disk", + "file:disk:decryptsVolume", + "file:disk:encryptsVolume", + "file:disk:formatsVolume", + "file:disk:mountsVolume", + "file:disk:unmountsVolume", + "file:disk:wipesDisk", + "file:operations", + "file:operations:appendsToFile", + "file:operations:checksFileExistence", + "file:operations:closesFile", + "file:operations:copiesFile", + "file:operations:createsFile", + "file:operations:deletesFile", + "file:operations:getsFileAttributes", + "file:operations:movesFile", + "file:operations:opensFile", + "file:operations:readsFile", + "file:operations:renamesFile", + "file:operations:setsFileAttributes", + "file:operations:setsFilePermissions", + "file:operations:writesFile", + "gui", + "gui:display", + "gui:display:displaysData", + "gui:display:monitorsDisplay", + "gui:display:updatesDisplay", + "gui:session", + "gui:session:displaysLogin", + "gui:session:interactsWithSession", + "gui:session:switchesSession", + "gui:window", + "gui:window:capturesWindow", + "gui:window:createsWindow", + "gui:window:destroysWindow", + "gui:window:enumeratesWindows", + "gui:window:interactsWithTaskbar", + "gui:window:modifiesWindow", + "hardware", + "hardware:actuator", + "hardware:actuator:calibratesActuator", + "hardware:actuator:controlsBattery", + "hardware:actuator:controlsHeating", + "hardware:actuator:controlsLed", + "hardware:actuator:controlsMotor", + "hardware:actuator:controlsPower", + "hardware:actuator:controlsPump", + "hardware:actuator:controlsTemperature", + "hardware:boot", + "hardware:boot:entersRecoveryMode", + "hardware:boot:executesSecureBoot", + "hardware:boot:locksBootConfiguration", + 
"hardware:boot:modifiesBootConfiguration",
+ "hardware:boot:readsBootConfiguration",
+ "hardware:boot:recordsBootMeasurement",
+ "hardware:boot:verifiesBootLoader",
+ "hardware:firmware",
+ "hardware:firmware:monitorsFirmwareIntegrity",
+ "hardware:firmware:preventsFirmwareRollback",
+ "hardware:firmware:readsFirmwareVersion",
+ "hardware:firmware:updatesFirmware",
+ "hardware:firmware:verifiesFirmwareSignature",
+ "hardware:memory",
+ "hardware:memory:encryptsMemory",
+ "hardware:memory:isolatesMemory",
+ "hardware:memory:protectsStack",
+ "hardware:memory:randomizesAddressSpace",
+ "hardware:memory:readsProtectedMemory",
+ "hardware:memory:writesProtectedMemory",
+ "hardware:peripheral",
+ "hardware:peripheral:accessesCamera",
+ "hardware:peripheral:accessesDisplay",
+ "hardware:peripheral:accessesGpio",
+ "hardware:peripheral:accessesJtag",
+ "hardware:peripheral:accessesKeyboard",
+ "hardware:peripheral:accessesStorageDevice",
+ "hardware:peripheral:accessesUsbDevice",
+ "hardware:peripheral:configuresDma",
+ "hardware:peripheral:protectsDma",
+ "hardware:physicalSecurity",
+ "hardware:physicalSecurity:detectsPhysicalTamper",
+ "hardware:physicalSecurity:disablesDebugInterface",
+ "hardware:physicalSecurity:enablesDebugInterface",
+ "hardware:physicalSecurity:monitorsEnclosure",
+ "hardware:physicalSecurity:respondsToTamper",
+ "hardware:physicalSecurity:zeroizesKeys",
+ "hardware:security",
+ "hardware:security:anchorsInHardwareRoot",
+ "hardware:security:executesInTee",
+ "hardware:security:generatesPufResponse",
+ "hardware:security:usesHsm",
+ "hardware:security:usesSecureElement",
+ "hardware:sensor",
+ "hardware:sensor:calibratesSensor",
+ "hardware:sensor:readsBatteryStatus",
+ "hardware:sensor:readsBloodOxygen",
+ "hardware:sensor:readsBloodPressure",
+ "hardware:sensor:readsCoTwoLevel",
+ "hardware:sensor:readsEcg",
+ "hardware:sensor:readsPowerStatus",
+ "hardware:sensor:readsTemperature",
+ "hardware:sideChannelDefense",
+ "hardware:sideChannelDefense:controlsEmEmissions",
+ "hardware:sideChannelDefense:resistsFaultInjection",
+ "hardware:sideChannelDefense:resistsPowerAnalysis",
+ "hardware:sideChannelDefense:resistsTimingAnalysis",
+ "network",
+ "network:connection",
+ "network:connection:acceptsConnection",
+ "network:connection:detectsConnectionLoss",
+ "network:connection:establishesConnection",
+ "network:connection:reconnects",
+ "network:connection:reusesConnection",
+ "network:connection:sendsHeartbeat",
+ "network:connection:terminatesConnection",
+ "network:discovery",
+ "network:discovery:advertisesService",
+ "network:discovery:discoversService",
+ "network:discovery:enumeratesInterfaces",
+ "network:discovery:probesPort",
+ "network:discovery:queriesDns",
+ "network:discovery:resolvesName",
+ "network:discovery:scansNetwork",
+ "network:protocol",
+ "network:protocol:downgradesProtocol",
+ "network:protocol:framesMessage",
+ "network:protocol:negotiatesProtocol",
+ "network:protocol:parsesMessage",
+ "network:protocol:retransmitsMessage",
+ "network:protocol:upgradesProtocol",
+ "network:protocol:validatesMessage",
+ "network:remoteInteraction",
+ "network:remoteInteraction:accessesRemoteDesktop",
+ "network:remoteInteraction:accessesRemoteShell",
+ "network:remoteInteraction:executesRemoteCommand",
+ "network:remoteInteraction:invokesRemoteProcedure",
+ "network:remoteInteraction:sendsEmail",
+ "network:remoteInteraction:sendsSms",
+ "network:remoteInteraction:transfersFile",
+ "network:routing",
+ "network:routing:configuresProxy",
+ "network:routing:forwardsPacket",
+ "network:routing:redirectsTraffic",
+ "network:routing:routesTraffic",
+ "network:routing:tunnelsTraffic",
+ "network:trafficControl",
+ "network:trafficControl:balancesLoad",
+ "network:trafficControl:filtersTraffic",
+ "network:trafficControl:inspectsTraffic",
+ "network:trafficControl:interceptsTraffic",
+ "network:trafficControl:limitsRate",
+ "network:trafficControl:modifiesTraffic",
+ "network:trafficControl:shapesTraffic",
+ "network:transmission",
+ "network:transmission:broadcastsData",
+ "network:transmission:multicastsData",
+ "network:transmission:receivesData",
+ "network:transmission:sendsData",
+ "network:transmission:streamsData",
+ "privacy",
+ "privacy:collection",
+ "privacy:collection:capturesAudio",
+ "privacy:collection:capturesKeystrokes",
+ "privacy:collection:capturesScreen",
+ "privacy:collection:capturesVideo",
+ "privacy:collection:collectsBehavioralData",
+ "privacy:collection:collectsBiometricData",
+ "privacy:collection:collectsCommunicationContent",
+ "privacy:collection:collectsDeviceInformation",
+ "privacy:collection:collectsFinancialData",
+ "privacy:collection:collectsHealthData",
+ "privacy:collection:collectsInBackground",
+ "privacy:collection:collectsLocationData",
+ "privacy:collection:collectsPersonalData",
+ "privacy:collection:collectsSilently",
+ "privacy:collection:readsBrowserHistory",
+ "privacy:collection:readsClipboard",
+ "privacy:deletion",
+ "privacy:deletion:clearsCache",
+ "privacy:deletion:deletesPersonalData",
+ "privacy:deletion:erasesSecurely",
+ "privacy:deletion:purgesFromBackup",
+ "privacy:deletion:redactsData",
+ "privacy:inference",
+ "privacy:inference:correlatesData",
+ "privacy:inference:createsProfile",
+ "privacy:inference:fingerprintsDevice",
+ "privacy:inference:infersPersonalInformation",
+ "privacy:inference:linksIdentities",
+ "privacy:inference:tracksUser",
+ "privacy:minimization",
+ "privacy:minimization:aggregatesData",
+ "privacy:minimization:anonymizesData",
+ "privacy:minimization:filtersData",
+ "privacy:minimization:generalizesData",
+ "privacy:minimization:limitsCollection",
+ "privacy:minimization:limitsProcessing",
+ "privacy:minimization:pseudonymizesData",
+ "privacy:privacyEnhancement",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy",
+ "privacy:privacyEnhancement:computesMultiparty",
+ "privacy:privacyEnhancement:processesHomomorphically",
+ "privacy:privacyEnhancement:processesLocally",
+ "privacy:retention",
+ "privacy:retention:archivesData",
+ "privacy:retention:backsUpData",
+ "privacy:retention:enforcesRetentionPeriod",
+ "privacy:retention:retainsBeyondPurpose",
+ "privacy:retention:retainsInCache",
+ "privacy:retention:retainsInLog",
+ "privacy:retention:storesPersonalData",
+ "privacy:sharing",
+ "privacy:sharing:disclosesToThirdParty",
+ "privacy:sharing:exportsData",
+ "privacy:sharing:publishesData",
+ "privacy:sharing:sellsData",
+ "privacy:sharing:sharesWithAffiliate",
+ "privacy:sharing:transfersCrossBorder",
+ "privacy:subjectRights",
+ "privacy:subjectRights:correctsData",
+ "privacy:subjectRights:exportsDataPortably",
+ "privacy:subjectRights:honorsErasureRequest",
+ "privacy:subjectRights:honorsObjection",
+ "privacy:subjectRights:providesDataAccess",
+ "privacy:subjectRights:restrictsProcessing",
+ "privacy:transparency",
+ "privacy:transparency:disclosesProcessing",
+ "privacy:transparency:displaysPrivacyNotice",
+ "privacy:transparency:explainsAutomatedDecision",
+ "privacy:transparency:recordsConsent",
+ "privacy:transparency:requestsConsent",
+ "privacy:transparency:withdrawsConsent",
+ "safety",
+ "safety:autonomousBehavior",
+ "safety:autonomousBehavior:acceptsOverride",
+ "safety:autonomousBehavior:enforcesHumanInLoop",
+ "safety:autonomousBehavior:explainsDecision",
+ "safety:autonomousBehavior:requestsGuidance",
+ "safety:autonomousBehavior:respectsDecisionBoundary",
+ "safety:contentSafety",
+ "safety:contentSafety:detectsHarmfulContent",
+ "safety:contentSafety:detectsMisinformation",
+ "safety:contentSafety:enforcesAgeRestriction",
+ "safety:contentSafety:filtersContent",
+ "safety:contentSafety:labelsContent",
+ "safety:harmPrevention",
+ "safety:harmPrevention:preventsEnvironmentalHarm",
+ "safety:harmPrevention:preventsPropertyDamage",
+ "safety:harmPrevention:preventsUserHarm",
+ "safety:harmPrevention:protectsBystanders",
+ "safety:hazardManagement",
+ "safety:hazardManagement:assessesRisk",
+ "safety:hazardManagement:identifiesHazard",
+ "safety:hazardManagement:mitigatesHazard",
+ "safety:hazardManagement:reportsHazard",
+ "safety:humanInteraction",
+ "safety:humanInteraction:adaptsForAccessibility",
+ "safety:humanInteraction:managesCognitiveLoad",
+ "safety:humanInteraction:requestsConfirmation",
+ "safety:humanInteraction:warnsOperator",
+ "safety:operationalSafety",
+ "safety:operationalSafety:acceptsManualOverride",
+ "safety:operationalSafety:enforcesInterlock",
+ "safety:operationalSafety:enforcesOperatingLimits",
+ "safety:operationalSafety:executesEmergencyStop",
+ "safety:operationalSafety:monitorsWatchdog",
+ "safety:operationalSafety:validatesSafetyCondition",
+ "security",
+ "security:auditing",
+ "security:auditing:logsEvent",
+ "security:auditing:logsSecurityEvent",
+ "security:auditing:protectsAuditLog",
+ "security:auditing:purgesLog",
+ "security:auditing:rotatesLog",
+ "security:auditing:signsLogEntry",
+ "security:auditing:timestampsEvent",
+ "security:auditing:transmitsLog",
+ "security:authentication",
+ "security:authentication:authenticatesDevice",
+ "security:authentication:authenticatesService",
+ "security:authentication:authenticatesUser",
+ "security:authentication:bypassesAuthentication",
+ "security:authentication:capturesBiometric",
+ "security:authentication:delegatesAuthentication",
+ "security:authentication:failsAuthentication",
+ "security:authentication:locksAccount",
+ "security:authentication:performsMultiFactorAuthentication",
+ "security:authentication:promptsForCredentials",
+ "security:authentication:unlocksAccount",
+ "security:authentication:validatesBiometric",
+ "security:authentication:validatesCredentials",
+ "security:authorization",
+ "security:authorization:checksPermission",
+ "security:authorization:delegatesAuthority",
+ "security:authorization:deniesAccess",
+ "security:authorization:enforcesRole",
+ "security:authorization:escalatesPrivilege",
+ "security:authorization:evaluatesAttributes",
+ "security:authorization:evaluatesPolicy",
+ "security:authorization:grantsAccess",
+ "security:authorization:grantsImpersonation",
+ "security:authorization:impersonatesUser",
+ "security:authorization:requestsImpersonation",
+ "security:authorization:revokesAccess",
+ "security:authorization:revokesImpersonation",
+ "security:cryptography",
+ "security:cryptography:authenticates",
+ "security:cryptography:checksRevocation",
+ "security:cryptography:decryptsData",
+ "security:cryptography:decryptsDataAtRest",
+ "security:cryptography:decryptsDataInTransit",
+ "security:cryptography:decryptsDisk",
+ "security:cryptography:decryptsSecret",
+ "security:cryptography:destroysKey",
+ "security:cryptography:encryptsData",
+ "security:cryptography:encryptsDataAtRest",
+ "security:cryptography:encryptsDataInTransit",
+ "security:cryptography:encryptsDisk",
+ "security:cryptography:encryptsSecret",
+ "security:cryptography:ensuresAccountability",
+ "security:cryptography:ensuresConfidentiality",
+ "security:cryptography:ensuresIntegrity",
+ "security:cryptography:ensuresNonRepudiation",
+ "security:cryptography:exchangesKey",
+ "security:cryptography:generatesKey",
+ "security:cryptography:generatesRandomValue",
+ "security:cryptography:hashesData",
+ "security:cryptography:hashesPassword",
+ "security:cryptography:identifies",
+ "security:cryptography:issuesCertificate",
+ "security:cryptography:preservesPrivacy",
+ "security:cryptography:presentsClientCertificate",
+ "security:cryptography:presentsServerCertificate",
+ "security:cryptography:retrievesKey",
+ "security:cryptography:revokesCertificate",
+ "security:cryptography:rotatesKey",
+ "security:cryptography:signsCode",
+ "security:cryptography:signsData",
+ "security:cryptography:signsDocument",
+ "security:cryptography:storesKey",
+ "security:cryptography:usesIdentity",
+ "security:cryptography:validatesCertificate",
+ "security:cryptography:validatesToken",
+ "security:cryptography:verifiesCodeSignature",
+ "security:cryptography:verifiesDataSignature",
+ "security:cryptography:verifiesDocumentSignature",
+ "security:cryptography:verifiesHash",
+ "security:cryptography:verifiesSignature",
+ "security:cryptography:wrapsKey",
+ "security:errorHandling",
+ "security:errorHandling:catchesException",
+ "security:errorHandling:disclosesErrorDetails",
+ "security:errorHandling:failsClosed",
+ "security:errorHandling:failsOpen",
+ "security:errorHandling:generatesError",
+ "security:errorHandling:logsError",
+ "security:errorHandling:propagatesError",
+ "security:errorHandling:returnsGenericError",
+ "security:errorHandling:suppressesError",
+ "security:inputHandling",
+ "security:inputHandling:escapesInput",
+ "security:inputHandling:normalizesInput",
+ "security:inputHandling:rejectsInvalidInput",
+ "security:inputHandling:sanitizesInput",
+ "security:inputHandling:truncatesInput",
+ "security:inputHandling:validatesFormat",
+ "security:inputHandling:validatesRange",
+ "security:inputHandling:validatesSchema",
+ "security:integrity",
+ "security:integrity:attestsIntegrity",
+ "security:integrity:detectsTampering",
+ "security:integrity:respondsToTampering",
+ "security:integrity:validatesComponent",
+ "security:integrity:verifiesIntegrity",
+ "security:integrity:verifiesProvenance",
+ "security:outputHandling",
+ "security:outputHandling:encodesOutput",
+ "security:outputHandling:enforcesContentPolicy",
+ "security:outputHandling:escapesOutput",
+ "security:outputHandling:filtersOutput",
+ "security:outputHandling:masksOutput",
+ "security:outputHandling:setsSecurityHeader",
+ "security:session",
+ "security:session:createsSession",
+ "security:session:detectsSessionHijacking",
+ "security:session:invalidatesSession",
+ "security:session:refreshesSession",
+ "security:session:regeneratesSessionId",
+ "security:session:terminatesSession",
+ "security:session:validatesSession",
+ "security:threatResponse",
+ "security:threatResponse:blocksRequest",
+ "security:threatResponse:blocksSource",
+ "security:threatResponse:collectsForensicData",
+ "security:threatResponse:detectsAnomaly",
+ "security:threatResponse:detectsIntrusion",
+ "security:threatResponse:initiatesIncidentResponse",
+ "security:threatResponse:quarantinesElement",
+ "security:threatResponse:raisesAlert",
+ "system",
+ "system:configuration",
+ "system:configuration:deletesRegistryKey",
+ "system:configuration:modifiesGroupPolicy",
+ "system:configuration:readsConfigurationFile",
+ "system:configuration:readsEnvironmentVariable",
+ "system:configuration:readsGroupPolicy",
+ "system:configuration:readsRegistry",
+ "system:configuration:setsEnvironmentVariable",
+ "system:configuration:writesConfigurationFile",
+ "system:configuration:writesRegistry",
+ "system:informationGathering",
+ "system:informationGathering:detectsOsVersion",
+ "system:informationGathering:gathersSystemInformation",
+ "system:informationGathering:queriesHardwareInformation",
+ "system:informationGathering:retrievesHostname",
+ "system:kernelInteraction",
+ "system:kernelInteraction:hooksKernelFunction",
+ "system:kernelInteraction:installsDriver",
+ "system:kernelInteraction:readsKernelMemory",
+ "system:kernelInteraction:writesKernelMemory",
+ "system:lifecycle",
+ "system:lifecycle:appliesUpdate",
+ "system:lifecycle:decommissions",
+ "system:lifecycle:initializes",
+ "system:lifecycle:performsSelfTest",
+ "system:lifecycle:provisions",
+ "system:lifecycle:rollsBack",
+ "system:lifecycle:shutsDown",
+ "system:operationalState",
+ "system:operationalState:entersFailSafeState",
+ "system:operationalState:entersFailSecureState",
+ "system:operationalState:operatesInDegradedMode",
+ "system:operationalState:operatesNormally",
+ "system:operationalState:performsEmergencyShutdown",
+ "system:persistence",
+ "system:persistence:createsScheduledTask",
+ "system:persistence:installsAsService",
+ "system:persistence:loadsAsKernelModule",
+ "system:persistence:registersForStartup",
+ "system:persistence:removesPersistence",
+ "system:processControl",
+ "system:processControl:createsProcess",
+ "system:processControl:dumpsProcessMemory",
+ "system:processControl:enumeratesProcesses",
+ "system:processControl:hooksFunction",
+ "system:processControl:injectsCodeIntoProcess",
+ "system:processControl:modifiesProcess",
+ "system:processControl:resumesProcess",
+ "system:processControl:suspendsProcess",
+ "system:processControl:terminatesProcess",
+ "system:resilience",
+ "system:resilience:activatesRedundancy",
+ "system:resilience:degradesGracefully",
+ "system:resilience:detectsFault",
+ "system:resilience:recoversFromFailure",
+ "system:resilience:toleratesFault",
+ "system:resourceManagement",
+ "system:resourceManagement:allocatesMemory",
+ "system:resourceManagement:deallocatesMemory",
+ "system:resourceManagement:handlesResourceExhaustion",
+ "system:resourceManagement:managesPowerState",
+ "system:resourceManagement:readsFromStorage",
+ "system:resourceManagement:resumesThread",
+ "system:resourceManagement:spawnsThread",
+ "system:resourceManagement:suspendsThread",
+ "system:resourceManagement:terminatesThread",
+ "system:resourceManagement:writesToStorage",
+ "system:serviceControl",
+ "system:serviceControl:createsService",
+ "system:serviceControl:deletesService",
+ "system:serviceControl:enumeratesServices",
+ "system:serviceControl:modifiesService",
+ "system:serviceControl:startsService",
+ "system:serviceControl:stopsService",
+ "system:synchronization",
+ "system:synchronization:acquiresMutex",
+ "system:synchronization:releasesMutex",
+ "system:synchronization:signalsEvent",
+ "system:synchronization:signalsSemaphore",
+ "system:synchronization:waitsOnEvent",
+ "system:synchronization:waitsOnSemaphore",
+ "system:timing",
+ "system:timing:delaysExecution",
+ "system:timing:enforcesDeadline",
+ "system:timing:executesScheduledTask",
+ "system:timing:resetsWatchdog",
+ "system:timing:synchronizesClock",
+ "system:timing:triggersTimeout",
+ "system:timing:waits",
+ "system:userManagement",
+ "system:userManagement:createsUserAccount",
+ "system:userManagement:deletesUserAccount",
+ "system:userManagement:elevatesPrivileges",
+ "system:userManagement:enumeratesUsers",
+ "system:userManagement:impersonatesUser",
+ "system:userManagement:modifiesUserAccount"
+ ],
+ "meta:enum": {
+ "ai": "Behaviours relating to artificial intelligence and machine learning operations.",
+ "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.",
+ "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.",
+ "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.",
+ "ai:agent:delegatesTask": "The entity assigns work to another agent.",
+ "ai:agent:executesAction": "The entity performs planned step.",
+ "ai:agent:invokesTool": "The entity calls external capability.",
+ "ai:agent:observesResult": "The entity captures action outcome.",
+ "ai:agent:plansAction": "The entity determines steps to achieve goal.",
+ "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.",
+ "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.",
+ "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.",
+ "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.",
+ "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.",
+ "ai:agent:revisesPlan": "The entity modifies approach based on results.",
+ "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.",
+ "ai:explainability:attributesFeatures": "The entity identifies influential inputs.",
+ "ai:explainability:documentsModel": "The entity records model design and behaviour.",
+ "ai:explainability:explainsDecision": "The entity provides human-readable rationale.",
+ "ai:explainability:tracesPrediction": "The entity records basis for output.",
+ "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.",
+ "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.",
+ "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.",
+ "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.",
+ "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.",
+ "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.",
+ "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.",
+ "ai:generative": "Behaviours that produce content using generative models.",
+ "ai:generative:citesSource": "The entity attributes generated content.",
+ "ai:generative:filtersOutput": "The entity screens generated content.",
+ "ai:generative:generatesAudio": "The entity produces sound content.",
+ "ai:generative:generatesCode": "The entity produces executable code.",
+ "ai:generative:generatesEmbedding": "The entity produces vector representation.",
+ "ai:generative:generatesImage": "The entity produces visual content.",
+ "ai:generative:generatesText": "The entity produces natural language.",
+ "ai:generative:mitigatesHallucination": "The entity reduces false content generation.",
+ "ai:generative:processesPrompt": "The entity interprets user instruction.",
+ "ai:generative:streamsResponse": "The entity delivers output incrementally.",
+ "ai:inference": "Behaviours that generate predictions using trained models.",
+ "ai:inference:appliesThreshold": "The entity uses decision boundary.",
+ "ai:inference:batchesInference": "The entity processes multiple inputs together.",
+ "ai:inference:cachesPrediction": "The entity stores prediction for reuse.",
+ "ai:inference:ensemblesModels": "The entity combines multiple model outputs.",
+ "ai:inference:generatesPrediction": "The entity produces model output.",
+ "ai:inference:infersInRealTime": "The entity generates prediction with low latency.",
+ "ai:inference:ranksResults": "The entity orders predictions by relevance.",
+ "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.",
+ "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.",
+ "ai:management:comparesModels": "The entity evaluates relative model performance.",
+ "ai:management:deploysModel": "The entity places model into service.",
+ "ai:management:loadsModel": "The entity retrieves model for use.",
+ "ai:management:monitorsModel": "The entity observes model performance.",
+ "ai:management:retiresModel": "The entity removes model from service.",
+ "ai:management:rollsBackModel": "The entity reverts to previous version.",
+ "ai:management:unloadsModel": "The entity removes model from memory.",
+ "ai:management:versionsModel": "The entity tracks model versions.",
+ "ai:quality": "Behaviours that monitor and maintain model and data quality.",
+ "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.",
+ "ai:quality:detectsDataDrift": "The entity identifies input distribution change.",
+ "ai:quality:detectsOutlier": "The entity identifies anomalous input.",
+ "ai:quality:engineersFeatures": "The entity transforms raw data for model.",
+ "ai:quality:selectsFeatures": "The entity chooses relevant input features.",
+ "ai:quality:validatesInputData": "The entity checks inference input quality.",
+ "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.",
+ "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.",
+ "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.",
+ "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.",
+ "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.",
+ "ai:robustness:validatesRobustness": "The entity tests model resilience.",
+ "ai:training": "Behaviours that prepare data and train machine learning models.",
+ "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.",
+ "ai:training:checkpointsModel": "The entity saves model state during training.",
+ "ai:training:fineTunesModel": "The entity refines model for specific task.",
+ "ai:training:ingestsTrainingData": "The entity acquires data for training.",
+ "ai:training:preprocessesTrainingData": "The entity prepares data for training.",
+ "ai:training:trainsFederatedly": "The entity trains on distributed data.",
+ "ai:training:trainsModel": "The entity adjusts model parameters.",
+ "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.",
+ "ai:training:validatesModel": "The entity evaluates model during training.",
+ "ai:training:validatesTrainingData": "The entity checks training data quality.",
+ "application": "Behaviours relating to application-level request processing and business logic.",
+ "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.",
+ "application:codeExecution:compilesCode": "The entity transforms source to executable form.",
+ "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.",
+ "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.",
+ "application:codeExecution:executesScript": "The entity runs script code.",
+ "application:codeExecution:interpretsCode": "The entity executes code without compilation.",
+ "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.",
+ "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.",
+ "application:configuration": "Behaviours that load and manage application configuration settings.",
+ "application:configuration:detectsEnvironment": "The entity determines deployment context.",
+ "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.",
+ "application:configuration:loadsConfiguration": "The entity reads configuration settings.",
+ "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.",
+ "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.",
+ "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.",
+ "application:controlFlow:catchesException": "The entity handles an error condition.",
+ "application:controlFlow:emitsEvent": "The entity triggers an event.",
+ "application:controlFlow:handlesEvent": "The entity responds to an event.",
+ "application:controlFlow:invokesCallback": "The entity executes a callback function.",
+ "application:controlFlow:invokesHandler": "The entity calls a request handler.",
+ "application:controlFlow:invokesMiddleware": "The entity executes middleware component.",
+ "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.",
+ "application:controlFlow:throwsException": "The entity raises an error condition.",
+ "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.",
+ "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.",
+ "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.",
+ "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.",
+ "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.",
+ "application:dependencyManagement:resolvesDependency": "The entity locates required component.",
+ "application:externalIntegration": "Behaviours that communicate with external services and systems.",
+ "application:externalIntegration:callsExternalService": "The entity invokes an external API.",
+ "application:externalIntegration:consumesEvent": "The entity receives event from external system.",
+ "application:externalIntegration:publishesEvent": "The entity sends event to external system.",
+ "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.",
+ "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.",
+ "application:observability:emitsTelemetry": "The entity transmits operational data.",
+ "application:observability:logsOperation": "The entity records an operational event.",
+ "application:observability:recordsMetric": "The entity captures a quantitative measurement.",
+ "application:observability:reportsHealth": "The entity communicates operational status.",
+ "application:observability:tracesRequest": "The entity tracks request across services.",
+ "application:requestHandling": "Behaviours that receive and process incoming requests.",
+ "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.",
+ "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.",
+ "application:requestHandling:bindsParameters": "The entity maps request data to parameters.",
+ "application:requestHandling:parsesRequest": "The entity interprets incoming request.",
+ "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.",
+ "application:requestHandling:rejectsRequest": "The entity refuses to process request.",
+ "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.",
+ "application:requestHandling:validatesRequest": "The entity verifies request validity.",
+ "application:responseGeneration": "Behaviours that construct and transmit responses to requests.",
+ "application:responseGeneration:generatesResponse": "The entity creates a response.",
+ "application:responseGeneration:readsCookie": "The entity retrieves cookie value.",
+ "application:responseGeneration:redirectsRequest": "The entity sends client to different location.",
+ "application:responseGeneration:returnsError": "The entity indicates failure.",
+ "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.",
+ "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.",
+ "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.",
+ "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.",
+ "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.",
+ "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.",
+ "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.",
+ "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.",
+ "application:stateManagement:createsSessionState": "The entity initialises session data.",
+ "application:stateManagement:destroysSessionState": "The entity removes session data.",
+ "application:stateManagement:readsSessionState": "The entity retrieves session data.",
+ "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.",
+ "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.",
+ "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.",
+ "application:stateManagement:updatesSessionState": "The entity modifies session data.",
+ "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.",
+ "data:encoding": "Behaviours that apply specific encoding schemes to data.",
+ "data:encoding:appliesXor": "The entity transforms data using XOR operation.",
+ "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.",
+ "data:encoding:decodesUrl": "The entity converts URL-encoded data.",
+ "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.",
+ "data:encoding:encodesUrl": "The entity converts data for URL inclusion.",
+ "data:ingestion": "Behaviours that acquire data from external sources.",
+ "data:ingestion:pollsSource": "The entity periodically checks for new data.",
+ "data:ingestion:readsFile": "The entity retrieves data from a file.",
+ "data:ingestion:readsStream": "The entity consumes data from a continuous source.",
+ "data:ingestion:receivesInput": "The entity accepts data from an external source.",
+ "data:ingestion:receivesMessage": "The entity accepts a message from a queue.",
+ "data:ingestion:receivesRequest": "The entity accepts an incoming request.",
+ "data:ingestion:subscribesToFeed": "The entity registers to receive updates.",
+ "data:output": "Behaviours that produce and transmit data to external consumers.",
+ "data:output:formatsResponse": "The entity structures data for delivery.",
+ "data:output:producesOutput": "The entity generates data for consumption.",
+ "data:output:publishesMessage": "The entity sends a message to a queue.",
+ "data:output:rendersTemplate": "The entity generates output from a template.",
+ "data:output:sendsResponse": "The entity transmits a reply.",
+ "data:output:serializesObject": "The entity converts object to transmittable form.",
+ "data:output:streamsOutput": "The entity continuously produces data.",
+ "data:output:writesFile": "The entity saves data to a file.",
+ "data:parsing": "Behaviours that interpret and extract information from structured data formats.",
+ "data:parsing:decodesData": "The entity converts encoded data to original form.",
+ "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.",
+ "data:parsing:extractsFields": "The entity isolates specific data elements.",
+ "data:parsing:parsesData": "The entity interprets structured data.",
+ "data:parsing:parsesHtml": "The entity interprets HTML content.",
+ "data:parsing:parsesJson": "The entity interprets JSON-formatted data.",
+ "data:parsing:parsesXml": "The entity interprets XML-formatted data.",
+ "data:query": "Behaviours that retrieve data based on specified criteria.",
+ "data:query:executesLdapQuery": "The entity queries an LDAP directory.",
+ "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.",
+ "data:query:executesSearch": "The entity performs full-text or indexed search.",
+ "data:query:executesSql": "The entity runs a SQL statement.",
+ "data:query:executesXPath": "The entity evaluates an XPath expression.",
+ "data:query:queriesData": "The entity retrieves data matching criteria.",
+ "data:storage": "Behaviours that persist and retrieve data from storage systems.",
+ "data:storage:cachesData": "The entity stores data for quick retrieval.",
+ "data:storage:deletesData": "The entity removes stored data.",
+ "data:storage:flushesCache": "The entity writes cached data to persistent storage.",
+ "data:storage:invalidatesCache": "The entity marks cached data as stale.",
+ "data:storage:retrievesData": "The entity fetches stored data.",
+ "data:storage:storesData": "The entity saves data persistently.",
+ "data:storage:updatesData": "The entity modifies stored data.",
+ "data:transformation": "Behaviours that convert data from one form or structure to another.",
+ "data:transformation:aggregatesData": "The entity combines multiple values.",
+ "data:transformation:compressesData": "The entity reduces data size.",
+ "data:transformation:decompressesData": "The entity restores compressed data.",
+ "data:transformation:encodesData": "The entity converts data to encoded form.",
+ "data:transformation:enrichesData": "The entity adds information from external sources.",
+ "data:transformation:filtersData": "The entity removes unwanted elements.",
+ "data:transformation:joinsData": "The entity combines data from multiple sources.",
+ "data:transformation:mapsData": "The entity converts between data structures.",
+ "data:transformation:normalizesData": "The entity converts to standard form.",
+ "data:transformation:sortsData": "The entity orders data elements.",
+ "data:transformation:transformsData": "The entity converts data from one form to another.",
+ "evasion": "Behaviours relating to techniques that avoid detection and analysis.",
+ "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.",
+ "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.",
+ "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.",
+ "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.",
+ "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.",
+ "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.",
+ "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.",
+ "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.",
+ "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.",
+ "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.",
+ "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.",
+ "evasion:antiSecurity": "Behaviours that detect and disable security software.",
+ "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.",
+ "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.",
+ "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.",
+ "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.",
+ "evasion:indirection": "Behaviours that use indirect methods to execute code.",
+ "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.",
+ "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.",
+ "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.",
+ "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.",
+ "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.",
+ "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.",
+ "evasion:obfuscation:obfuscatesData": "The entity hides data structures.",
+ "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.",
+ "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.",
+ "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.",
+ "file": "Behaviours relating to file system operations and disk management.",
+ "file:directory": "Behaviours that create and navigate directory structures.",
+ "file:directory:changesDirectory": "The entity sets current working directory.",
+ "file:directory:createsDirectory": "The entity creates a new directory.",
+ "file:directory:deletesDirectory": "The entity removes a directory.",
+ "file:directory:listsDirectory": "The entity enumerates directory contents.",
+ "file:directory:traversesDirectory": "The entity recursively explores directories.",
+ "file:disk": "Behaviours that manage storage volumes and disk-level operations.",
+ "file:disk:decryptsVolume": "The entity decrypts a storage volume.",
+ "file:disk:encryptsVolume": "The entity encrypts a storage volume.",
+ "file:disk:formatsVolume": "The entity prepares storage for use.",
+ "file:disk:mountsVolume": "The entity attaches a storage volume.",
+ "file:disk:unmountsVolume": "The entity detaches a storage volume.",
+ "file:disk:wipesDisk": "The entity securely erases disk contents.",
+ "file:operations": "Behaviours that create and manipulate files.",
+ "file:operations:appendsToFile": "The entity adds data to end of file.",
+ "file:operations:checksFileExistence": "The entity verifies whether a file exists.",
+ "file:operations:closesFile": "The entity releases file access.",
+ "file:operations:copiesFile": "The entity duplicates a file.",
+ "file:operations:createsFile": "The entity creates a new file.",
+ "file:operations:deletesFile": "The entity removes a file.",
+ "file:operations:getsFileAttributes": "The entity retrieves file metadata.",
+ "file:operations:movesFile": "The entity relocates a file.",
+ "file:operations:opensFile": "The entity prepares a file for access.",
+ "file:operations:readsFile": "The entity retrieves file contents.",
+ "file:operations:renamesFile": "The entity changes a file name.",
+ "file:operations:setsFileAttributes": "The entity modifies file metadata.",
+ "file:operations:setsFilePermissions": "The entity modifies file access permissions.",
+ "file:operations:writesFile": "The entity modifies file contents.",
+ "gui": "Behaviours relating to graphical user interface interactions.",
+ "gui:display": "Behaviours that render and monitor visual output.",
+ "gui:display:displaysData": "The entity renders information visually.",
+ "gui:display:monitorsDisplay": "The entity observes displayed content.",
+ "gui:display:updatesDisplay": "The entity refreshes visual presentation.",
+ "gui:session": "Behaviours that interact with user login sessions.",
+ "gui:session:displaysLogin": "The entity presents login interface.",
+ "gui:session:interactsWithSession": "The entity operates within user session.",
+ "gui:session:switchesSession": "The entity changes active user session.",
+ "gui:window": "Behaviours that create and manipulate graphical windows.",
+ "gui:window:capturesWindow": "The entity captures window contents.",
+ "gui:window:createsWindow": "The entity creates a graphical window.",
+ 
"gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": "The entity lists open windows.", + "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.", + "gui:window:modifiesWindow": "The entity changes window properties.", + "hardware": "Behaviours relating to hardware components and physical device interactions.", + "hardware:actuator": "Behaviours that control physical actuators and output devices.", + "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", + "hardware:actuator:controlsBattery": "The entity manages battery charging.", + "hardware:actuator:controlsHeating": "The entity manages heating element.", + "hardware:actuator:controlsLed": "The entity manages LED indicator.", + "hardware:actuator:controlsMotor": "The entity manages motor operation.", + "hardware:actuator:controlsPower": "The entity manages power distribution.", + "hardware:actuator:controlsPump": "The entity manages fluid pump.", + "hardware:actuator:controlsTemperature": "The entity regulates temperature.", + "hardware:boot": "Behaviours that verify and configure system startup processes.", + "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", + "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", + "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", + "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", + "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", + "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", + "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", + "hardware:firmware": "Behaviours that manage and verify firmware integrity.", + "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", + "hardware:firmware:preventsFirmwareRollback": "The entity blocks 
reversion to old firmware.", + "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", + "hardware:firmware:updatesFirmware": "The entity applies firmware changes.", + "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", + "hardware:memory": "Behaviours that protect and isolate memory regions.", + "hardware:memory:encryptsMemory": "The entity protects memory contents.", + "hardware:memory:isolatesMemory": "The entity separates memory regions.", + "hardware:memory:protectsStack": "The entity defends against stack attacks.", + "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", + "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", + "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", + "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", + "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.", + "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", + "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", + "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", + "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", + "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", + "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", + "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", + "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", + "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", + "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", + "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", + 
"hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", + "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", + "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", + "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", + "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", + "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", + "hardware:security:executesInTee": "The entity runs in trusted execution environment.", + "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", + "hardware:security:usesHsm": "The entity employs hardware security module.", + "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", + "hardware:sensor": "Behaviours that read measurements from hardware sensors.", + "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", + "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", + "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", + "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", + "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", + "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", + "hardware:sensor:readsPowerStatus": "The entity obtains power state.", + "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", + "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", + "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", + "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", + "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity 
protects against power-based attacks.", + "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", + "network": "Behaviours relating to network communication and data transmission between systems.", + "network:connection": "Behaviours that establish and manage network connections.", + "network:connection:acceptsConnection": "The entity receives an incoming connection.", + "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", + "network:connection:establishesConnection": "The entity initiates a network connection.", + "network:connection:reconnects": "The entity re-establishes a dropped connection.", + "network:connection:reusesConnection": "The entity uses a pooled connection.", + "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.", + "network:connection:terminatesConnection": "The entity closes a network connection.", + "network:discovery": "Behaviours that locate and advertise network services and resources.", + "network:discovery:advertisesService": "The entity announces its availability.", + "network:discovery:discoversService": "The entity locates an available service.", + "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.", + "network:discovery:probesPort": "The entity checks if a port is open.", + "network:discovery:queriesDns": "The entity requests DNS resolution.", + "network:discovery:resolvesName": "The entity translates a name to an address.", + "network:discovery:scansNetwork": "The entity probes for active hosts or services.", + "network:protocol": "Behaviours that negotiate and implement communication protocols.", + "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.", + "network:protocol:framesMessage": "The entity structures data for transmission.", + "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.", + 
"network:protocol:parsesMessage": "The entity interprets received network data.", + "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.", + "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.", + "network:protocol:validatesMessage": "The entity verifies message format and integrity.", + "network:remoteInteraction": "Behaviours that execute operations on remote systems.", + "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.", + "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.", + "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.", + "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.", + "network:remoteInteraction:sendsEmail": "The entity transmits an email message.", + "network:remoteInteraction:sendsSms": "The entity transmits a text message.", + "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.", + "network:routing": "Behaviours that direct network traffic to its destination.", + "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.", + "network:routing:forwardsPacket": "The entity passes a packet toward its destination.", + "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.", + "network:routing:routesTraffic": "The entity directs network traffic to destinations.", + "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.", + "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.", + "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.", + "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.", + 
"network:trafficControl:inspectsTraffic": "The entity examines traffic contents.", + "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.", + "network:trafficControl:limitsRate": "The entity restricts traffic volume.", + "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.", + "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.", + "network:transmission": "Behaviours that send and receive data over network connections.", + "network:transmission:broadcastsData": "The entity sends data to multiple recipients.", + "network:transmission:multicastsData": "The entity sends data to a group of recipients.", + "network:transmission:receivesData": "The entity accepts data from the network.", + "network:transmission:sendsData": "The entity transmits data over the network.", + "network:transmission:streamsData": "The entity continuously transmits or receives data.", + "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.", + "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.", + "privacy:collection:capturesAudio": "The entity records sound via microphone.", + "privacy:collection:capturesKeystrokes": "The entity records keyboard input.", + "privacy:collection:capturesScreen": "The entity records display contents.", + "privacy:collection:capturesVideo": "The entity records images via camera.", + "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.", + "privacy:collection:collectsBiometricData": "The entity captures biometric information.", + "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.", + "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.", + "privacy:collection:collectsFinancialData": "The entity gathers payment or financial 
information.", + "privacy:collection:collectsHealthData": "The entity gathers protected health information.", + "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.", + "privacy:collection:collectsLocationData": "The entity gathers geographical position information.", + "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.", + "privacy:collection:collectsSilently": "The entity gathers data without user awareness.", + "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.", + "privacy:collection:readsClipboard": "The entity accesses clipboard contents.", + "privacy:deletion": "Behaviours that remove or destroy personal data.", + "privacy:deletion:clearsCache": "The entity removes data from temporary storage.", + "privacy:deletion:deletesPersonalData": "The entity removes personal data.", + "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", + "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.", + "privacy:deletion:redactsData": "The entity removes specific content from records.", + "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", + "privacy:inference:correlatesData": "The entity combines data from multiple sources.", + "privacy:inference:createsProfile": "The entity builds a profile from collected data.", + "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", + "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", + "privacy:inference:linksIdentities": "The entity associates data across contexts.", + "privacy:inference:tracksUser": "The entity follows user activity across sessions.", + "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", + "privacy:minimization:aggregatesData": "The entity 
combines records into summaries.", + "privacy:minimization:anonymizesData": "The entity removes identifying information.", + "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", + "privacy:minimization:generalizesData": "The entity reduces data precision.", + "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", + "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", + "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", + "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", + "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", + "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", + "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", + "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.", + "privacy:retention": "Behaviours that store personal data over time.", + "privacy:retention:archivesData": "The entity moves data to long-term storage.", + "privacy:retention:backsUpData": "The entity creates copies for recovery.", + "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", + "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", + "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", + "privacy:retention:retainsInLog": "The entity keeps data in log files.", + "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", + "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", + "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", + "privacy:sharing:exportsData": "The entity outputs 
data in portable format.", + "privacy:sharing:publishesData": "The entity makes data publicly available.", + "privacy:sharing:sellsData": "The entity provides data in exchange for value.", + "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", + "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", + "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", + "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", + "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", + "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", + "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.", + "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", + "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", + "privacy:transparency": "Behaviours that inform individuals about data processing activities.", + "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.", + "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.", + "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.", + "privacy:transparency:recordsConsent": "The entity stores consent decisions.", + "privacy:transparency:requestsConsent": "The entity asks for processing permission.", + "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.", + "safety": "Behaviours relating to the prevention of harm to users and the environment.", + "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.", + "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.", + 
"safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.", + "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.", + "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.", + "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.", + "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.", + "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.", + "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.", + "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.", + "safety:contentSafety:filtersContent": "The entity blocks or restricts content.", + "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.", + "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.", + "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", + "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", + "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", + "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", + "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", + "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", + "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", + "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", + "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", + "safety:humanInteraction": "Behaviours that 
manage communication and interaction with human operators.", + "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", + "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", + "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", + "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", + "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", + "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", + "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", + "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.", + "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", + "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", + "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", + "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", + "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", + "security:auditing:logsEvent": "The entity records an occurrence.", + "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", + "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", + "security:auditing:purgesLog": "The entity deletes old log records.", + "security:auditing:rotatesLog": "The entity archives and starts new log files.", + "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", + "security:auditing:timestampsEvent": "The entity records when an event occurred.", + 
"security:auditing:transmitsLog": "The entity sends log data to a remote destination.", + "security:authentication": "Behaviours that verify the identity of users and entities.", + "security:authentication:authenticatesDevice": "The entity confirms device identity.", + "security:authentication:authenticatesService": "The entity confirms service identity.", + "security:authentication:authenticatesUser": "The entity confirms user identity.", + "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", + "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", + "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", + "security:authentication:failsAuthentication": "The entity rejects invalid credentials.", + "security:authentication:locksAccount": "The entity prevents further authentication attempts.", + "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", + "security:authentication:promptsForCredentials": "The entity requests authentication information.", + "security:authentication:unlocksAccount": "The entity restores authentication capability.", + "security:authentication:validatesBiometric": "The entity verifies biometric data.", + "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", + "security:authorization": "Behaviours that determine and enforce access permissions.", + "security:authorization:checksPermission": "The entity verifies access rights.", + "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", + "security:authorization:deniesAccess": "The entity refuses a requested action.", + "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", + "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", + 
"security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", + "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.", + "security:authorization:grantsAccess": "The entity permits a requested action.", + "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", + "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", + "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", + "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", + "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", + "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", + "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.", + "security:cryptography:checksRevocation": "The entity queries certificate revocation status.", + "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", + "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.", + "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.", + "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.", + "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.", + "security:cryptography:destroysKey": "The entity securely erases a key.", + "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", + "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable 
form.", + "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.", + "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.", + "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.", + "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.", + "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.", + "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.", + "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.", + "security:cryptography:exchangesKey": "The entity shares a key with another party.", + "security:cryptography:generatesKey": "The entity creates a cryptographic key.", + "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.", + "security:cryptography:hashesData": "The entity generates a cryptographic hash.", + "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.", + "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.", + "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", + "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.", + "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.", + "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.", + "security:cryptography:retrievesKey": "The entity obtains a stored key.", + "security:cryptography:revokesCertificate": "The entity 
invalidates a certificate.", + "security:cryptography:rotatesKey": "The entity replaces a key with a new one.", + "security:cryptography:signsCode": "The entity applies a digital signature to executable code.", + "security:cryptography:signsData": "The entity creates a digital signature.", + "security:cryptography:signsDocument": "The entity applies a digital signature to a document.", + "security:cryptography:storesKey": "The entity saves a key securely.", + "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.", + "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.", + "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.", + "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.", + "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.", + "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.", + "security:cryptography:verifiesHash": "The entity validates data against a hash.", + "security:cryptography:verifiesSignature": "The entity validates a digital signature.", + "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.", + "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.", + "security:errorHandling:catchesException": "The entity intercepts an error condition.", + "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.", + "security:errorHandling:failsClosed": "The entity denies access when controls fail.", + "security:errorHandling:failsOpen": "The entity permits access when controls fail.", + "security:errorHandling:generatesError": "The entity produces an error condition.", + "security:errorHandling:logsError": 
"The entity records an error condition.", + "security:errorHandling:propagatesError": "The entity passes an error to caller.", + "security:errorHandling:returnsGenericError": "The entity provides minimal error information.", + "security:errorHandling:suppressesError": "The entity hides an error condition.", + "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.", + "security:inputHandling:escapesInput": "The entity encodes special characters in input.", + "security:inputHandling:normalizesInput": "The entity converts input to standard form.", + "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.", + "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.", + "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.", + "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.", + "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.", + "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.", + "security:integrity": "Behaviours that verify and protect the integrity of data and code.", + "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.", + "security:integrity:detectsTampering": "The entity identifies modification attempts.", + "security:integrity:respondsToTampering": "The entity reacts to detected tampering.", + "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.", + "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.", + "security:integrity:verifiesProvenance": "The entity confirms origin and history.", + "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.", + 
"security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.", + "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.", + "security:outputHandling:escapesOutput": "The entity encodes special characters in output.", + "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.", + "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.", + "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.", + "security:session": "Behaviours that manage authenticated user sessions.", + "security:session:createsSession": "The entity establishes an authenticated session.", + "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.", + "security:session:invalidatesSession": "The entity revokes session validity.", + "security:session:refreshesSession": "The entity extends session lifetime.", + "security:session:regeneratesSessionId": "The entity creates a new session identifier.", + "security:session:terminatesSession": "The entity ends an authenticated session.", + "security:session:validatesSession": "The entity verifies session validity.", + "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.", + "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.", + "security:threatResponse:blocksSource": "The entity prevents further requests from a source.", + "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.", + "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.", + "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.", + "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.", + "security:threatResponse:quarantinesElement": "The entity 
isolates a suspicious item.", + "security:threatResponse:raisesAlert": "The entity notifies of a security event.", + "system": "Behaviours relating to operating system interactions and the management of computational resources.", + "system:configuration": "Behaviours that read and modify system configuration settings.", + "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.", + "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.", + "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.", + "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.", + "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.", + "system:configuration:readsRegistry": "The entity retrieves values from the system registry.", + "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.", + "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.", + "system:configuration:writesRegistry": "The entity stores values in the system registry.", + "system:informationGathering": "Behaviours that collect information about the host system and its configuration.", + "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.", + "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.", + "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.", + "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.", + "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.", + "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.", + "system:kernelInteraction:installsDriver": "The entity loads a 
kernel-mode driver.", + "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.", + "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.", + "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.", + "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.", + "system:lifecycle:decommissions": "The entity securely retires from service.", + "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.", + "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.", + "system:lifecycle:provisions": "The entity configures itself for deployment.", + "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.", + "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.", + "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.", + "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.", + "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.", + "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.", + "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.", + "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.", + "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.", + "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.", + "system:persistence:installsAsService": "The entity registers itself as a system service.", + 
"system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.", + "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.", + "system:persistence:removesPersistence": "The entity removes its persistence mechanism.", + "system:processControl": "Behaviours that create and manipulate operating system processes.", + "system:processControl:createsProcess": "The entity starts a new process.", + "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.", + "system:processControl:enumeratesProcesses": "The entity lists running processes.", + "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.", + "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.", + "system:processControl:modifiesProcess": "The entity changes attributes of a running process.", + "system:processControl:resumesProcess": "The entity continues paused process execution.", + "system:processControl:suspendsProcess": "The entity pauses process execution.", + "system:processControl:terminatesProcess": "The entity ends a running process.", + "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.", + "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.", + "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.", + "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.", + "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.", + "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.", + "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and 
threads.", + "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.", + "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.", + "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.", + "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.", + "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.", + "system:resourceManagement:resumesThread": "The entity continues paused thread execution.", + "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.", + "system:resourceManagement:suspendsThread": "The entity pauses thread execution.", + "system:resourceManagement:terminatesThread": "The entity ends an execution thread.", + "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", + "system:serviceControl": "Behaviours that manage system services and daemons.", + "system:serviceControl:createsService": "The entity installs a system service or daemon.", + "system:serviceControl:deletesService": "The entity removes a system service.", + "system:serviceControl:enumeratesServices": "The entity lists installed services.", + "system:serviceControl:modifiesService": "The entity changes service configuration.", + "system:serviceControl:startsService": "The entity initiates service execution.", + "system:serviceControl:stopsService": "The entity halts service execution.", + "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", + "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", + "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", + "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", + "system:synchronization:signalsSemaphore": "The 
entity releases a semaphore.", + "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", + "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", + "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", + "system:timing:delaysExecution": "The entity postpones an operation.", + "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", + "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", + "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", + "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", + "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.", + "system:timing:waits": "The entity pauses execution for a specified duration.", + "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", + "system:userManagement:createsUserAccount": "The entity adds a new user account.", + "system:userManagement:deletesUserAccount": "The entity removes a user account.", + "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", + "system:userManagement:enumeratesUsers": "The entity lists user accounts.", + "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", + "system:userManagement:modifiesUserAccount": "The entity changes user account properties." + } +} diff --git a/tools/src/main/js/bundler/bundle-schemas.js b/tools/src/main/js/bundler/bundle-schemas.js index 784a3c0e3..c074c78f3 100644 --- a/tools/src/main/js/bundler/bundle-schemas.js +++ b/tools/src/main/js/bundler/bundle-schemas.js 
@@ -7,6 +7,7 @@ const path = require('path');
 // This constant is used as the default value for ref exceptions; can be overridden via options.refExceptions.
 const DEFAULT_REF_EXCEPTION_FILES = [
 'spdx.schema.json',
+ 'behavior-taxonomy.schema.json',
 'cryptography-defs.schema.json',
 'jsf-0.82.schema.json'
 ];
diff --git a/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json b/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json
new file mode 100644
index 000000000..d43fc4107
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json
@@ -0,0 +1,30 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0004-4abc-8def-1122334455dd",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-bad-node",
+ "name": "Activity node with two mutually exclusive sources",
+ "modelTypes": [
+ "process"
+ ],
+ "behaviors": {
+ "graphs": [
+ {
+ "bom-ref": "g-bad",
+ "nodes": [
+ {
+ "bom-ref": "n-bad",
+ "kind": "activity",
+ "behavior": "data:ingestion:receivesRequest",
+ "graph": "g-other"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json
new file mode 100644
index 000000000..1bb797091
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json
@@ -0,0 +1,26 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:1a2b3c4d-5e6f-4079-8190-2b3c4d5e6f70",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-legacy-auth",
+ "name": "Legacy authentication values",
+ "modelTypes": [
+ "data-flow"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-legacy",
+ "type": "service",
+ "name": "Legacy service",
+ "authentication": [
+ "mfa",
+ "mTLS"
+ ]
+ }
+ ]
+ }
+ ]
+}
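Review bot: Listing 'behavior-taxonomy.schema.json' in DEFAULT_REF_EXCEPTION_FILES presumably leaves every `$ref` into the taxonomy unresolved in the bundled schema, so a consumer validating offline must ship that file next to the bundle or its validator fails — or, for validators that resolve remote refs, silently fetches over the network at validation time. The constant should state that contract, e.g. `// Schemas listed here stay as external $refs in the bundle; consumers must make them resolvable locally (no remote fetch at validation time).` above the array. I am inferring the exclusion semantics from the name and the existing comment; the bundler's ref handling is outside this hunk and should be checked.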
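Review bot: This negative fixture may be rejected for a reason other than the one it is meant to test: `"modelTypes": ["process"]` is a bare string, while the prototypes added in this same change use object entries (`{ "type": "behavioral" }`), so if the schema takes objects the document fails on modelTypes before the node carrying both `behavior` and `graph` is ever evaluated. A negative test has to fail for exactly one violation or it proves nothing about the constraint it is named for. Use the modelTypes shape of a known-valid fixture, and consider renaming the file — it exercises a graph node with two mutually exclusive sources, not a flow step.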
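Review bot: Two values are retired at once (`"mfa"`, `"mTLS"`), so when validation fails the test cannot tell whether either value alone is still accepted; one fixture per retired value, or a single value here, isolates the check. It would also help to record in `"name"` which current enum values replaced them, so the fixture still explains itself when someone later asks why `mTLS` is rejected.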
diff --git a/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json
new file mode 100644
index 000000000..eb8e00d51
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json
@@ -0,0 +1,25 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:5e4d3c2b-1a09-4f8e-9d7c-6b5a4c3d2e1f",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-legacy-authz",
+ "name": "Removed authorization model",
+ "modelTypes": [
+ "data-flow"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-legacy-authz",
+ "type": "service",
+ "name": "Legacy service",
+ "authorization": [
+ "cbac"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json
new file mode 100644
index 000000000..05a01a8b9
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json
@@ -0,0 +1,35 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0006-4abc-8def-1122334455ff",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-bad-relationship",
+ "name": "Relationship with unknown type",
+ "modelTypes": [
+ "architecture"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-a",
+ "type": "service",
+ "name": "Service A"
+ },
+ {
+ "bom-ref": "asset-b",
+ "type": "service",
+ "name": "Service B"
+ }
+ ],
+ "relationships": [
+ {
+ "ref": "asset-a",
+ "uses": [
+ "asset-b"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json
new file mode 100644
index 000000000..e2e6d0420
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json
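Review bot: The relationship `{ "ref": "asset-a", "uses": ["asset-b"] }` has no type property at all — the would-be type name `uses` is used as a key — so if relationships are closed objects the fixture is rejected for an unknown property and the relationship-type enum is never exercised. Supply the real discriminator with a bogus value, e.g. `"type": "not-a-real-type"`, alongside whatever target-list property the schema defines, and keep a separate fixture if the unknown-property case is wanted too. The property names are inferred from the fixture's title; the relationship schema itself is outside this diff.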
@@ -0,0 +1,26 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:9f8e7d6c-5b4a-4039-8271-1a2b3c4d5e6f",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-legacy",
+ "name": "Legacy visualization shape",
+ "modelTypes": [
+ "data-flow"
+ ],
+ "visualizations": [
+ {
+ "bom-ref": "viz-legacy",
+ "name": "Old shape using removed properties",
+ "type": {
+ "type": "data-flow"
+ },
+ "format": "mermaid",
+ "content": "flowchart LR; a-->b"
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json
new file mode 100644
index 000000000..eb6eff09e
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json
@@ -0,0 +1,24 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:4d3c2b1a-6e5f-4a09-9b8c-7d6e5f4a3b2c",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-renamed",
+ "name": "Renamed visualization type",
+ "modelTypes": [
+ "behavioral"
+ ],
+ "visualizations": [
+ {
+ "bom-ref": "viz-collaboration",
+ "name": "Uses the renamed-away collaboration type",
+ "type": {
+ "type": "collaboration"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json b/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json
new file mode 100644
index 000000000..87a7a8055
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:5e2c8a4d-1b9f-4c3e-a7d0-6f4b2e9c8a15",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-unnamed"
+ }
+ ]
+}
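Review bot: The visualization carries two removed properties at once, `"format": "mermaid"` and `"content": "flowchart LR; a-->b"`; if either alone trips the schema's closed-object check, a failing run does not tell which one is actually rejected, and the file is named after only one of them. Drop `content` here (or split into two fixtures) so the test pins the `format` removal specifically. Whether the visualization object is closed is inferred from the fixture's purpose; the schema is outside this diff.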
diff --git a/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json b/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json
new file mode 100644
index 000000000..4c21016d4
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json
@@ -0,0 +1,14 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3a7f1c5e-8d4b-4e2a-9b0c-7e5d3f1a6c92",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-bad-status",
+ "name": "Control with an unknown status",
+ "status": "active"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json b/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json
new file mode 100644
index 000000000..43b33b783
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json
@@ -0,0 +1,34 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0005-4abc-8def-1122334455ee",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-bad-cardinality",
+ "name": "Data relationship with invalid cardinality",
+ "modelTypes": [
+ "logical"
+ ],
+ "dataSets": [
+ {
+ "bom-ref": "ds-bad",
+ "name": "Bad data set",
+ "description": "Exercises an invalid cardinality value.",
+ "dataObjects": [
+ {
+ "bom-ref": "do-a",
+ "name": "A",
+ "relationships": [
+ {
+ "target": "do-b",
+ "cardinality": "1:N"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json b/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json
new file mode 100644
index 000000000..49b0da198
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json
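Review bot: `"target": "do-b"` points at a data object that does not exist anywhere in the document, so if the validator enforces bom-ref integrity the fixture is rejected for the dangling reference and `"cardinality": "1:N"` is never the deciding violation. Add a second entry `{ "bom-ref": "do-b", "name": "B" }` to `dataObjects` so the cardinality value is the only thing wrong. The missing-bomref scenario fixture later in this change has the same shape of problem with `"threats": ["threat-1"]` and no matching threat.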
@@ -0,0 +1,18 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:5f9b1d2c-6a3e-44b7-9c2a-0d8e7f6a1b23",
+ "version": 1,
+ "risks": {
+ "risks": [
+ {
+ "bom-ref": "risk-y",
+ "name": "Legacy likelihood level",
+ "statement": "Uses a retired camelCase likelihood level value that should no longer validate.",
+ "inherentRisk": {
+ "likelihood": { "level": "veryHigh" }
+ }
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json b/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json
new file mode 100644
index 000000000..ce9bad4cf
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json
@@ -0,0 +1,18 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:1b4e28ba-2fa1-11d2-883f-0016d3cca427",
+ "version": 1,
+ "risks": {
+ "risks": [
+ {
+ "bom-ref": "risk-x",
+ "name": "Response missing strategy",
+ "statement": "A risk whose response omits the required strategy.",
+ "responses": [
+ { "bom-ref": "resp-x", "function": "prevent" }
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json b/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json
new file mode 100644
index 000000000..a8d19ff51
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json
@@ -0,0 +1,18 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "threats": {
+ "threats": [
+ {
+ "bom-ref": "threat-bad-category",
+ "name": "STRIDE methodology paired with a LINDDUN category value",
+ "categories": [
+ {
+ "taxonomy": "STRIDE",
+ "category": "linkability"
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json b/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json
new file mode 100644
index 000000000..49e07bb83
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json
@@ -0,0 +1,14 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "threats": {
+ "scenarios": [
+ {
+ "name": "Scenario missing its required bom-ref",
+ "threats": [
+ "threat-1"
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json b/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json
new file mode 100644
index 000000000..b003de717
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json
@@ -0,0 +1,17 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "vulnerabilities": [
+ {
+ "bom-ref": "vuln-1",
+ "id": "CVE-2000-0000",
+ "weaknesses": [
+ {
+ "bom-ref": "wk-bad",
+ "cweId": 502,
+ "name": "Deserialization of Untrusted Data"
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json b/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json
new file mode 100644
index 000000000..a66beb174
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json
@@ -0,0 +1,119 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-pth-payload",
+ "name": "Pass-the-Hash Payload Behavioral Blueprint",
+ "modelTypes": [
+ { "type": "behavioral" }
+ ],
+ "methodologies": [
+ { "type": "MITRE-ATTACK" }
+ ],
+ "behaviors": {
+ "instances": [
+ {
+ "bom-ref": "b-startup-exec",
+ "behavior": "system:persistence:registersForStartup",
+ "trigger": "startup",
+ "evidence": {
+ "bom-ref": "evidence-1",
+ "confidence": 0.95,
+ "description": "Persistence registration via Run key write observed in unpacked binary.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.95,
+ "value": "Import of advapi32!RegSetValueExW resolving to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run at 0x00401a20.",
+ "tools": [{ "ref": "karambit" }],
+ "externalReferences": {
+ "type": "formulation",
+ "url": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#my-workflow"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-decode",
+ "behavior": "evasion:obfuscation:obfuscatesStrings",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.9,
+ "description": "Stack-built XOR-decoded strings resolved at runtime.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.9,
+ "value": "XOR decode loop at 0x00403110 with key 0x5A resolving C2 hostnames and API names prior to use."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-credential-collect",
+ "behavior": "privacy:collection:collectsPersonalData",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.92,
+ "description": "LSASS memory access to harvest NTLM hashes.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.92,
+ "value": "OpenProcess on lsass.exe with PROCESS_VM_READ followed by MiniDumpWriteDump observed at 0x004044c0."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-exfil",
+ "behavior": "network:transmission:sendsData",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.88,
+ "description": "HTTPS POST of collected artifacts to external C2 endpoint.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.88,
+ "value": "WinHttpOpen/WinHttpConnect/WinHttpSendRequest chain at 0x00405e80 posting to 185.x.x.x/gate.php."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ }
+ ],
+ "flows": [
+ {
+ "bom-ref": "flow-pth-payload",
+ "trigger": "startup",
+ "acknowledgment": ["observed"],
+ "evidence": {
+ "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#evidence-1"
+ },
+ "ordering": "unordered",
+ "steps": [
+ { "ordinal": 1, "ref": "b-startup-exec" },
+ { "ordinal": 2, "ref": "b-decode" },
+ { "ordinal": 3, "ref": "b-credential-collect" },
+ { "ordinal": 4, "ref": "b-exfil" }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/prototypes/behavior-mockup.json b/tools/src/test/resources/2.0/prototypes/behavior-mockup.json
new file mode 100644
index 000000000..8638870a1
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/behavior-mockup.json
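Review bot: `b-credential-collect` tags an LSASS `OpenProcess`/`MiniDumpWriteDump` sequence as `privacy:collection:collectsPersonalData`, which understates credential theft; the taxonomy added in this same change defines `system:processControl:dumpsProcessMemory` ("extracts memory contents from a process"), which is what the evidence value literally describes, and a detection consumer mapping behaviours to credential-dumping techniques would miss the current tag. The document is also inconsistent with itself: `externalReferences` is an object here but an array in the Vault prototype later in this change, and `tools` sits inside `methods[0]` for `b-startup-exec` but at the evidence level for the other three instances, so one of each pair presumably fails the schema. `"ordering": "unordered"` contradicts both the ordinals 1–4 and the causal decode → collect → exfiltrate chain (the sibling mockup uses `"sequential"`). Finally, every `{ "ref": "karambit" }` points at a bom-ref that is defined nowhere in the file.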
@@ -0,0 +1,109 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-pth-payload",
+ "name": "Pass-the-Hash Payload Behavioral Blueprint",
+ "modelTypes": [
+ { "type": "behavioral" }
+ ],
+ "methodologies": [
+ { "type": "MITRE-ATTACK" }
+ ],
+ "behaviors": {
+ "instances": [
+ {
+ "bom-ref": "b-startup-exec",
+ "behavior": "system:persistence:registersForStartup",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-decode",
+ "behavior": "evasion:obfuscation:obfuscatesStrings",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-credential-collect",
+ "behavior": "privacy:collection:collectsPersonalData",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-exfil",
+ "behavior": "network:transmission:sendsData",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ }
+ ],
+ "flows": [
+ {
+ "bom-ref": "flow-pth-payload",
+ "trigger": "startup",
+ "acknowledgment": ["observed"],
+ "ordering": "sequential",
+ "steps": [
+ { "ordinal": 1, "ref": "b-startup-exec" },
+ { "ordinal": 2, "ref": "b-decode" },
+ { "ordinal": 3, "ref": "b-credential-collect" },
+ { "ordinal": 4, "ref": "b-exfil" }
+ ]
+ }
+ ],
+
+ "workflows": [
+ {
+ "bom-ref": "workflow-pth-payload",
+ "name": "Pass-the-Hash Payload Workflow",
+ "trigger": {
+ "type": "startup"
+ },
+ "tasks": [
+ {
+ "b-ref": "b-startup-exec",
+ "timeStart": "2026-01-01T00:00:00Z"
+ },
+ {
+ "b-ref": "b-decode",
+ "timeStart": "2026-01-01T00:10:00Z"
+ },
+ {
+ "b-ref": "b-credential-collect",
+ "timeStart": "2026-01-01T00:12:00Z"
+ },
+ {
+ "b-ref": "b-exfil",
+ "timeStart": "2026-01-01T00:13:00Z"
+ }
+ ],
+ "taskDependencies": [
+ {
+ "ref": "b-startup-exec",
+ "dependsOn": []
+ },
+ {
+ "ref": "b-decode",
+ "dependsOn": [
"b-startup-exec" ]
+ },
+ {
+ "ref": "b-credential-collect",
+ "dependsOn": [ "b-decode" ]
+ },
+ {
+ "ref": "b-exfil",
+ "dependsOn": [ "b-credential-collect" ]
+ }
+ ]
+ }
+ ]
+
+
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
new file mode 100644
index 000000000..e36ec28ab
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
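Review bot: The workflow `tasks` key their behaviour reference as `"b-ref"` while `taskDependencies` use `"ref"` for the very same identifiers; `b-ref` reads like a typo for `bom-ref` or `ref`, and under a closed task schema it would be rejected as an unknown property, so the two should use a single property name. As in the evidence mockup, `b-credential-collect` is tagged `privacy:collection:collectsPersonalData` for what the blueprint itself calls a pass-the-hash credential harvest; `system:processControl:dumpsProcessMemory` from the taxonomy in this change is the behaviour a detection consumer would expect. The empty line before `"workflows"` and the two before the closing of `behaviors` are stray and should be removed.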
@@ -0,0 +1,71 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "blueprints": [ + { + "bom-ref": "blueprint-1", + "blueprintMetadata":{ + "timestamp": "2025-09-12T15:42:30Z", + "authors": [], + "reviewers": [], + "reviewDate": "2025-09-03", + "approvers": [], + "approvalDate": "2025-09-12", + "ordinalVersion": "1.0", + "lifecycles": [ + { + "phase": "operations" + } + ], + "validityPeriod": { + "start": "", + "end": "", + "reviewFrequency": "P3M" + } + }, + "modelTypes": [ + "threat", + "dataFlow", + "logical" + ], + "methodologies": [ + "STRIDE", + "LINDDUN" + ], + "perspectives": [ + { + "bom-ref": "perspective-1", + "type": "security", + "name": "", + "role": "Security Architect", + "objectives": [], + "concerns": [], + "viewpoint": "" + ], + "scope": { + "bom-ref": "scope-1", + "name": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. 
Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer", + "$comment": "Business criticality, data sensitivity, and tier are defined on the individual assets. Exposure is not defined yet.", + "boundaries": [], + "includedComponents": [], + "excludedComponents": [] + + }, + "visualizations": [ + + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://developer.hashicorp.com/vault/docs" + }, + { + "type": "vcs", + "url": "https://github.com/hashicorp/vault" + } + ] + } + } + ] + } \ No newline at end of file diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json new file mode 100644 index 000000000..d549195a3 --- /dev/null +++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json 
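Review bot: The file is not valid JSON: the `perspective-1` object is opened with `{` but its array is closed with `]` directly after `"viewpoint": ""` with no closing `}`, so a strict parser rejects the document before any schema check and it cannot serve as a positive prototype. Beyond syntax, `validityPeriod.start` and `end` are empty strings — rejected by any `date`/`date-time` format check and meaningless next to a `"P3M"` review cadence — and `approvalDate`/`reviewDate` are set while `authors`, `reviewers` and `approvers` are all `[]`, which is precisely the provenance gap a threat-model record exists to close: an approval with no identifiable approver. `modelTypes` uses `"dataFlow"` here but `"data-flow"` in the invalid-blueprint fixtures of this same change, and the file lacks a trailing newline; pick one spelling and add the newline.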
@@ -0,0 +1,1258 @@
+{
+ "$schema": "https://github.com/OWASP/www-project-threat-model-library/blob/v1.0.1/threat-model.schema.json",
+ "version": "1.0",
+ "scope": {
+ "title": "HashiCorp Vault",
+ "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. 
This threat model involves an AWS deployment with k8s and a load balancer",
+ "business_criticality": "high",
+ "data_sensitivity": [
+ "biz",
+ "cred",
+ "pii"
+ ],
+ "exposure": "internal",
+ "tier": "mission_critical"
+ },
+ "description": "Enterprise secrets management and cryptographic services for applications and operators.",
+ "frozen": false,
+ "release_docs_link": "https://developer.hashicorp.com/vault/docs",
+ "reviewed_at": "2025-09-03",
+ "repo_link": "https://github.com/hashicorp/vault",
+ "diagrams": [
+ {
+ "title": "AWS Deployment with K8s and a load balancer","type": "mermaid",
+ "source": "flowchart LR; AU[\"App User\"]; DEV[\"Developer\"]; PE[\"Platform Engineer\"]; APP1[\"Client Application (App 1)\"]; CLI[\"Vault CLI / API Client\"]; subgraph VPC[\"Internal AWS VPC\"]; direction LR; VPN[\"VPN Gateway (AWS SSO)\"]; LB[\"AWS Load Balancer\"]; subgraph EKS[\"EKS Cluster\"]; direction TB; APISERVER[\"Kubernetes API Server\"]; subgraph NS[\"K8s Namespace: vault\"]; direction LR; SVC[\"K8s Service: vault-internal\"]; SVC_EP[\"Service Endpoint\"]; subgraph VAULT[\"Vault HA Deployment (StatefulSet)\"]; direction LR; V1[\"Vault Pod 1 (Active)\"]; V2[\"Vault Pod 2 (Standby)\"]; V3[\"Vault Pod 3 (Standby)\"]; API[\"Vault API (:8200)\"]; AUTH[\"Vault Auth Methods\"]; SE[\"Vault Secret Engines\"]; AUDDEV[\"Vault Audit Devices\"]; subgraph RAFT[\"Integrated Storage (Raft :8201 mTLS)\"]; R1[\"Raft Peer (Pod 1)\"]; R2[\"Raft Peer (Pod 2)\"]; R3[\"Raft Peer (Pod 3)\"]; end; end; end; end; KMS[\"Vault Auto-Unseal (Cloud KMS)\"]; end; AU -->|Login/API| APP1; APP1 -- \"TLS :8200\" --> LB; DEV -->|\"VPN + AWS SSO\"| VPN; PE -->|\"VPN + AWS SSO\"| VPN; DEV -->|\"Uses Vault CLI\"| CLI; PE -->|\"Uses Vault CLI\"| CLI; CLI -->|\"Tunnel via VPN\"| VPN; VPN -->|\"Forward to VPC\"| LB; CLI -- \"TLS :8200 (via VPN)\" --> LB; VPN -. 
\"kubectl (AWS SSO)\" .-> APISERVER; LB -->|\"TLS :8200\"| SVC_EP; SVC_EP --> V1; SVC_EP --> V2; SVC_EP --> V3; V1 --- API; V2 --- API; V3 --- API; API --> AUTH; API --> SE; API --> AUDDEV; V1 --- R1; V2 --- R2; V3 --- R3; R1 <-->|\"Raft :8201 mTLS\"| R2; R1 <-->|\"Raft :8201 mTLS\"| R3; R2 <-->|\"Raft :8201 mTLS\"| R3; VAULT -. \"Auto-Unseal\" .-> KMS;"
+ }
+ ],
+ "trust_zones": [
+ {
+ "symbolic_name": "public",
+ "title": "Public Internet Zone",
+ "description": "External clients and actors including applications, CI/CD pipelines, and operators that connect to Vault over TLS (8200)."
+ },
+ {
+ "symbolic_name": "aws-vpc",
+ "title": "Internal AWS VPC",
+ "description": "Private AWS VPC hosting the EKS cluster and load balancer. Provides network isolation and segmentation for Vault components."
+ },
+ {
+ "symbolic_name": "eks-cluster",
+ "title": "EKS Cluster Zone",
+ "description": "Amazon EKS cluster providing the orchestration environment for Vault pods and services."
+ },
+ {
+ "symbolic_name": "k8s-namespace-vault",
+ "title": "Vault Kubernetes Namespace",
+ "description": "Dedicated Kubernetes namespace (`vault`) that contains the Vault StatefulSet, Service, and Raft integrated storage peers." 
+ }
+ ],
+ "trust_boundaries": [
+ {
+ "trust_zone_a": "public-internet",
+ "trust_zone_b": "aws-vpc",
+ "access_control_methods": [
+ "acl",
+ "rbac"
+ ],
+ "authentication_methods": [
+ "public_key",
+ "token",
+ "sso"
+
+ ]
+ },
+ {
+ "trust_zone_a": "aws-vpc",
+ "trust_zone_b": "eks-cluster",
+ "access_control_methods": [
+ "rbac",
+ "acl"
+ ],
+ "authentication_methods": [
+ "public_key"
+ ]
+ },
+ {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault",
+ "access_control_methods": [
+ "rbac",
+ "acl",
+ "mac"
+ ],
+ "authentication_methods": [
+ "token"
+ ]
+ }
+ ],
+ "actors": [
+ {
+ "symbolic_name": "platform-engineer",
+ "title": "Platform Engineer",
+ "description": "Responsible for deploying, operating, and maintaining the Vault cluster. Manages HA configuration, upgrades, storage backends, and operational tasks like initialization, unseal, and monitoring.",
+ "type": "engineer",
+ "permissions": "Deploy and upgrade Vault; configure Raft or Consul storage; perform initialization and unseal operations; enable/disable auth and secrets engines; monitor health and performance.",
+ "trust_zone": "aws-vpc"
+ },
+ {
+ "symbolic_name": "developer",
+ "title": "Application Developer",
+ "description": "A developer who builds and maintains applications that consume secrets from Vault. In this scenario, developers also have access to the Kubernetes cluster where Vault is deployed, as well as Vault audit logs. 
This gives them significant power to access, modify, and observe secret-related operations.",
+ "type": "engineer",
+ "permissions": "Push and retrieve secrets; configure application roles for development; read Vault audit logs; access the Kubernetes cluster including the Vault namespace, which may allow tampering with Vault pods, services, or Raft storage.",
+ "trust_zone": "aws-vpc"
+ },
+
+ {
+ "symbolic_name": "app-user",
+ "title": "End User of Client Application",
+ "description": "An end user (internal employee or external customer) who interacts with an application that relies on Vault for secrets management or cryptographic operations.",
+ "type": "user",
+ "permissions": "Indirect access to Vault-protected resources through the client application; cannot interact with Vault directly.",
+ "trust_zone": "public"
+ }
+ ],
+ "components": [
+ {
+ "symbolic_name": "client-app-1",
+ "title": "Client Application (App 1)",
+ "description": "External application that end users interact with. 
Relies on Vault for secrets or cryptographic operations.",
+ "trust_zone": "public-internet"
+ },
+ {
+ "symbolic_name": "vpn-gateway",
+ "title": "VPN Gateway",
+ "description": "Provides secure entry for engineers and developers into the AWS VPC hosting Vault.",
+ "trust_zone": "aws-vpc"
+ },
+ {
+ "symbolic_name": "aws-lb",
+ "title": "AWS Load Balancer",
+ "description": "DMZ load balancer that forwards client requests over TLS to the Vault Kubernetes Service endpoint.",
+ "trust_zone": "aws-vpc",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": "eks-cluster",
+ "title": "Amazon EKS Cluster",
+ "description": "Managed Kubernetes control plane and worker nodes that run the Vault namespace.",
+ "trust_zone": "eks-cluster"
+ },
+ {
+ "symbolic_name": "k8s-service-vault-internal",
+ "title": "Kubernetes Service: vault-internal",
+ "description": "Cluster-internal service endpoint that routes traffic from the AWS Load Balancer to Vault pods.",
+ "trust_zone": "k8s-namespace-vault"
+ },
+ {
+ "symbolic_name": "vault-ha-statefulset",
+ "title": "Vault HA Deployment (StatefulSet)",
+ "description": "Vault pods (1 active leader, 2 standbys) running in high availability mode and exposing the Vault API.",
+ "trust_zone": "k8s-namespace-vault"
+ },
+ {
+ "symbolic_name": "vault-auth-methods",
+ "title": "Vault Authentication Methods",
+ "description": "Pluggable authentication backends (e.g., AppRole, Kubernetes, AWS IAM, OIDC) that validate identities and issue scoped Vault tokens.",
+ "trust_zone": "k8s-namespace-vault",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": "vault-secret-engines",
+ "title": "Vault Secret Engines",
+ "description": "Pluggable backends for secrets management and cryptographic operations, including KV, PKI, Transit, Database, and dynamic secrets engines.",
+ "trust_zone": "k8s-namespace-vault",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": 
"vault-audit-devices",
+ "title": "Vault Audit Devices",
+ "description": "Configured audit sinks (file, syslog, socket, etc.) that record all requests and responses for security and compliance monitoring.",
+ "trust_zone": "k8s-namespace-vault",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": "vault-cli",
+ "title": "Vault CLI / API Client",
+ "description": "The Vault command-line interface and HTTP API used by engineers and automation tools to interact with Vault.",
+ "trust_zone": "public-internet-client-zone",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": "vault-auto-unseal",
+ "title": "Vault Auto-Unseal (Cloud KMS Integration)",
+ "description": "Integration with external Key Management Services (AWS KMS, GCP KMS, Azure Key Vault) to automate the unseal process.",
+ "trust_zone": "aws-vpc",
+ "repo_link": "https://github.com/hashicorp/vault"
+ },
+ {
+ "symbolic_name": "vault-api",
+ "title": "Vault API",
+ "description": "The HTTP API exposed by Vault pods on port 8200. Provides entry points to authentication methods, secret engines, and application endpoints.",
+ "trust_zone": "k8s-namespace-vault",
+ "repo_link": "https://github.com/hashicorp/vault"
+ }
+ ],
+ "data_stores": [
+ {
+ "symbolic_name": "vault-raft-storage",
+ "title": "Vault Integrated Storage (Raft)",
+ "description": "Embedded Raft storage peers that persist encrypted Vault data. 
Provides replication and consensus across Vault pods.",
+ "type": "key_value",
+ "vendor": "HashiCorp",
+ "product": "Vault Raft Storage",
+ "trust_zone": "k8s-namespace-vault"
+ },
+ {
+ "symbolic_name": "vault-audit-logs",
+ "title": "Vault Audit Logs",
+ "description": "Audit device output streams (file, syslog, socket) that contain records of every Vault request and response for compliance and monitoring.",
+ "type": "object",
+ "vendor": "HashiCorp",
+ "product": "Vault Audit Devices",
+ "trust_zone": "k8s-namespace-vault"
+ },
+ {
+ "symbolic_name": "cloud-kms",
+ "title": "Cloud KMS for Auto-Unseal",
+ "description": "External Key Management Service used by Vault for auto-unseal operations and master key encryption.",
+ "type": "key_value",
+ "vendor": "AWS",
+ "product": "AWS KMS",
+ "trust_zone": "aws-vpc"
+ }
+ ],
+ "data_sets": [
+ {
+ "symbolic_name": "vault-secrets",
+ "title": "Vault Stored Secrets",
+ "description": "Static and dynamic secrets stored and managed within Vault, including credentials, API keys, and tokens. 
Encrypted at rest within the Raft storage backend.",
+ "placements": [
+ {
+ "data_store": "vault-raft-storage",
+ "encrypted": true
+ }
+ ],
+ "record_count": 5000,
+ "data_sensitivity": [
+ "cred",
+ "pii",
+ "biz"
+ ],
+ "access_control_methods": [
+ "rbac",
+ "acl"
+ ]
+ },
+ {
+ "symbolic_name": "vault-audit-records",
+ "title": "Vault Audit Log Records",
+ "description": "Detailed records of Vault API requests and responses, containing metadata on who accessed what, when, and how.",
+ "placements": [
+ {
+ "data_store": "vault-audit-logs",
+ "encrypted": false
+ }
+ ],
+ "record_count": 1000000,
+ "data_sensitivity": [
+ "biz",
+ "pii"
+ ],
+ "access_control_methods": [
+ "rbac",
+ "acl"
+ ]
+ },
+ {
+ "symbolic_name": "vault-unseal-keys",
+ "title": "Vault Master Key and Unseal Keys",
+ "description": "Key shares or cloud KMS-encrypted master keys used for unsealing Vault and securing the root of trust.",
+ "placements": [
+ {
+ "data_store": "cloud-kms",
+ "encrypted": true
+ }
+ ],
+ "record_count": 5,
+ "data_sensitivity": [
+ "cred"
+ ],
+ "access_control_methods": [
+ "acl",
+ "rbac"
+ ]
+ }
+ ],
+ "data_flows": [
+ {
+ "symbolic_name": "developer-to-cli",
+ "title": "Developer to Vault CLI",
+ "description": "Developer issues commands to the local Vault CLI binary, which acts as the client interface to Vault.",
+ "source": {
+ "type": "actor",
+ "object": "developer"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-cli"
+ },
+ "has_sensitive_data": false,
+ "encrypted": false
+ },
+ {
+ "symbolic_name": "platform-engineer-to-cli",
+ "title": "Platform Engineer to Vault CLI",
+ "description": "Platform Engineer issues commands to the local Vault CLI binary for managing Vault operations and configurations.",
+ "source": {
+ "type": "actor",
+ "object": "platform-engineer"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-cli"
+ },
+ "has_sensitive_data": false,
+ "encrypted": false
+ },
+ {
+ "symbolic_name": 
"app-user-to-client-app",
+ "title": "App User to Client Application",
+ "description": "An end user interacts with the client-facing application, which relies on Vault for secrets or cryptographic operations.",
+ "source": {
+ "type": "actor",
+ "object": "app-user"
+ },
+ "destination": {
+ "type": "component",
+ "object": "client-app-1"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "client-app-to-aws-lb",
+ "title": "Client Application to AWS Load Balancer",
+ "description": "Client Application (App 1) sends requests to Vault via the AWS Load Balancer over TLS 8200.",
+ "source": {
+ "type": "component",
+ "object": "client-app-1"
+ },
+ "destination": {
+ "type": "component",
+ "object": "aws-lb"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "cli-to-vpn",
+ "title": "Vault CLI to VPN Gateway",
+ "description": "Vault CLI tunnels traffic through the VPN Gateway, which enforces AWS SSO before allowing access into the VPC.",
+ "source": {
+ "type": "component",
+ "object": "vault-cli"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vpn-gateway"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vpn-to-aws-lb",
+ "title": "VPN Gateway to AWS Load Balancer",
+ "description": "VPN Gateway forwards authenticated engineer traffic (AWS SSO) into the VPC, delivering Vault CLI/API requests to the AWS Load Balancer over TLS 8200.",
+ "source": {
+ "type": "component",
+ "object": "vpn-gateway"
+ },
+ "destination": {
+ "type": "component",
+ "object": "aws-lb"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "aws-lb-to-eks",
+ "title": "AWS Load Balancer to EKS Cluster",
+ "description": "The Load Balancer forwards TLS :8200 traffic into the EKS cluster.",
+ "source": {
+ "type": "component",
+ "object": "aws-lb"
+ },
+ "destination": {
+ "type": "component",
+ "object": "eks-cluster"
+ },
+ "has_sensitive_data": true,
+ 
"encrypted": true
+ },
+ {
+ "symbolic_name": "k8s-service-to-vault-ha",
+ "title": "Kubernetes Service to Vault HA StatefulSet",
+ "description": "The Service load balances requests to Vault pods.",
+ "source": {
+ "type": "component",
+ "object": "k8s-service-vault-internal"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-ha-statefulset"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "eks-cluster-to-k8s-service",
+ "title": "EKS Cluster to Kubernetes Service (vault-internal)",
+ "description": "EKS networking routes traffic internally to the cluster Service endpoint for Vault.",
+ "source": {
+ "type": "component",
+ "object": "eks-cluster"
+ },
+ "destination": {
+ "type": "component",
+ "object": "k8s-service-vault-internal"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-ha-to-vault-api",
+ "title": "Vault Pod to Vault API",
+ "description": "Requests arriving at a Vault pod are handled by the Vault API listener on :8200.",
+ "source": {
+ "type": "component",
+ "object": "vault-ha-statefulset"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-api"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-api-to-auth",
+ "title": "Vault API to Auth Methods",
+ "description": "Login requests (/auth/*) dispatched to configured authentication backends.",
+ "source": {
+ "type": "component",
+ "object": "vault-api"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-auth-methods"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-api-to-secrets",
+ "title": "Vault API to Secret Engines",
+ "description": "Secret read/write and cryptographic operations routed to secrets engines.",
+ "source": {
+ "type": "component",
+ "object": "vault-api"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-secret-engines"
+ },
+ "has_sensitive_data": true,
+ "encrypted": 
true
+ },
+ {
+ "symbolic_name": "vault-api-to-audit",
+ "title": "Vault API to Audit Devices",
+ "description": "Vault writes request/response metadata to audit devices (file/syslog/socket).",
+ "source": {
+ "type": "component",
+ "object": "vault-api"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-audit-devices"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-core-to-raft",
+ "title": "Vault Core to Raft Storage",
+ "description": "Vault Core persists encrypted state via the storage barrier into Integrated Storage (Raft).",
+ "source": {
+ "type": "component",
+ "object": "vault-ha-statefulset"
+ },
+ "destination": {
+ "type": "data_store",
+ "object": "vault-raft-storage"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-ha-to-auto-unseal",
+ "title": "Vault to Auto-Unseal Integration",
+ "description": "Vault contacts the Cloud KMS integration to decrypt master key material during startup/unseal.",
+ "source": {
+ "type": "component",
+ "object": "vault-ha-statefulset"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vault-auto-unseal"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "audit-devices-to-audit-logs",
+ "title": "Vault Audit Devices to Audit Logs",
+ "description": "Audit devices append structured records to the audit log store.",
+ "source": {
+ "type": "component",
+ "object": "vault-audit-devices"
+ },
+ "destination": {
+ "type": "data_store",
+ "object": "vault-audit-logs"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "auto-unseal-to-cloud-kms",
+ "title": "Auto-Unseal to Cloud KMS",
+ "description": "Auto-unseal integration calls Cloud KMS to decrypt the master key material.",
+ "source": {
+ "type": "component",
+ "object": "vault-auto-unseal"
+ },
+ "destination": {
+ "type": "data_store",
+ "object": "cloud-kms"
+ },
+ "has_sensitive_data": true,
+ 
"encrypted": true
+ },
+ {
+ "symbolic_name": "developer-to-vpn",
+ "title": "Developer to VPN (AWS SSO)",
+ "description": "Developer authenticates to the VPN using AWS SSO before accessing internal cluster resources.",
+ "source": {
+ "type": "actor",
+ "object": "developer"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vpn-gateway"
+ },
+ "has_sensitive_data": false,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "platform-engineer-to-vpn",
+ "title": "Platform Engineer to VPN (AWS SSO)",
+ "description": "Platform Engineer authenticates to the VPN using AWS SSO before accessing internal cluster resources.",
+ "source": {
+ "type": "actor",
+ "object": "platform-engineer"
+ },
+ "destination": {
+ "type": "component",
+ "object": "vpn-gateway"
+ },
+ "has_sensitive_data": false,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "vault-audit-devices-to-audit-logs",
+ "title": "Vault Audit Devices to Audit Logs",
+ "description": "Vault pods (audit devices) write structured audit records to the audit log store (file/syslog/socket).",
+ "source": {
+ "type": "component",
+ "object": "vault-audit-devices"
+ },
+ "destination": {
+ "type": "data_store",
+ "object": "vault-audit-logs"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "insider-read-audit-logs-developer",
+ "title": "Developer reads Vault Audit Logs",
+ "description": "Developer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.",
+ "source": {
+ "type": "data_store",
+ "object": "vault-audit-logs"
+ },
+ "destination": {
+ "type": "actor",
+ "object": "developer"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "insider-read-audit-logs-platform-engineer",
+ "title": "Platform Engineer reads Vault Audit Logs",
+ "description": "Platform Engineer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault 
pod.",
+ "source": {
+ "type": "data_store",
+ "object": "vault-audit-logs"
+ },
+ "destination": {
+ "type": "actor",
+ "object": "platform-engineer"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "insider-read-raft-storage",
+ "title": "Developer reads Raft Storage",
+ "description": "Developer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.",
+ "source": {
+ "type": "data_store",
+ "object": "vault-raft-storage"
+ },
+ "destination": {
+ "type": "actor",
+ "object": "developer"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ },
+ {
+ "symbolic_name": "insider-read-raft-storage-platform-engineer",
+ "title": "Platform Engineer reads Raft Storage",
+ "description": "Platform Engineer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.",
+ "source": {
+ "type": "data_store",
+ "object": "vault-raft-storage"
+ },
+ "destination": {
+ "type": "actor",
+ "object": "platform-engineer"
+ },
+ "has_sensitive_data": true,
+ "encrypted": true
+ }
+ ],
+ "assumptions": [
+ {
+ "description": "All communication between clients, load balancers, Kubernetes services, and Vault pods occurs over TLS (8200).",
+ "validity": "confirmed"
+ },
+ {
+ "description": "Vault Raft storage is encrypted at rest by the Vault barrier, and requires master key material (from KMS or Shamir unseal) for decryption.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "Vault pods run inside a dedicated Kubernetes namespace with RBAC, NetworkPolicies, and IAM roles scoped to the namespace.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "VPN gateway enforces AWS SSO authentication for Developers and Platform Engineers before they can access the AWS VPC and EKS cluster.",
+ "validity": "confirmed"
+ 
},
+ {
+ "description": "Cloud KMS (AWS KMS) keys used for auto-unseal are properly scoped and only accessible by Vault service accounts.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "Audit devices are configured and cannot be disabled without privileged administrator actions.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "Developers and Platform Engineers with kubectl access could bypass the Vault API to access logs and storage directly, introducing insider risk.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "Raft replication between Vault pods uses mutual TLS on port 8201 with certificate pinning/verification.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "VPN Gateway enforces AWS SSO (MFA) for Developers and Platform Engineers before access to the VPC and EKS control plane.",
+ "validity": "confirmed"
+ },
+ {
+ "description": "EKS API access requires VPN + SSO and is logged; direct Internet access to the cluster or nodes is blocked.",
+ "validity": "confirmed"
+ }
+ ],
+ "threat_personas": [
+ {
+ "symbolic_name": "darius",
+ "title": "Darius the Compromised / Malicious Developer",
+ "description": "An insider developer whose account or workstation is compromised (or who has turned malicious). Has kubectl access to the EKS cluster and can read Vault audit logs and pod files. Could exfiltrate secrets, tamper with Raft storage, or disable/modify logging.",
+ "is_person": true,
+ "skill_level": "engineer",
+ "access_level": "admin",
+ "malicious_intent": true,
+ "applicability_to_org": "high"
+ },
+ {
+ "symbolic_name": "sofia",
+ "title": "Sofia the Rogue Platform Engineer",
+ "description": "An insider with elevated privileges over Vault’s deployment, networking, and storage backends. 
Capable of modifying StatefulSets, Service configurations, or intercepting API traffic.",
+ "is_person": true,
+ "skill_level": "expert_engineer",
+ "access_level": "admin",
+ "malicious_intent": true,
+ "applicability_to_org": "low"
+ },
+ {
+ "symbolic_name": "li-wei",
+ "title": "Li Wei the External Attacker",
+ "description": "An attacker on the public Internet attempting to exploit misconfigurations, weak authentication methods, or exposed APIs to gain unauthorized access to Vault.",
+ "is_person": true,
+ "skill_level": "script_kid",
+ "access_level": "user",
+ "malicious_intent": true,
+ "applicability_to_org": "maximal"
+ },
+ {
+ "symbolic_name": "giovanni",
+ "title": "Giovanni the Curious Administrator",
+ "description": "A well-meaning but overcurious administrator who inspects Vault audit logs or Raft storage beyond their intended duties, creating insider risk without direct malicious intent.",
+ "is_person": true,
+ "skill_level": "insider",
+ "access_level": "admin",
+ "malicious_intent": false,
+ "applicability_to_org": "maximal"
+ },
+ {
+ "symbolic_name": "alejandra",
+ "title": "Alejandra the OC-Sponsored Operator",
+ "description": "An operator working on behalf of organized crime (ransomware/credential resale). 
Skilled at exploiting exposed services, social engineering, and purchasing insider access; targets Vault to harvest credentials and secrets for monetization.",
+ "is_person": true,
+ "skill_level": "oc_sponsored",
+ "access_level": "user",
+ "malicious_intent": true,
+ "applicability_to_org": "high"
+ }
+ ],
+ "threats": [
+ {
+ "symbolic_name": "insider-exfiltrate-secrets-via-kubectl",
+ "title": "Insider exfiltrates secrets and configuration via kubectl (pod exec / file copy)",
+ "description": "A developer or platform engineer with kubectl access execs into Vault pods or mounts pod volumes to read Raft storage files and configuration, allowing exfiltration of encrypted state and metadata which can be used for offline attacks or tampering.",
+ "threat_persona": "darius",
+ "event": "unauthorized data exfiltration / tampering",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 122,
+ "capec_title": "Privilege Abuse"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 284,
+ "cwe_title": "Improper Access Control"
+ },
+ {
+ "cwe_id": 200,
+ "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor"
+ },
+ {
+ "cwe_id": 522,
+ "cwe_title": "Insufficiently Protected Credentials"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "insider-read-tamper-audit-logs",
+ "title": "Insider reads or tampers with audit logs",
+ "description": "An actor with cluster access directly reads Vault audit files or streams pod logs (kubectl logs). 
They can exfiltrate sensitive audit trails, or delete/modify logs to remove traces of malicious activity.",
+ "threat_persona": "darius",
+ "event": "information disclosure / evidence tampering",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 122,
+ "capec_title": "Privilege Abuse"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 200,
+ "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "rogue-platform-tamper-ha-config",
+ "title": "Rogue platform engineer tampers with Vault deployment to cause DoS or capture secrets",
+ "description": "A platform engineer modifies StatefulSet, Service, or network rules (or injects sidecars) to disrupt Vault availability (DoS), redirect traffic to a malicious endpoint, or capture secrets in transit.",
+ "threat_persona": "sofia",
+ "event": "denial of service / credential capture / traffic interception",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 210,
+ "capec_title": "Abuse Existing Functionality"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 732,
+ "cwe_title": "Incorrect Permission Assignment for Critical Resource"
+ },
+ {
+ "cwe_id": 269,
+ "cwe_title": "Improper Privilege Management"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "compromised-workload-abuse-auth",
+ "title": "Compromised workload abuses auth (Kubernetes/AppRole/IAM) to exfiltrate secrets and access various services with these secrets",
+ "description": "A compromised application or CI job uses stolen credentials, stolen service account tokens, or abused auth bindings to obtain Vault tokens, then reads secrets or requests dynamic credentials beyond its intended scope.",
+ "threat_persona": "li-wei",
+ "event": "unauthorized secret access",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 555,
+ "capec_title": "Remote Services with Stolen Credentials"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 287,
+ "cwe_title": "Improper 
Authentication"
+ },
+ {
+ "cwe_id": 285,
+ "cwe_title": "Improper Authorization"
+ },
+ {
+ "cwe_id": 522,
+ "cwe_title": "Insufficiently Protected Credentials"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "exposed-raft-port-remote-attack",
+ "title": "Exposed Raft/consensus ports allow remote access to storage",
+ "description": "If Raft ports (8201) or the pod network are exposed outside the cluster/VPC, an attacker could discover services, attempt to join/replicate, extract data, or cause cluster instability.",
+ "threat_persona": "li-wei",
+ "event": "confidentiality breach / data exfiltration / cluster compromise",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 310,
+ "capec_title": "Scanning for Vulnerable Software"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 200,
+ "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "lb-tls-mitm-or-termination-misconfig",
+ "title": "TLS termination/misconfiguration at Load Balancer leads to MITM or credential leak",
+ "description": "If the AWS Load Balancer is misconfigured (terminates TLS without re-encrypting, or uses an untrusted certificate), an attacker or compromised LB control plane could intercept or tamper with Vault API traffic.",
+ "threat_persona": "alejandra",
+ "event": "man-in-the-middle / data interception",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 117,
+ "capec_title": "Interception"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 295,
+ "cwe_title": "Improper Certificate Validation"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "vault-availability-failure",
+ "title": "Loss of availability of secret material due to failure",
+ "description": "Failures in cluster nodes, Raft replication, or storage can cause Vault to become unavailable, preventing applications from retrieving secrets or performing cryptographic operations.",
+ "threat_persona": "sofia",
+ "event": "denial of service / loss of availability", 
+ "sources": [ + "failure" + ], + "attack_mechanisms": [ + { + "capec_id": 125, + "capec_title": "Flooding" + } + ], + "weaknesses": [ + { + "cwe_id": 400, + "cwe_title": "Uncontrolled Resource Consumption" + }, + { + "cwe_id": 664, + "cwe_title": "Improper Control of a Resource Through its Lifetime" + } + ] + }, + { + "symbolic_name": "misconfigured-policies-excess-privilege", + "title": "Over-permissive Vault policies allow lateral movement or secret theft", + "description": "Misconfigured Vault policies or overly-broad role bindings grant principals capabilities they don't need (e.g., wildcard admin policies), enabling actors to list/read secrets or create tokens for escalation.", + "threat_persona": "giovanni", + "event": "unauthorized access / privilege escalation", + "sources": [ + "human_error" + ], + "attack_mechanisms": [ + { + "capec_id": 212, + "capec_title": "Abuse existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + } + ] + } + ], + "controls": [ + { + "symbolic_name": "restrict-k8s-rbac", + "title": "Restrict Kubernetes RBAC for developers and engineers", + "description": "Limit Kubernetes RoleBindings/ClusterRoleBindings so that developers and engineers cannot exec into Vault pods, read pod volumes, or access Raft storage directly. 
Only platform engineers should have restricted administrative access under break-glass conditions.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "pod-security-policies",
+ "title": "Apply Pod Security Standards / OPA Gatekeeper",
+ "description": "Use Kubernetes Pod Security Standards (restricted profile) or OPA/Gatekeeper policies to prevent privileged containers and block direct volume mounts that would expose Raft data to kubectl exec or copy commands.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "audit-kubectl-commands",
+ "title": "Audit kubectl exec and cp usage",
+ "description": "Enable Kubernetes audit logging to track all kubectl exec and copy commands. Send logs to a SIEM for real-time detection of suspicious access attempts.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs"
+
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "vault-multiple-audit-devices",
+ "title": "Configure multiple Vault audit devices",
+ "description": "Enable at least two Vault audit devices (e.g., file and syslog).
Even if one sink is tampered with or deleted, other sinks continue to capture activity.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "immutable-storage-for-audit",
+ "title": "Store Vault audit logs in immutable storage",
+ "description": "Use append-only storage (e.g., WORM S3 buckets or immutable syslog servers) for Vault audit logs so they cannot be deleted or modified retroactively.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "deployment-change-control",
+ "title": "Require change control for Vault deployment manifests",
+ "description": "Enforce code review and approval workflows (e.g., GitOps, Infrastructure as Code pipelines) for changes to Vault StatefulSets, Services, and ConfigMaps. Prevent direct kubectl edits in production.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "k8s-admission-controls",
+ "title": "Apply Kubernetes admission controls for Vault workloads",
+ "description": "Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Vault pods (no sidecars, no privilege escalation, no host networking) and reject unauthorized changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "monitor-k8s-config-changes",
+ "title": "Monitor and alert on Kubernetes configuration changes",
+ "description": "Enable auditing of Kubernetes API server for changes to StatefulSets, Services, and ConfigMaps in the Vault namespace.
Send to SIEM for alerting on unexpected changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "constrain-auth-methods",
+ "title": "Constrain Vault authentication methods",
+ "description": "Configure Vault auth methods (AppRole, Kubernetes, IAM) with least privilege. Require role bindings to be tightly scoped (limited CIDRs, bounded service accounts, short-lived tokens).",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "short-lived-tokens",
+ "title": "Use short-lived Vault tokens and dynamic secrets",
+ "description": "Configure Vault roles and policies to issue ephemeral tokens and dynamic credentials that automatically expire, limiting impact of stolen tokens.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "bind-secrets-to-identity",
+ "title": "Bind secrets tightly to workload identity",
+ "description": "Restrict Vault roles to specific Kubernetes service accounts, IAM roles, or AppRoles. Enforce identity binding so compromised workloads cannot escalate or impersonate others.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "restrict-raft-network-access",
+ "title": "Restrict Raft port access to Vault cluster nodes only",
+ "description": "Use Kubernetes NetworkPolicies and AWS Security Groups to restrict port 8201 so only Vault pods can communicate with each other.
Block all external or client access to Raft traffic.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "raft-mtls-cert-validation",
+ "title": "Enforce mutual TLS for Raft replication",
+ "description": "Require Vault nodes to authenticate Raft peers with mTLS certificates. Configure strict certificate validation and rotation to prevent unauthorized Raft peers from joining the cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "monitor-raft-consensus-health",
+ "title": "Monitor Raft consensus health",
+ "description": "Enable monitoring and alerting on Raft replication status, quorum health, and node membership changes. Detect anomalies that may indicate tampering or external Raft join attempts.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "end-to-end-strong-tls",
+ "title": "Enforce end-to-end TLS from clients to Vault pods. Enforce TLS versions (1.2+), secure cipher suites, and valid CA-signed certificates. Disable weak ciphers and enforce certificate pinning where possible.",
+ "description": "Configure the AWS Load Balancer for TCP passthrough (no TLS termination), or ensure re-encryption is used with trusted server certificates so traffic is encrypted all the way to Vault pods.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "monitor-lb-config",
+ "title": "Monitor and alert on Load Balancer TLS configuration changes",
+ "description": "Continuously check AWS Load Balancer TLS configuration (e.g., via AWS Config or Security Hub).
Alert if TLS termination is enabled unexpectedly or insecure parameters are set.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "multi-az-deployment",
+ "title": "Deploy Vault cluster across multiple Availability Zones",
+ "description": "Distribute Vault pods and Raft peers across multiple AWS Availability Zones to ensure quorum and service availability during AZ-level outages.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "raft-backup-snapshots",
+ "title": "Enable automated Raft snapshots and backup",
+ "description": "Configure regular Raft snapshots and store them securely outside the Vault cluster (e.g., S3 with encryption) to recover state in case of catastrophic failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "auto-unseal-ha",
+ "title": "Use redundant Cloud KMS for auto-unseal",
+ "description": "Configure Vault auto-unseal with multiple KMS providers (or highly available KMS setup) to avoid dependency on a single point of failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "health-checks-and-restarts",
+ "title": "Enable health checks and automated restarts for Vault pods",
+ "description": "Configure Kubernetes liveness/readiness probes for Vault pods and enable automated restart policies to recover from node/pod failures quickly.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "active",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-review-process",
+ "title": "Implement Vault policy review and approval workflow",
+ "description": "Establish a mandatory peer-review or automated validation process for Vault policies before deployment.
Reject policies that include wildcards or grant admin-level capabilities unnecessarily.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "least-privilege-defaults",
+ "title": "Adopt least-privilege defaults for Vault roles",
+ "description": "Use policy templates and default role definitions that start with no privileges. Require explicit justification and approval for each added capability.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-linter",
+ "title": "Automated linting of Vault policies",
+ "description": "Introduce static analysis (policy linter) to detect dangerous constructs in Vault policies (e.g., wildcards, overly broad paths, admin capabilities) before deployment.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "low"
+ }
+ ],
+ "risks": [
+ {
+ "symbolic_name": "insider-abuse-of-kubernetes-access",
+ "title": "Insider abuse of Kubernetes access to exfiltrate or tamper with secrets",
+ "description": "Developers or platform engineers with kubectl access may exec into Vault pods, read Raft storage files, or tamper with Vault audit logs, leading to loss of confidentiality and accountability.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "likelihood": "possible",
+ "impact": "severe",
+ "impact_description": "Could result in full compromise of Vault data, bypassing of audit logs, and erosion of operational trust.",
+ "score": 15,
+ "level": "high"
+ },
+ {
+ "symbolic_name": "workload-auth-abuse",
+ "title": "Compromised workloads abusing Vault authentication",
+ "description": "A compromised workload
(application, CI/CD job) can abuse Kubernetes, AppRole, or IAM auth to escalate privileges and extract secrets beyond intended scope.",
+ "threats": [
+ "compromised-workload-abuse-auth",
+ "misconfigured-policies-excess-privilege"
+ ],
+ "likelihood": "unlikely",
+ "impact": "severe",
+ "impact_description": "Widespread credential exposure or lateral movement into other systems and services.",
+ "score": 10,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "network-exposure-and-mitm",
+ "title": "Network exposure or misconfiguration leading to interception or Raft compromise",
+ "description": "If Raft ports (8201) are exposed or TLS is misconfigured at the load balancer, attackers could eavesdrop, tamper with traffic, or attempt to join the Raft cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "likelihood": "rare",
+ "impact": "severe",
+ "impact_description": "Interception of secrets or compromise of Vault cluster integrity.",
+ "score": 5,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "vault-availability-risk",
+ "title": "Loss of Vault availability",
+ "description": "Failures in Raft consensus, node crashes, or dependency outages (e.g., KMS auto-unseal) could make Vault unavailable, preventing applications from retrieving secrets.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "likelihood": "unlikely",
+ "impact": "major",
+ "impact_description": "Applications relying on Vault could experience outages and service disruption.",
+ "score": 10,
+ "level": "high"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/valid-behavior-process-2.0.json b/tools/src/test/resources/2.0/valid-behavior-process-2.0.json
new file mode 100644
index 000000000..e652fd6ff
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-behavior-process-2.0.json
@@ -0,0 +1,56 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0002-4abc-8def-1122334455bb",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-request-pipeline",
+ "name": "API request handling pipeline",
+ "modelTypes": [
+ "process"
+ ],
+ "behaviors": {
+ "graphs": [
+ {
+ "bom-ref": "pg-request",
+ "name": "Request handling pipeline",
+ "kind": "activity",
+ "ordering": "sequential",
+ "trigger": "api-call",
+ "nodes": [
+ {
+ "bom-ref": "n-receive",
+ "kind": "activity",
+ "ordinal": 1,
+ "behavior": "data:ingestion:receivesRequest",
+ "name": "Receive request"
+ },
+ {
+ "bom-ref": "n-authenticate",
+ "kind": "activity",
+ "ordinal": 2,
+ "behavior": "security:authentication:authenticatesUser",
+ "name": "Authenticate caller"
+ },
+ {
+ "bom-ref": "n-backend",
+ "kind": "activity",
+ "ordinal": 3,
+ "behavior": "network:connection:establishesConnection",
+ "name": "Call backend service"
+ },
+ {
+ "bom-ref": "n-log",
+ "kind": "activity",
+ "ordinal": 4,
+ "behavior": "security:auditing:logsEvent",
+ "name": "Log the transaction"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json b/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json
new file mode 100644
index 000000000..3d70f1b7e
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json
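Review bot: This fixture carries no `$comment` stating what it exercises, while the valid-blueprint-architecture, -behavioral, -conceptual and -data-flow fixtures added in the same commit each open with one, so a reader cannot tell whether the target here is `"ordering": "sequential"`, the per-node `ordinal`, or the `"trigger": "api-call"` value. The same gap applies to valid-behavior-statemachine-2.0.json and valid-blueprint-authentication-2.0.json, whose purpose (guarded multi-exit transitions; every authentication and authorization enum value plus the object form) is only recoverable by reading the whole file. Suggest a first property such as `"$comment": "Model type: process. Exercises an activity graph with sequential ordering, ordinal-numbered nodes and an api-call trigger."` and equivalents for the other two.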
@@ -0,0 +1,88 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0001-4abc-8def-1122334455aa",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-connection-behavioral",
+ "name": "Client connection lifecycle",
+ "modelTypes": [
+ "behavioral"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-client",
+ "type": "service",
+ "name": "Client application"
+ }
+ ],
+ "behaviors": {
+ "graphs": [
+ {
+ "bom-ref": "sm-connection",
+ "name": "Connection lifecycle",
+ "kind": "state-machine",
+ "subject": "asset-client",
+ "nodes": [
+ {
+ "bom-ref": "s-idle",
+ "kind": "initial"
+ },
+ {
+ "bom-ref": "s-connecting",
+ "kind": "state",
+ "name": "Connecting"
+ },
+ {
+ "bom-ref": "s-connected",
+ "kind": "state",
+ "name": "Connected"
+ },
+ {
+ "bom-ref": "s-closed",
+ "kind": "final",
+ "name": "Closed"
+ }
+ ],
+ "transitions": [
+ {
+ "bom-ref": "t-open",
+ "source": "s-idle",
+ "target": "s-connecting",
+ "trigger": "user-initiated"
+ },
+ {
+ "bom-ref": "t-established",
+ "source": "s-connecting",
+ "target": "s-connected",
+ "trigger": "event-driven",
+ "guard": "handshake.complete == true"
+ },
+ {
+ "bom-ref": "t-failed",
+ "source": "s-connecting",
+ "target": "s-idle",
+ "trigger": "event-driven",
+ "guard": "handshake.complete == false"
+ },
+ {
+ "bom-ref": "t-reconnect",
+ "source": "s-connected",
+ "target": "s-connecting",
+ "trigger": "signal",
+ "guard": "heartbeat.lost == true"
+ },
+ {
+ "bom-ref": "t-close",
+ "source": "s-connected",
+ "target": "s-closed",
+ "trigger": "user-initiated"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json
new file mode 100644
index 000000000..30bc6ae71
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json
@@ -0,0 +1,270 @@
+{
+ "$comment": "Model type: architecture. This example models the architecture of a fictional online retail platform. It is represented as a blueprint whose assets are the major services (storefront, gateway, catalogue, order, payment) and data stores, grouped into logical zones for the presentation, application, and data tiers. Static structure is expressed with typed relationships (serves, depends-on), runtime exchanges with flows that carry protocols and authentication, and each service exposes typed interfaces. Ownership, scope, a requirement reference, and a compliance assumption complete the view.",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a1",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-architecture",
+ "name": "Acme online retail platform architecture",
+ "description": "Architecture view of the Acme storefront, showing the major services, their interfaces, and the relationships and exchanges between them across the presentation, application, and data tiers.",
+ "modelTypes": [
+ "architecture"
+ ],
+ "metadata": {
+ "timestamp": "2026-06-05T12:00:00Z",
+ "authors": [
+ {
+ "roles": [
+ {
+ "role": "author"
+ }
+ ],
+ "person": {
+ "name": "Dana Lee",
+ "jobTitle": "Principal Architect"
+ }
+ }
+ ]
+ },
+ "scope": {
+ "name": "Storefront and checkout",
+ "description": "Customer-facing browsing and checkout, excluding back-office fulfilment.",
+ "includedComponents": [
+ "asset-storefront",
+ "asset-order"
+ ]
+ },
+ "zones": [
+ {
+ "bom-ref": "zone-presentation",
+ "name": "Presentation tier",
+ "type": "logical",
+ "characteristics": [
+ "public-facing"
+ ]
+ },
+ {
+ "bom-ref": "zone-application",
+ "name": "Application tier",
+ "type": "logical"
+ },
+ {
+ "bom-ref": "zone-data",
+ "name": "Data tier",
+ "type": "data",
+ "constraints": [
+ "No direct ingress from the presentation tier"
+ ]
+ }
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-storefront",
+ "type": "service", + "name": "Storefront web application", + "description": "Renders the catalogue and shopping cart for customers.", + "zone": "zone-presentation", + "classification": { + "criticality": "high" + }, + "tags": [ + "customer-facing" + ], + "responsibilities": [ + "Render product pages", + "Manage the shopping cart" + ], + "interfaces": [ + { + "name": "Storefront API", + "type": "rest", + "operations": [ + "browseCatalogue", + "addToCart" + ] + } + ], + "ownership": [ + { + "roles": [ + { + "role": "owner" + } + ], + "organization": { + "name": "Acme Storefront Team" + } + } + ] + }, + { + "bom-ref": "asset-gateway", + "type": "gateway", + "name": "API gateway", + "zone": "zone-application", + "interfaces": [ + { + "name": "Edge API", + "type": "rest" + } + ] + }, + { + "bom-ref": "asset-catalog", + "type": "service", + "name": "Catalogue service", + "zone": "zone-application", + "interfaces": [ + { + "name": "Catalogue gRPC", + "type": "grpc", + "operations": [ + "GetProduct", + "ListProducts" + ] + } + ] + }, + { + "bom-ref": "asset-order", + "type": "service", + "name": "Order service", + "zone": "zone-application", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-payment", + "type": "service", + "name": "Payment service", + "zone": "zone-application", + "classification": { + "criticality": "critical" + }, + "interfaces": [ + { + "name": "Payment API", + "type": "rest", + "authentication": [ + "mtls" + ] + } + ] + }, + { + "bom-ref": "asset-catalog-db", + "type": "data-store", + "name": "Catalogue database", + "zone": "zone-data" + }, + { + "bom-ref": "asset-order-db", + "type": "data-store", + "name": "Order database", + "zone": "zone-data", + "classification": { + "criticality": "critical" + } + } + ], + "relationships": [ + { + "ref": "asset-gateway", + "serves": [ + "asset-catalog", + "asset-order" + ] + }, + { + "ref": "asset-order", + "dependsOn": [ + "asset-payment", + "asset-order-db" + ] + }, + { + 
"ref": "asset-storefront", + "dependsOn": [ + "asset-gateway" + ] + }, + { + "ref": "asset-catalog", + "dependsOn": [ + "asset-catalog-db" + ] + } + ], + "flows": [ + { + "bom-ref": "flow-browse", + "name": "Browse catalogue", + "type": "data", + "source": "asset-storefront", + "destination": "asset-gateway", + "synchronous": true, + "protocols": [ + "https" + ] + }, + { + "bom-ref": "flow-order", + "name": "Place order", + "type": "data", + "source": "asset-gateway", + "destination": "asset-order", + "synchronous": true, + "protocols": [ + "https" + ] + }, + { + "bom-ref": "flow-pay", + "name": "Authorize payment", + "type": "data", + "source": "asset-order", + "destination": "asset-payment", + "synchronous": true, + "protocols": [ + "https" + ], + "authentication": [ + "mtls" + ] + } + ], + "useCases": [ + { + "assets": [ + "asset-order", + "asset-payment" + ], + "requirements": [ + "req-checkout" + ] + } + ], + "assumptions": [ + { + "bom-ref": "asm-pci", + "description": "The payment service is operated within a PCI DSS compliant environment.", + "topic": "compliance", + "validity": "verified" + } + ] + } + ], + "definitions": { + "requirements": [ + { + "bom-ref": "req-checkout", + "id": "REQ-CHK-001", + "name": "Checkout completes within three seconds", + "priority": "high" + } + ] + } +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json new file mode 100644 index 000000000..62a2c2fda --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json 
@@ -0,0 +1,56 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:7c6b5a4d-3e2f-4109-8a7b-6c5d4e3f2a1b",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-auth",
+ "name": "Authentication coverage model",
+ "modelTypes": [
+ "data-flow"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-gateway",
+ "type": "gateway",
+ "name": "API gateway",
+ "authentication": [
+ "mtls",
+ "oauth2",
+ "session-cookie",
+ "totp",
+ "radius",
+ "scram",
+ "eap",
+ "psk",
+ "hmac",
+ "magic-link",
+ "biometric",
+ "form",
+ "pin",
+ "push",
+ {
+ "name": "proprietary-handshake",
+ "description": "Vendor-specific challenge response used by the legacy partner integration."
+ }
+ ]
+ },
+ {
+ "bom-ref": "asset-webapp",
+ "type": "service",
+ "name": "Customer web application",
+ "authentication": [
+ "form",
+ "session-cookie"
+ ],
+ "authorization": [
+ "rbac",
+ "radac",
+ "capability"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json
new file mode 100644
index 000000000..8839431f6
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json
@@ -0,0 +1,137 @@
+{
+ "$comment": "Model type: behavioral. This example models the payment lifecycle of a fictional point-of-sale terminal as a behavior graph of kind state-machine. The nodes are states, the transitions fire on triggers under guard conditions, and several states have more than one exit (authorizing leads to authorized or declined, authorized leads to captured or voided), which is the multi-exit shape a linear flow cannot express. Entry and transition effects reference behavior instances drawn from the taxonomy.",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a9",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-behavioral",
+ "name": "Point-of-sale payment lifecycle",
+ "description": "How a terminal moves a payment from idle through authorization to capture, void, or decline.",
+ "modelTypes": [
+ "behavioral"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-pos",
+ "type": "device",
+ "name": "Point-of-sale terminal"
+ },
+ {
+ "bom-ref": "asset-acquirer",
+ "type": "service",
+ "name": "Acquirer gateway"
+ }
+ ],
+ "behaviors": {
+ "instances": [
+ {
+ "bom-ref": "bi-auth",
+ "behavior": "security:authentication:authenticatesUser",
+ "trigger": "user-initiated",
+ "acknowledgment": [
+ "declared"
+ ],
+ "actors": [
+ "asset-pos"
+ ]
+ },
+ {
+ "bom-ref": "bi-contact",
+ "behavior": "network:connection:establishesConnection",
+ "actors": [
+ "asset-pos"
+ ],
+ "targets": [
+ "asset-acquirer"
+ ]
+ },
+ {
+ "bom-ref": "bi-log",
+ "behavior": "security:auditing:logsEvent",
+ "actors": [
+ "asset-pos"
+ ]
+ }
+ ],
+ "graphs": [
+ {
+ "bom-ref": "sm-payment",
+ "name": "Payment lifecycle",
+ "kind": "state-machine",
+ "subject": "asset-pos",
+ "nodes": [
+ {
+ "bom-ref": "ps-idle",
+ "kind": "initial"
+ },
+ {
+ "bom-ref": "ps-authorizing",
+ "kind": "state",
+ "name": "Authorizing",
+ "onEntry": "bi-contact"
+ },
+ {
+ "bom-ref": "ps-authorized",
+ "kind": "state",
+ "name":
"Authorized" + }, + { + "bom-ref": "ps-captured", + "kind": "final", + "name": "Captured" + }, + { + "bom-ref": "ps-voided", + "kind": "final", + "name": "Voided" + }, + { + "bom-ref": "ps-declined", + "kind": "final", + "name": "Declined" + } + ], + "transitions": [ + { + "bom-ref": "pt-start", + "source": "ps-idle", + "target": "ps-authorizing", + "trigger": "user-initiated", + "effect": "bi-auth" + }, + { + "bom-ref": "pt-approve", + "source": "ps-authorizing", + "target": "ps-authorized", + "trigger": "event-driven", + "guard": "acquirer.approved == true" + }, + { + "bom-ref": "pt-decline", + "source": "ps-authorizing", + "target": "ps-declined", + "trigger": "event-driven", + "guard": "acquirer.approved == false" + }, + { + "bom-ref": "pt-capture", + "source": "ps-authorized", + "target": "ps-captured", + "trigger": "event-driven", + "effect": "bi-log" + }, + { + "bom-ref": "pt-void", + "source": "ps-authorized", + "target": "ps-voided", + "trigger": "user-initiated" + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json new file mode 100644 index 000000000..8b105148a --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json 
@@ -0,0 +1,150 @@
+{
+ "$comment": "Model type: conceptual. This example is a technology-neutral conceptual model of a community library. It is represented as a blueprint with no implementation detail: the key business capabilities (Membership, Catalogue, Lending) are assets linked by typed relationships, and the core domain concepts (Member, Item, Branch, Loan) are data objects whose associations are expressed as data relationships with cardinality. There are deliberately no protocols, deployments, keys, or flows, which is what distinguishes a conceptual model from a logical or data-flow one.",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a2",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-conceptual",
+ "name": "Community library conceptual model",
+ "description": "A technology-neutral conceptual model of a community library, capturing the key business concepts and how they relate, without any implementation detail such as databases, services, or protocols.",
+ "modelTypes": [
+ "conceptual"
+ ],
+ "metadata": {
+ "timestamp": "2026-06-05T12:05:00Z",
+ "authors": [
+ {
+ "roles": [
+ {
+ "role": "author"
+ }
+ ],
+ "person": {
+ "name": "Sam Rivera"
+ }
+ }
+ ]
+ },
+ "scope": {
+ "name": "Lending domain",
+ "description": "Concepts involved in lending physical items to members."
+ },
+ "assets": [
+ {
+ "bom-ref": "cap-membership",
+ "type": "subsystem",
+ "name": "Membership",
+ "description": "The capability concerned with enrolling and identifying members."
+ },
+ {
+ "bom-ref": "cap-catalogue",
+ "type": "subsystem",
+ "name": "Catalogue",
+ "description": "The capability concerned with describing and locating items."
+ },
+ {
+ "bom-ref": "cap-lending",
+ "type": "subsystem",
+ "name": "Lending",
+ "description": "The capability concerned with loans, due dates, and returns."
+ }
+ ],
+ "relationships": [
+ {
+ "ref": "cap-lending",
+ "dependsOn": [
+ "cap-catalogue",
+ "cap-membership"
+ ]
+ }
+ ],
+ "dataSets": [
+ {
+ "bom-ref": "ds-library-domain",
+ "name": "Library domain entities",
+ "description": "The conceptual entities of the lending domain and their associations.",
+ "dataObjects": [
+ {
+ "bom-ref": "do-member",
+ "name": "Member",
+ "description": "A person enrolled to borrow items.",
+ "attributes": [
+ {
+ "name": "memberName"
+ },
+ {
+ "name": "membershipStatus"
+ }
+ ]
+ },
+ {
+ "bom-ref": "do-item",
+ "name": "Item",
+ "description": "A borrowable item such as a book or recording.",
+ "attributes": [
+ {
+ "name": "title"
+ },
+ {
+ "name": "format"
+ }
+ ],
+ "relationships": [
+ {
+ "name": "held at",
+ "target": "do-branch",
+ "cardinality": "many-to-many"
+ }
+ ]
+ },
+ {
+ "bom-ref": "do-branch",
+ "name": "Branch",
+ "description": "A physical library location.",
+ "attributes": [
+ {
+ "name": "branchName"
+ }
+ ]
+ },
+ {
+ "bom-ref": "do-loan",
+ "name": "Loan",
+ "description": "The act of a member borrowing an item for a period.",
+ "attributes": [
+ {
+ "name": "loanDate"
+ },
+ {
+ "name": "dueDate"
+ }
+ ],
+ "relationships": [
+ {
+ "name": "borrowed by",
+ "target": "do-member",
+ "cardinality": "many-to-one"
+ },
+ {
+ "name": "for item",
+ "target": "do-item",
+ "cardinality": "many-to-one"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "assumptions": [
+ {
+ "bom-ref": "asm-one-branch",
+ "description": "An item belongs to exactly one branch at a time, though it may move between branches.",
+ "topic": "business",
+ "validity": "unverified"
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json
new file mode 100644
index 000000000..3c82aae85
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json
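Review bot: The `do-item` relationship `"held at"` to `do-branch` is given `"cardinality": "many-to-many"`, but the `asm-one-branch` assumption states that an item belongs to exactly one branch at a time; the two disagree unless the relationship is meant to record history rather than current location. Either change it to `"cardinality": "many-to-one"` to match the assumption, or rename the relationship (for example `"has been held at"`) and say in the data set description that it spans time. The assumption's `"validity": "unverified"` does not resolve this, because the cardinality is a structural claim the model itself makes regardless of whether the business rule has been confirmed. The blueprint header, `$comment` and `assets` are on the previous line of this hunk.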
@@ -0,0 +1,211 @@ +{ + "$comment": "Model type: data-flow. This example models an online banking funds transfer as a data flow diagram, the substrate most commonly used for STRIDE per-element threat analysis. It is represented as a blueprint with an external customer actor, processing services, and data stores arranged across three trust zones (internet, DMZ, core) that are separated by trust boundaries. Flows carry named data objects, authentication, and protocols as they move between zones, so each flow that crosses a boundary is visible. Zones plus boundaries plus typed data flows are the core constructs of this model type. The internet-facing boundary separates its crossingRequirements, the controls applied at each crossing such as authentication and logging, from sessionManagement, the lifecycle of the authenticated session it establishes, which is scoped to the session rather than to any single crossing.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a4", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-data-flow", + "name": "Online banking funds transfer data flow", + "description": "How a customer's login and transfer request moves through the portal, authentication, and transfer services to the account store and audit log, across trust boundaries.", + "modelTypes": [ + "data-flow" + ], + "zones": [ + { + "bom-ref": "zone-internet", + "name": "Internet", + "type": "trust", + "characteristics": [ + "untrusted" + ] + }, + { + "bom-ref": "zone-dmz", + "name": "DMZ", + "type": "trust" + }, + { + "bom-ref": "zone-core", + "name": "Core banking", + "type": "trust", + "characteristics": [ + "highly trusted" + ] + } + ], + "boundaries": [ + { + "bom-ref": "bnd-internet-dmz", + "name": "Internet to DMZ", + "type": "trust", + "zones": [ + "zone-internet", + "zone-dmz" + ], + "crossingRequirements": { + "authentication": [ + "form", + "session-cookie" + ], + "authorization": [ + "rbac" + ], + 
"protocols": [ + "https" + ], + "logging": true, + "monitoring": true + }, + "sessionManagement": { + "accessTokenExpires": true, + "accessTokenTtl": 900, + "refreshToken": true, + "refreshTokenTtl": 86400, + "idleTimeout": 900, + "absoluteTimeout": 28800, + "userLogout": true, + "systemLogout": true + } + }, + { + "bom-ref": "bnd-dmz-core", + "name": "DMZ to core", + "type": "trust", + "zones": [ + "zone-dmz", + "zone-core" + ] + } + ], + "actors": [ + { + "bom-ref": "act-customer", + "party": { + "roles": [ + { + "role": "end-user" + } + ], + "persona": { + "archetype": "customer" + } + }, + "description": "A retail banking customer initiating a transfer.", + "zone": "zone-internet", + "permissions": [ + "initiate-transfer" + ] + } + ], + "assets": [ + { + "bom-ref": "asset-portal", + "type": "service", + "name": "Web portal", + "zone": "zone-dmz" + }, + { + "bom-ref": "asset-auth", + "type": "service", + "name": "Authentication service", + "zone": "zone-core" + }, + { + "bom-ref": "asset-transfer", + "type": "service", + "name": "Transfer service", + "zone": "zone-core", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-accounts", + "type": "data-store", + "name": "Account store", + "zone": "zone-core", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-audit", + "type": "data-store", + "name": "Audit log", + "zone": "zone-core" + } + ], + "flows": [ + { + "bom-ref": "df-login", + "name": "Login and transfer request", + "type": "data", + "source": "act-customer", + "destination": "asset-portal", + "synchronous": true, + "protocols": [ + "https" + ], + "authentication": [ + "form", + "totp" + ], + "dataObjects": [ + { + "name": "credentials" + }, + { + "name": "transfer-instruction" + } + ] + }, + { + "bom-ref": "df-authenticate", + "name": "Authenticate session", + "type": "data", + "source": "asset-portal", + "destination": "asset-auth", + "synchronous": true, + "protocols": [ + "https" + ] + }, + 
{ + "bom-ref": "df-debit-credit", + "name": "Debit and credit accounts", + "type": "data", + "source": "asset-transfer", + "destination": "asset-accounts", + "synchronous": true, + "authorization": [ + "rbac" + ], + "dataObjects": [ + { + "name": "ledger-entry" + } + ] + }, + { + "bom-ref": "df-audit", + "name": "Write audit record", + "type": "data", + "source": "asset-transfer", + "destination": "asset-audit", + "synchronous": false, + "timing": "asynchronous" + } + ], + "assumptions": [ + { + "bom-ref": "asm-tls", + "description": "All flows that cross a trust boundary are protected with mutually authenticated TLS.", + "topic": "security", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json new file mode 100644 index 000000000..a0c9424d1 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json 
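Review bot: The transfer instruction never reaches the transfer service: `df-login` carries `transfer-instruction` into the web portal in the DMZ, but the only flow leaving the portal is `df-authenticate`, so `asset-transfer` has no inbound flow and the DMZ-to-core crossing that actually moves money is the one crossing missing from a model whose `$comment` promises that "each flow that crosses a boundary is visible". That same crossing is where `bnd-dmz-core` declares no `crossingRequirements`, so nothing records how the core is protected from the DMZ; the flow below (using only authentication values already present in the file) makes the gap analysable. Separately, `df-login` lists `"totp"` while `bnd-internet-dmz.crossingRequirements.authentication` lists `"session-cookie"`, so the flow and the boundary it crosses disagree on what is required and one should be aligned with the other. The `asm-tls` assumption is `verified`, yet no flow records mutual TLS, so a consumer cannot check the assumption against the flows it claims to cover.
```json
{
  "bom-ref": "df-transfer",
  "name": "Submit transfer instruction",
  "type": "data",
  "source": "asset-portal",
  "destination": "asset-transfer",
  "synchronous": true,
  "protocols": [
    "https"
  ],
  "authentication": [
    "session-cookie"
  ],
  "dataObjects": [
    {
      "name": "transfer-instruction"
    }
  ]
}
```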
@@ -0,0 +1,134 @@ +{ + "$comment": "Model type: deployment. This example shows how a fictional SaaS checkout application is allocated to runtime and infrastructure. It is represented as a blueprint whose assets are deployment units (load balancer, container workloads, and a worker node) placed into a production deployment zone and an east geographic region. Artifact-on-node allocation and dependencies are expressed with typed relationships (contains, depends-on), the managed database and object store are data stores carrying an environment, and flows complete the topology.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a5", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-deployment", + "name": "Acme checkout deployment topology", + "description": "Production deployment of the checkout workloads onto a cluster node, fronted by a load balancer, with a managed database and object storage.", + "modelTypes": [ + "deployment" + ], + "zones": [ + { + "bom-ref": "zone-prod", + "name": "Production", + "type": "deployment" + }, + { + "bom-ref": "zone-region-east", + "name": "East region", + "type": "geographic" + } + ], + "assets": [ + { + "bom-ref": "asset-lb", + "type": "gateway", + "name": "Load balancer", + "zone": "zone-prod" + }, + { + "bom-ref": "asset-node", + "type": "infrastructure", + "name": "Cluster worker node", + "zone": "zone-prod", + "tags": [ + "kubernetes-node" + ] + }, + { + "bom-ref": "asset-checkout-pod", + "type": "container", + "name": "Checkout workload", + "zone": "zone-prod" + }, + { + "bom-ref": "asset-worker-pod", + "type": "container", + "name": "Async worker workload", + "zone": "zone-prod" + } + ], + "relationships": [ + { + "ref": "asset-node", + "contains": [ + "asset-checkout-pod", + "asset-worker-pod" + ] + }, + { + "ref": "asset-lb", + "serves": [ + "asset-checkout-pod" + ] + }, + { + "ref": "asset-checkout-pod", + "dependsOn": [ + "ds-postgres" + ] + }, + { + 
"ref": "asset-worker-pod", + "dependsOn": [ + "ds-object" + ] + } + ], + "dataStores": [ + { + "bom-ref": "ds-postgres", + "name": "Managed PostgreSQL", + "type": "relational", + "environment": "production", + "zone": "zone-prod", + "location": "east region" + }, + { + "bom-ref": "ds-object", + "name": "Object storage bucket", + "type": "object", + "environment": "production", + "zone": "zone-prod" + } + ], + "flows": [ + { + "bom-ref": "dflow-ingress", + "name": "Inbound HTTPS", + "type": "data", + "source": "asset-lb", + "destination": "asset-checkout-pod", + "protocols": [ + "https" + ], + "synchronous": true + }, + { + "bom-ref": "dflow-db", + "name": "Database queries", + "type": "data", + "source": "asset-checkout-pod", + "destination": "ds-postgres", + "protocols": [ + "tcp" + ], + "synchronous": true + } + ], + "assumptions": [ + { + "bom-ref": "asm-autoscale", + "description": "The node pool autoscales horizontally under load.", + "topic": "performance", + "validity": "unverified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json new file mode 100644 index 000000000..ae7f1a919 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json 
@@ -0,0 +1,177 @@ +{ + "$comment": "Model type: logical. This example is a logical data model of a fictional retail bank, independent of any specific database technology. It is represented as a blueprint whose data set holds the entities (Customer, Account, Transaction, Card) as data objects with attribute-level key roles (primary, foreign, unique) and foreign-key references, and whose inter-entity associations are data relationships with cardinality. Logical application components and their typed relationships show how the structure is realised. A logical zone groups the entities.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a3", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-logical", + "name": "Retail bank logical model", + "description": "Logical structure of customers, accounts, transactions, and cards, with the keys and relationships that define the data model independent of implementation.", + "modelTypes": [ + "logical" + ], + "metadata": { + "timestamp": "2026-06-05T12:10:00Z", + "authors": [ + { + "roles": [ + { + "role": "author" + } + ], + "person": { + "name": "Priya Nair" + } + } + ] + }, + "zones": [ + { + "bom-ref": "zone-logical-core", + "name": "Core banking", + "type": "logical" + } + ], + "assets": [ + { + "bom-ref": "comp-accounts", + "type": "component", + "name": "Account management component", + "zone": "zone-logical-core", + "responsibilities": [ + "Open and close accounts", + "Maintain balances" + ] + }, + { + "bom-ref": "comp-payments", + "type": "component", + "name": "Payments component", + "zone": "zone-logical-core" + } + ], + "relationships": [ + { + "ref": "comp-payments", + "dependsOn": [ + "comp-accounts" + ] + } + ], + "dataSets": [ + { + "bom-ref": "ds-bank", + "name": "Core banking entities", + "description": "The logical entities of the core banking domain with keys and relationships.", + "dataObjects": [ + { + "bom-ref": "do-customer", + "name": 
"Customer", + "attributes": [ + { + "bom-ref": "a-customer-id", + "name": "customer_id", + "key": "primary" + }, + { + "name": "email", + "key": "unique" + }, + { + "name": "full_name" + } + ] + }, + { + "bom-ref": "do-account", + "name": "Account", + "attributes": [ + { + "bom-ref": "a-account-id", + "name": "account_id", + "key": "primary" + }, + { + "bom-ref": "a-account-customer", + "name": "customer_id", + "key": "foreign", + "references": "do-customer" + }, + { + "name": "balance" + } + ], + "relationships": [ + { + "bom-ref": "lrel-account-customer", + "name": "owned by", + "target": "do-customer", + "cardinality": "many-to-one", + "sourceAttributes": [ + "a-account-customer" + ], + "targetAttributes": [ + "a-customer-id" + ] + } + ] + }, + { + "bom-ref": "do-transaction", + "name": "Transaction", + "attributes": [ + { + "bom-ref": "a-txn-id", + "name": "transaction_id", + "key": "primary" + }, + { + "bom-ref": "a-txn-account", + "name": "account_id", + "key": "foreign", + "references": "do-account" + }, + { + "name": "amount" + } + ], + "relationships": [ + { + "name": "posted to", + "target": "do-account", + "cardinality": "many-to-one" + } + ] + }, + { + "bom-ref": "do-card", + "name": "Card", + "attributes": [ + { + "bom-ref": "a-card-id", + "name": "card_id", + "key": "primary" + }, + { + "bom-ref": "a-card-account", + "name": "account_id", + "key": "foreign", + "references": "do-account" + } + ], + "relationships": [ + { + "name": "issued for", + "target": "do-account", + "cardinality": "many-to-one" + } + ] + } + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json new file mode 100644 index 000000000..56993f0b6 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json 
@@ -0,0 +1,154 @@ +{ + "$comment": "Model type: network. This example models the segmented enterprise network of a fictional company. It is represented as a blueprint whose network zones are the segments (internet, DMZ, internal, management), whose boundaries are the firewalls that connect adjacent segments, and whose assets are the network nodes (edge firewall, core switch, web server, application server, VPN gateway, admin workstation). Flows carry the protocols permitted between segments. Network zones plus boundaries plus protocol-bearing flows are the defining constructs.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a6", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-network", + "name": "Globex enterprise network topology", + "description": "Segmented network with internet, DMZ, internal, and management zones connected through firewalls.", + "modelTypes": [ + "network" + ], + "zones": [ + { + "bom-ref": "net-internet", + "name": "Internet", + "type": "network" + }, + { + "bom-ref": "net-dmz", + "name": "DMZ segment", + "type": "network" + }, + { + "bom-ref": "net-internal", + "name": "Internal segment", + "type": "network" + }, + { + "bom-ref": "net-management", + "name": "Management segment", + "type": "network", + "characteristics": [ + "out-of-band" + ] + } + ], + "boundaries": [ + { + "bom-ref": "fw-edge", + "name": "Edge firewall", + "type": "network", + "zones": [ + "net-internet", + "net-dmz" + ] + }, + { + "bom-ref": "fw-internal", + "name": "Internal firewall", + "type": "network", + "zones": [ + "net-dmz", + "net-internal" + ] + }, + { + "bom-ref": "fw-management", + "name": "Management firewall", + "type": "network", + "zones": [ + "net-internal", + "net-management" + ] + } + ], + "assets": [ + { + "bom-ref": "net-asset-web", + "type": "endpoint", + "name": "Web server", + "zone": "net-dmz" + }, + { + "bom-ref": "net-asset-app", + "type": "endpoint", + "name": 
"Application server", + "zone": "net-internal" + }, + { + "bom-ref": "net-asset-switch", + "type": "network", + "name": "Core switch", + "zone": "net-internal" + }, + { + "bom-ref": "net-asset-vpn", + "type": "gateway", + "name": "VPN gateway", + "zone": "net-management" + }, + { + "bom-ref": "net-asset-admin", + "type": "device", + "name": "Administrator workstation", + "zone": "net-management" + } + ], + "relationships": [ + { + "ref": "net-asset-web", + "dependsOn": [ + "net-asset-app" + ] + } + ], + "flows": [ + { + "bom-ref": "nflow-https", + "name": "Public HTTPS", + "type": "data", + "source": "net-internet", + "destination": "net-asset-web", + "protocols": [ + "https" + ] + }, + { + "bom-ref": "nflow-app", + "name": "Web to application", + "type": "data", + "source": "net-asset-web", + "destination": "net-asset-app", + "protocols": [ + "tcp" + ] + }, + { + "bom-ref": "nflow-admin", + "name": "Administrative SSH", + "type": "data", + "source": "net-asset-admin", + "destination": "net-asset-app", + "protocols": [ + "ssh" + ], + "authentication": [ + "ssh" + ] + } + ], + "assumptions": [ + { + "bom-ref": "asm-default-deny", + "description": "Each firewall enforces default-deny with explicit allow rules.", + "topic": "security", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json new file mode 100644 index 000000000..b7028a664 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json 
@@ -0,0 +1,157 @@ +{ + "$comment": "Model type: operational. This example models how a fictional service team runs and supports a system in production. The operational procedure is a behavior graph: a start node, a logging activity, an exclusive gateway that escalates on severity, and a final node. Blueprint actors bind the on-call engineer and incident commander with their in-system permissions, and external references point to the human-readable runbooks.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000aa", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-operational", + "name": "Service operations and incident response", + "description": "On-call handling of a database alert, from acknowledgement through severity-based escalation to resolution.", + "modelTypes": [ + "operational" + ], + "externalReferences": [ + { + "url": "https://example.com/runbooks/database-failover", + "type": "documentation", + "comment": "Database failover runbook." 
+ } + ], + "actors": [ + { + "bom-ref": "op-oncall", + "party": { + "roles": [ + { + "role": "operator" + } + ], + "person": { + "name": "On-call engineer" + } + }, + "permissions": [ + "acknowledge-alert", + "execute-runbook" + ] + }, + { + "bom-ref": "op-commander", + "party": { + "roles": [ + { + "role": "principal" + } + ], + "person": { + "name": "Incident commander" + } + } + } + ], + "assets": [ + { + "bom-ref": "op-monitor", + "type": "service", + "name": "Monitoring platform" + }, + { + "bom-ref": "op-pager", + "type": "tool", + "name": "Paging system" + } + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "rb-failover", + "name": "Database failover runbook", + "kind": "activity", + "trigger": "event-driven", + "nodes": [ + { + "bom-ref": "n-alert", + "kind": "initial" + }, + { + "bom-ref": "n-ack", + "kind": "activity", + "behavior": "security:auditing:logsEvent", + "name": "Acknowledge alert", + "actors": [ + "op-oncall" + ], + "targets": [ + "op-monitor" + ] + }, + { + "bom-ref": "n-severity", + "kind": "gateway", + "gatewayKind": "exclusive", + "name": "Severity?" 
+ }, + { + "bom-ref": "n-escalate", + "kind": "event", + "eventType": "on-demand", + "name": "Page incident commander", + "actors": [ + "op-commander" + ] + }, + { + "bom-ref": "n-monitor", + "kind": "event", + "name": "Watch dashboards" + }, + { + "bom-ref": "n-resolved", + "kind": "final", + "name": "Incident resolved" + } + ], + "transitions": [ + { + "source": "n-alert", + "target": "n-ack" + }, + { + "source": "n-ack", + "target": "n-severity" + }, + { + "source": "n-severity", + "target": "n-escalate", + "guard": "severity == 'sev1'" + }, + { + "source": "n-severity", + "target": "n-monitor", + "default": true + }, + { + "source": "n-escalate", + "target": "n-resolved" + }, + { + "source": "n-monitor", + "target": "n-resolved" + } + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-oncall", + "description": "An on-call engineer is available at all times under the follow-the-sun rota.", + "topic": "operational", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json new file mode 100644 index 000000000..88f88d781 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json 
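Review bot: The graph is named "Database failover runbook" and the on-call actor holds `execute-runbook`, but no node executes a failover; the path is acknowledge → severity gateway → page or watch → resolved, so the runbook in `externalReferences` is never invoked and the `execute-runbook` permission is unused. `n-escalate` ("Page incident commander") also names `op-commander` as actor with no `targets`, although the `op-pager` asset exists for exactly this step; `"targets": ["op-pager"]` makes the paging dependency visible. `op-commander` carries no `permissions` while the on-call engineer's are enumerated, which matters if the commander is the one authorising a failover. Consider a `"kind": "activity"` node such as "Execute failover runbook" on the sev1 branch before `n-resolved`, with `op-oncall` as actor, so the graph reflects the runbook it references.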
@@ -0,0 +1,140 @@ +{ + "$comment": "Model type: physical. This example models the physical realisation of a fictional building automation system. It is represented as a blueprint whose assets are tangible devices (PLC, temperature sensor, HVAC actuator, edge gateway, SCADA server) placed in physical and geographic zones. The exchanges between them use the full breadth of flow types: signal (sensor readings), control (commands), energy (power), physical (conditioned air), and data (telemetry). A behavior instance drawn from the hardware taxonomy shows an actuator controlling temperature. Device assets, physical zones, and the energy, signal, and physical flow types are the defining constructs.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a7", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-physical", + "name": "Building automation physical model", + "description": "Physical devices, their power and signal connections, and the conditioned air they move on a plant floor.", + "modelTypes": [ + "physical" + ], + "zones": [ + { + "bom-ref": "phys-plant", + "name": "Plant floor", + "type": "physical" + }, + { + "bom-ref": "phys-control-room", + "name": "Control room", + "type": "physical" + }, + { + "bom-ref": "geo-site", + "name": "Riverside site", + "type": "geographic" + } + ], + "assets": [ + { + "bom-ref": "dev-plc", + "type": "device", + "name": "Programmable logic controller", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-sensor", + "type": "device", + "name": "Temperature sensor", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-hvac", + "type": "device", + "name": "HVAC actuator", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-gateway", + "type": "gateway", + "name": "Edge gateway", + "zone": "phys-control-room" + }, + { + "bom-ref": "dev-scada", + "type": "system", + "name": "SCADA server", + "zone": "phys-control-room" + } + ], + "relationships": [ + { + "ref": "dev-plc", + 
"dependsOn": [ + "dev-hvac" + ] + } + ], + "flows": [ + { + "bom-ref": "pflow-reading", + "name": "Temperature reading", + "type": "signal", + "source": "dev-sensor", + "destination": "dev-plc" + }, + { + "bom-ref": "pflow-command", + "name": "Actuation command", + "type": "control", + "source": "dev-plc", + "destination": "dev-hvac" + }, + { + "bom-ref": "pflow-power", + "name": "Mains power", + "type": "energy", + "source": "dev-gateway", + "destination": "dev-plc" + }, + { + "bom-ref": "pflow-air", + "name": "Conditioned air", + "type": "physical", + "source": "dev-hvac", + "destination": "phys-plant" + }, + { + "bom-ref": "pflow-telemetry", + "name": "Telemetry upload", + "type": "data", + "source": "dev-gateway", + "destination": "dev-scada", + "protocols": [ + "mqtt" + ] + } + ], + "behaviors": { + "instances": [ + { + "bom-ref": "bi-control-temp", + "behavior": "hardware:actuator:controlsTemperature", + "trigger": "condition-based", + "acknowledgment": [ + "declared" + ], + "actors": [ + "dev-hvac" + ], + "targets": [ + "phys-plant" + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-power", + "description": "Controllers are backed by an uninterruptible power supply.", + "topic": "availability", + "validity": "unverified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json new file mode 100644 index 000000000..4b6fd6760 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json 
@@ -0,0 +1,147 @@ +{ + "$comment": "Model type: process. This example models a fictional loan origination process as a behavior graph. The nodes are activities drawn from the behavior taxonomy plus an exclusive gateway that branches on the credit decision; transitions carry the order and the branch guards; and blueprint actors bind the loan officer and underwriter to the steps that perform them. A branching activity graph, with actors, is the defining construct.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a8", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-process", + "name": "Loan origination process", + "description": "From application intake through the credit decision to a recorded outcome.", + "modelTypes": [ + "process" + ], + "actors": [ + { + "bom-ref": "act-officer", + "party": { + "roles": [ + { + "role": "operator" + } + ], + "person": { + "name": "Loan officer", + "jobTitle": "Loan Officer" + } + }, + "permissions": [ + "intake-application" + ] + }, + { + "bom-ref": "act-underwriter", + "party": { + "roles": [ + { + "role": "verifier" + } + ], + "person": { + "name": "Underwriter" + } + } + } + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "pg-loan", + "name": "Loan origination", + "kind": "activity", + "trigger": "user-initiated", + "nodes": [ + { + "bom-ref": "n-start", + "kind": "initial" + }, + { + "bom-ref": "n-receive", + "kind": "activity", + "behavior": "data:ingestion:receivesRequest", + "name": "Receive application", + "actors": [ + "act-officer" + ] + }, + { + "bom-ref": "n-verify", + "kind": "activity", + "behavior": "security:authentication:authenticatesUser", + "name": "Verify applicant identity", + "actors": [ + "act-officer" + ] + }, + { + "bom-ref": "n-decision", + "kind": "gateway", + "gatewayKind": "exclusive", + "name": "Credit decision" + }, + { + "bom-ref": "n-approve", + "kind": "activity", + "behavior": "security:auditing:logsEvent", + "name": 
"Approve and record", + "actors": [ + "act-underwriter" + ] + }, + { + "bom-ref": "n-decline", + "kind": "event", + "name": "Decline letter sent" + }, + { + "bom-ref": "n-end", + "kind": "final" + } + ], + "transitions": [ + { + "source": "n-start", + "target": "n-receive" + }, + { + "source": "n-receive", + "target": "n-verify" + }, + { + "source": "n-verify", + "target": "n-decision" + }, + { + "source": "n-decision", + "target": "n-approve", + "guard": "creditScore >= 680" + }, + { + "source": "n-decision", + "target": "n-decline", + "default": true + }, + { + "source": "n-approve", + "target": "n-end" + }, + { + "source": "n-decline", + "target": "n-end" + } + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-credit-bureau", + "description": "A credit score is available from an external bureau at intake.", + "topic": "business", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json new file mode 100644 index 000000000..b444461ed --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json 
@@ -0,0 +1,62 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:2b1c0d9e-7a3f-4c21-9f0a-6d5e4c3b2a10",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-payments",
+ "name": "Payment service model",
+ "modelTypes": [
+ "data-flow"
+ ],
+ "visualizations": [
+ {
+ "bom-ref": "viz-inline-source",
+ "name": "Payment data flow",
+ "description": "Inline diagram source carried as an attachment and rendered by the consumer.",
+ "type": {
+ "type": "data-flow"
+ },
+ "attachment": {
+ "mediaType": "text/vnd.mermaid",
+ "content": "flowchart LR; user-->gateway-->ledger"
+ },
+ "level": "high"
+ },
+ {
+ "bom-ref": "viz-base64-image",
+ "name": "Architecture overview",
+ "type": {
+ "type": "architecture"
+ },
+ "attachment": {
+ "mediaType": "image/png",
+ "encoding": "base64",
+ "content": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg=="
+ }
+ },
+ {
+ "bom-ref": "viz-external-url",
+ "name": "Deployment topology",
+ "type": {
+ "name": "deployment topology"
+ },
+ "url": "https://example.com/diagrams/deployment.svg"
+ },
+ {
+ "bom-ref": "viz-attack-tree",
+ "name": "Credential theft attack tree",
+ "description": "Rendered attack tree exercising a newly added visualization type.",
+ "type": {
+ "type": "attack-tree"
+ },
+ "attachment": {
+ "mediaType": "text/vnd.mermaid",
+ "content": "flowchart TD; goal-->phish; goal-->stuffing"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json b/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json new file mode 100644
index 000000000..3ca54e84b
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json
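Review bot: This is the only blueprint example in the set without a `$comment`, and it is the one that most needs a caveat: `viz-inline-source` and `viz-attack-tree` carry Mermaid source that the description says is "rendered by the consumer", and `viz-external-url` points at a remote SVG with no integrity check. A consumer that renders diagram source or fetches and embeds an SVG from an untrusted BOM is executing content chosen by the BOM author (Mermaid labels can carry links and markup; SVG can carry script), so the example should state that renderers must sandbox such content and that `url` visualizations should be pinned by hash if the schema offers hashes on visualizations (not visible in this hunk). Suggested opening line: `"$comment": "Visualizations carried three ways: inline diagram source, a base64 raster, and an external URL. Diagram source and fetched SVG are author-controlled content; render them sandboxed and verify fetched artifacts before embedding."` The `level` field appears only on the first entry, so its meaning and default are worth a sentence there as well.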
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:4b9e7d2f-3a1c-4e6b-8c5d-9f2a6e1b7c34",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-encryption-at-rest",
+ "name": "Encryption at rest",
+ "category": "preventive",
+ "status": "verified"
+ },
+ {
+ "bom-ref": "control-key-rotation",
+ "name": "Automated key rotation",
+ "category": "preventive",
+ "status": "planned"
+ }
+ ],
+ "declarations": {
+ "claims": [
+ {
+ "bom-ref": "claim-encryption-at-rest",
+ "target": "control-encryption-at-rest",
+ "predicate": "All customer data volumes are encrypted at rest.",
+ "mitigationStrategies": [
+ "control-key-rotation"
+ ],
+ "reasoning": "Storage configuration exports show encryption enabled for all volumes. Key rotation is planned to address key-age findings in the evidence."
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/valid-control-full-2.0.json b/tools/src/test/resources/2.0/valid-control-full-2.0.json new file mode 100644
index 000000000..cfce551c0
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-control-full-2.0.json
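Review bot: The claim's `reasoning` cites "storage configuration exports" and "key-age findings in the evidence", but the claim carries no evidence or counter-evidence references, so a verifier has nothing to check against and the key-age finding — the part that undercuts the predicate — exists only as prose. If claims here keep the CDXA shape with `evidence`/`counterEvidence` arrays (not visible in this hunk), the configuration export belongs in `evidence` and the key-age finding in `counterEvidence`; otherwise the reasoning should not refer to evidence the document does not contain. Listing `control-key-rotation` with `"status": "planned"` under `mitigationStrategies` also needs a caveat: a planned control mitigates nothing today, so the predicate "All customer data volumes are encrypted at rest" rests on `control-encryption-at-rest` alone and the reasoning should say so explicitly.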
@@ -0,0 +1,107 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:1f8a6b2c-4e7d-4f0a-9c3b-8d5e2a7f6b41", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "component-authz-lib", + "name": "acme-authz", + "version": "3.2.1" + } + ], + "services": [ + { + "bom-ref": "service-payment-api", + "name": "Acme Payment API" + } + ], + "definitions": { + "requirements": [ + { + "bom-ref": "requirement-access-enforcement", + "id": "AC-3", + "name": "Access enforcement" + } + ] + }, + "controls": [ + { + "bom-ref": "control-rbac", + "name": "Role-based access control", + "description": "Enforces least-privilege access to the payment API.", + "category": "preventive", + "status": "verified", + "appliesTo": [ + "service-payment-api" + ], + "implementedBy": [ + "component-authz-lib" + ], + "satisfies": [ + "requirement-access-enforcement" + ], + "effectiveness": { + "percentage": 0.95, + "rating": "excellent" + }, + "owner": { + "roles": [ + { + "role": "owner" + } + ], + "organization": { + "name": "Acme Security Office" + } + }, + "externalReferences": [ + { + "type": "documentation", + "url": "https://docs.acme.example.com/controls/rbac" + } + ], + "properties": [ + { + "name": "internal:control-id", + "value": "CTRL-0042" + } + ] + } + ], + "threats": { + "threats": [ + { + "bom-ref": "threat-privilege-escalation", + "name": "Privilege escalation via the payment API", + "mitigations": [ + "control-rbac" + ] + } + ] + }, + "risks": { + "risks": [ + { + "bom-ref": "risk-unauthorized-payment", + "name": "Unauthorized payment initiation", + "statement": "An unauthorized actor initiates payments, resulting in financial loss.", + "responses": [ + { + "bom-ref": "response-enforce-rbac", + "strategy": "reduce", + "controls": [ + "control-rbac" + ], + "status": "implemented", + "effectiveness": { + "rating": "good" + } + } + ] + } + ] + } +} 
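Review bot: `"effectiveness": { "percentage": 0.95, "rating": "excellent" }` on `control-rbac` leaves the scale of `percentage` ambiguous — 0.95 is 95 % on a 0–1 scale and under 1 % on a 0–100 scale — and `response-enforce-rbac` later rates the same control only `"good"`, so the file's two judgements of one control disagree. Pick one scale for the example, state it in a `$comment` (this file has none), and either make the two ratings agree or explain why a risk response rates the control differently from the control itself. `component-authz-lib` is the sole `implementedBy` of a `verified` preventive control against privilege escalation but is identified only by name and version, with no `purl` or hashes, so the implementation cannot be pinned to an artifact; acceptable for a fixture, but worth a line in the same `$comment` so the example is not copied as-is into a real attestation.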
diff --git a/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json b/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json new file mode 100644
index 000000000..2294973e8
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json
@@ -0,0 +1,53 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:9b3d5e1f-7a2c-4d8b-b0e6-4f1a8c6d2e73",
+ "version": 1,
+ "definitions": {
+ "requirements": [
+ {
+ "bom-ref": "requirement-audit-logging",
+ "id": "AU-2",
+ "name": "Event logging"
+ }
+ ]
+ },
+ "controls": [
+ {
+ "bom-ref": "control-central-logging",
+ "name": "Centralized audit logging",
+ "category": "detective",
+ "status": "recommended",
+ "satisfies": [
+ "requirement-audit-logging"
+ ]
+ },
+ {
+ "bom-ref": "control-security-awareness",
+ "name": "Security awareness training",
+ "description": "Annual training for all personnel. Applies to the organization as a whole.",
+ "category": "deterrent",
+ "status": "implemented"
+ },
+ {
+ "bom-ref": "control-network-airgap",
+ "name": "Air-gapped deployment",
+ "category": "preventive",
+ "status": "rejected",
+ "description": "Declined. Operational cost outweighs the benefit; compensating controls cover the risk."
+ },
+ {
+ "bom-ref": "control-vendor-review",
+ "name": "Vendor security review",
+ "category": {
+ "name": "administrative",
+ "description": "Procedural controls executed by people rather than systems."
+ },
+ "status": {
+ "name": "piloting",
+ "description": "Operating for a subset of vendors before full rollout."
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-control-minimal-2.0.json b/tools/src/test/resources/2.0/valid-control-minimal-2.0.json new file mode 100644
index 000000000..a27773cb9
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-control-minimal-2.0.json
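Review bot: `control-network-airgap` is `rejected` with the rationale "compensating controls cover the risk", but nothing names those controls and the file declares no risk for them to cover, so the record a GRC reviewer most wants — which controls were accepted in place of the air gap — is missing. Naming them explicitly (a `properties` entry, or a description that cites `control-central-logging` and whatever else compensates) keeps the rejection auditable instead of a bare assertion. Note also that `control-central-logging` is only `"status": "recommended"` yet `satisfies` AU-2; if `satisfies` is a mapping rather than a statement that the requirement is met, a `$comment` saying so would stop readers from treating a recommended control as compliance evidence.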
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:7c0e4f3a-9d2b-4a1e-8f6c-2b5d9e7a4c10",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-mfa",
+ "name": "Multi-factor authentication"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json b/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json
new file mode 100644
index 000000000..a3facebbc
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json
@@ -0,0 +1,103 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:a1b2c3d4-0003-4abc-8def-1122334455cc",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "bp-core-logical",
+ "name": "Core logical and architecture model",
+ "modelTypes": [
+ "logical",
+ "architecture"
+ ],
+ "assets": [
+ {
+ "bom-ref": "asset-customer-service",
+ "type": "service",
+ "name": "Customer service"
+ },
+ {
+ "bom-ref": "asset-order-service",
+ "type": "service",
+ "name": "Order service"
+ }
+ ],
+ "relationships": [
+ {
+ "ref": "asset-order-service",
+ "dependsOn": [
+ "asset-customer-service"
+ ]
+ },
+ {
+ "ref": "asset-order-service",
+ "custom": [
+ {
+ "type": "invokes",
+ "targets": [
+ "asset-customer-service"
+ ],
+ "description": "A custom relationship kind for synchronous invocation."
+ }
+ ]
+ }
+ ],
+ "dataSets": [
+ {
+ "bom-ref": "ds-core",
+ "name": "Core entities",
+ "description": "Logical data model for customers and orders.",
+ "dataObjects": [
+ {
+ "bom-ref": "do-customer",
+ "name": "Customer",
+ "attributes": [
+ {
+ "bom-ref": "attr-customer-id",
+ "name": "id",
+ "key": "primary"
+ },
+ {
+ "name": "email",
+ "key": "unique"
+ }
+ ]
+ },
+ {
+ "bom-ref": "do-order",
+ "name": "Order",
+ "attributes": [
+ {
+ "bom-ref": "attr-order-id",
+ "name": "id",
+ "key": "primary"
+ },
+ {
+ "bom-ref": "attr-order-customerid",
+ "name": "customer_id",
+ "key": "foreign",
+ "references": "do-customer"
+ }
+ ],
+ "relationships": [
+ {
+ "bom-ref": "rel-order-customer",
+ "name": "placed by",
+ "target": "do-customer",
+ "cardinality": "many-to-one",
+ "sourceAttributes": [
+ "attr-order-customerid"
+ ],
+ "targetAttributes": [
+ "attr-customer-id"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json
new file mode 100644
index 000000000..01bb1fb28
--- /dev/null
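Review bot: This fixture, like the ai-bias and threatmodel fixtures that follow in this commit, omits the `"$schema"` key that the control and VEX fixtures set to `https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json`; the test harness presumably picks the schema by file name rather than by `$schema`, but mixing both conventions in one resources directory means a fixture could be checked against the wrong dialect if the harness is ever changed to honor `$schema`, so I would add `"$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",` as the first property here and in the other two. Separately, two entries in the blueprint-level `relationships` array carry the same `"ref": "asset-order-service"` (one with `dependsOn`, one with `custom`); if tooling treats `ref` as unique per blueprint this fixture would fail that check, and if duplicate refs are deliberately allowed, a dedicated fixture for that case would make the intent explicit instead of leaving it implicit in a file named for ERD relationships.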
+++ b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json 
@@ -0,0 +1,101 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:7c9e6679-7425-40de-944b-e07fc1f90ae7",
+ "version": 1,
+ "risks": {
+ "risks": [
+ {
+ "bom-ref": "risk-model-bias",
+ "name": "Disparate loan approval rates",
+ "statement": "The credit model may approve loans at materially different rates across demographic groups, leading to discriminatory outcomes.",
+ "description": "Identified during fairness evaluation of the underwriting model.",
+ "domains": [
+ { "type": "ethical" },
+ { "type": { "name": "model-governance", "description": "Risks specific to the organization's model governance program." } }
+ ],
+ "affects": [ "component-credit-model", "data-training-set", "party-loan-applicants" ],
+ "relatedThreats": [ "threat-data-poisoning" ],
+ "relatedWeaknesses": [ "weakness-training-imbalance" ],
+ "relatedRequirements": [ "requirement-fairness-conformance" ],
+ "relatedStandards": [ "standard-ai-governance" ],
+ "relatedClaims": [ "claim-fairness-partial" ],
+ "inherentRisk": {
+ "likelihood": {
+ "level": "high",
+ "probability": 0.7,
+ "timeframe": "P1Y",
+ "factors": [
+ { "name": "Training data imbalance", "type": "vulnerability", "level": "high" },
+ { "name": "Detection coverage", "type": "detectability", "level": "low" },
+ { "name": "Bespoke audit pressure", "type": { "name": "regulatory-scrutiny", "description": "Degree of active regulatory attention." }, "level": "medium" }
+ ],
+ "rationale": "Historical data is skewed and monitoring is limited."
+ },
+ "impact": {
+ "level": "major",
+ "polarity": "harm",
+ "categories": [ "bias", "discrimination", "human-rights", { "name": "brand-trust" } ],
+ "factors": [
+ { "name": "Discrimination harm", "category": "discrimination", "score": 8, "weight": 0.6 },
+ { "name": "Reputation damage", "category": "reputation", "score": 6, "weight": 0.4 }
+ ],
+ "range": { "minimum": 6, "mostLikely": 8, "maximum": 9 },
+ "quantification": {
+ "affectedGroups": 3,
+ "financialLossRange": { "minimum": 100000, "mostLikely": 500000, "maximum": 2000000 },
+ "currency": "USD"
+ },
+ "description": "Potential regulatory action and harm to affected applicants."
+ },
+ "score": { "level": "high", "score": 8, "methodology": "owasp-risk-rating" },
+ "detectability": { "score": 6, "description": "Bias surfaces only in aggregate metrics, so individual decisions are hard to flag." },
+ "confidence": 0.6,
+ "rationale": "Based on offline fairness metrics."
+ },
+ "residualRisk": {
+ "impact": { "level": "moderate", "polarity": "harm", "categories": [ "bias" ] },
+ "score": { "level": "medium" },
+ "confidence": 0.5
+ },
+ "responses": [
+ {
+ "bom-ref": "response-reweighting",
+ "strategy": "reduce",
+ "description": "Apply reweighting and fairness constraints, with ongoing monitoring.",
+ "controls": [ "requirement-fairness-threshold", "component-bias-monitor" ],
+ "status": { "name": "in-review", "description": "Pending sign-off from the model risk committee." },
+ "effectiveness": { "rating": "good", "percentage": 0.7 },
+ "cost": "medium",
+ "priority": "high",
+ "owner": "party-ml-team",
+ "targetDate": "2026-09-30T00:00:00Z"
+ }
+ ],
+ "status": "assessed",
+ "owner": "party-risk-office"
+ }
+ ],
+ "assessments": [
+ {
+ "bom-ref": "assessment-q2-2026",
+ "name": "Q2 2026 model risk review",
+ "type": [ "ai-impact", "model-risk" ],
+ "cadence": "periodic",
+ "timestamp": "2026-04-15T00:00:00Z",
+ "scope": "The credit underwriting model and its training pipeline.",
+ "status": "completed",
+ "assessors": [ "party-risk-office", "system-ccm-platform" ],
+ "summary": "Quarterly fairness and model risk review.",
+ "risks": [ "risk-model-bias" ],
+ "overallRisk": {
+ "method": "average",
+ "score": { "level": "high", "score": 8, "methodology": "owasp-risk-rating" }
+ },
+ "assumptions": [ "Training data distribution is representative of the applicant population." ],
+ "recommendations": [ "Expand monitoring to per-segment fairness metrics." ],
+ "nextReview": "2026-07-15T00:00:00Z"
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
new file mode 100644
index 000000000..d8d14f032
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
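Review bot: Most of the `bom-ref` targets in this fixture are not defined anywhere in the document — `component-credit-model`, `data-training-set`, `party-loan-applicants`, `threat-data-poisoning`, `weakness-training-imbalance`, `requirement-fairness-conformance`, `requirement-fairness-threshold`, `component-bias-monitor`, `party-ml-team`, `party-risk-office` and `system-ccm-platform` among them — whereas the first control fixture in this commit defines every element it references. JSON Schema validation cannot see a dangling reference, so the file passes today, but if the tools ever add a reference-integrity pass these fixtures will start failing for reasons unrelated to the risk schema they are meant to exercise; either add minimal stub entries (a `components`, `definitions` and party list) for the referenced elements, or name the file so that the dangling references are understood to be intentional. The threatmodel fixture that follows has the same gap (`party-attacker`, `vuln-weak-auth`, `asset-datastore`, `boundary-internet-dmz`, `risk-account-takeover`), so whichever option is chosen should be applied to both.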
@@ -0,0 +1,219 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "profiles": {
+ "threatProfiles": [
+ {
+ "bom-ref": "tp-apt",
+ "name": "Advanced persistent threat",
+ "sophistication": "advanced",
+ "resources": "substantial",
+ "skillSet": [
+ "malware-development",
+ "spear-phishing"
+ ]
+ }
+ ]
+ },
+ "threats": {
+ "methodologies": [ "STRIDE", "attack-tree" ],
+ "threats": [
+ {
+ "bom-ref": "threat-credential-theft",
+ "name": "Credential theft",
+ "description": "An adversary steals operator credentials to reach protected data.",
+ "source": "Internal threat-modelling workshop",
+ "categories": [
+ {
+ "taxonomy": "STRIDE",
+ "category": "spoofing"
+ },
+ {
+ "taxonomy": "MITRE-ATTACK",
+ "category": "credential-access"
+ }
+ ],
+ "weaknesses": [
+ {
+ "bom-ref": "wk-auth",
+ "name": "Single-factor operator authentication",
+ "description": "Operators authenticate to the console with a single factor."
+ }
+ ],
+ "attackPatterns": [
+ "ap-phishing"
+ ],
+ "attackTrees": [
+ "at-exfil"
+ ],
+ "abuseCases": [
+ "abuse-enumeration"
+ ],
+ "killChainPhase": "delivery",
+ "relatedVulnerabilities": [
+ "vuln-weak-auth"
+ ],
+ "affectedAssets": [
+ "asset-datastore"
+ ],
+ "relatedBusinessObjectives": [
+ "obj-protect-data"
+ ],
+ "mitigations": [
+ "req-mfa"
+ ]
+ }
+ ],
+ "scenarios": [
+ {
+ "bom-ref": "ts-credential-theft",
+ "name": "APT credential theft via spear phishing",
+ "description": "An advanced persistent threat phishes an operator to steal credentials and reach the data store.",
+ "threats": [
+ "threat-credential-theft"
+ ],
+ "actor": "party-attacker",
+ "threatProfile": "tp-apt",
+ "motivation": [
+ "financial",
+ "espionage"
+ ],
+ "intent": "targeted",
+ "accessLevel": "external",
+ "attackVector": {
+ "type": "network",
+ "complexity": "low",
+ "privileges": "none",
+ "userInteraction": "required"
+ },
+ "riskAttributes": [
+ "confidentiality",
+ "authentication"
+ ],
+ "affectedAssets": [
+ "asset-datastore"
+ ],
+ "relatedRisks": [
+ "risk-account-takeover"
+ ]
+ }
+ ],
+ "attackPatterns": [
+ {
+ "bom-ref": "ap-phishing",
+ "capecId": 98,
+ "name": "Phishing",
+ "description": "An adversary tricks a victim into performing an action or revealing information.",
+ "techniques": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "tactic": "initial-access"
+ }
+ ]
+ }
+ ],
+ "attackTrees": [
+ {
+ "bom-ref": "at-exfil",
+ "name": "Exfiltrate customer data",
+ "root": "atn-root",
+ "nodes": [
+ {
+ "bom-ref": "atn-root",
+ "name": "Exfiltrate customer PII",
+ "operator": "or",
+ "children": [
+ "atn-creds",
+ "atn-injection"
+ ]
+ },
+ {
+ "bom-ref": "atn-creds",
+ "name": "Steal operator credentials",
+ "operator": "or",
+ "skill": "intermediate",
+ "children": [
+ "atn-phishing",
+ "atn-stuffing"
+ ]
+ },
+ {
+ "bom-ref": "atn-phishing",
+ "name": "Spear phishing",
+ "attackPattern": "ap-phishing",
+ "cost": "low",
+ "detectability": "moderate"
+ },
+ {
+ "bom-ref": "atn-stuffing",
+ "name": "Credential stuffing",
+ "cost": "low",
+ "detectability": "high"
+ },
+ {
+ "bom-ref": "atn-injection",
+ "name": "Exploit injection",
+ "operator": "and",
+ "children": [
+ "atn-reach",
+ "atn-waf"
+ ]
+ },
+ {
+ "bom-ref": "atn-reach",
+ "name": "Reach the endpoint"
+ },
+ {
+ "bom-ref": "atn-waf",
+ "name": "Bypass the web application firewall"
+ }
+ ]
+ }
+ ],
+ "abuseCases": [
+ {
+ "bom-ref": "abuse-enumeration",
+ "name": "Bulk account enumeration",
+ "description": "The adversary enumerates valid accounts through repeated login attempts.",
+ "abuser": "party-attacker",
+ "realizes": [
+ "threat-credential-theft"
+ ],
+ "mainFlow": [
+ {
+ "number": 1,
+ "description": "The attacker submits many login attempts with candidate usernames."
+ }
+ ]
+ }
+ ],
+ "trustBoundaries": [
+ {
+ "bom-ref": "tb-internet-dmz",
+ "name": "Internet to DMZ",
+ "boundary": "boundary-internet-dmz",
+ "trustLevel": "untrusted"
+ }
+ ]
+ },
+ "definitions": {
+ "businessObjectives": [
+ {
+ "bom-ref": "obj-protect-data",
+ "name": "Protect customer data",
+ "criticality": "high"
+ }
+ ],
+ "requirements": [
+ {
+ "bom-ref": "req-mfa",
+ "id": "REQ-MFA-001",
+ "name": "Require multi-factor authentication for operators",
+ "priority": "high"
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json b/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json
new file mode 100644
index 000000000..0a61131a9
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:8d4f2a1b-6c3e-4b9d-a5f0-1e7c8b2d4a96",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "component-xml-parser",
+ "name": "acme-xml-parser",
+ "version": "2.4.0"
+ }
+ ],
+ "controls": [
+ {
+ "bom-ref": "control-waf",
+ "name": "Web application firewall",
+ "category": "preventive",
+ "status": "verified",
+ "appliesTo": [
+ "component-xml-parser"
+ ]
+ }
+ ],
+ "vulnerabilities": [
+ {
+ "bom-ref": "vuln-xxe",
+ "id": "CVE-2026-99999",
+ "analysis": {
+ "state": "not_affected",
+ "justification": "protected_by_mitigating_control",
+ "mitigatingControls": [
+ "control-waf"
+ ],
+ "detail": "External entity payloads are blocked at the perimeter before reaching the parser."
+ },
+ "affects": [
+ {
+ "ref": "component-xml-parser"
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
index 992629f5f..e78cced99 100644
--- a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
+++ b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
@@ -43,9 +43,15 @@
 "justification": "An optional reason for rating the vulnerability as it was"
 }
 ],
- "cwes": [
- 184,
- 502
+ "weaknesses": [
+ {
+ "bom-ref": "weakness-184",
+ "cweId": 184
+ },
+ {
+ "bom-ref": "weakness-502",
+ "cweId": 502
+ }
 ],
 "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.",
 "detail": "",
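Review bot: This fixture only exercises the positive shape of `"justification": "protected_by_mitigating_control"`; the case a validator most needs to reject is that justification with an empty or absent `mitigatingControls`, or one whose entry points at something that is not a control, and nothing on this page shows an `invalid-*` counterpart for it. If the schema enforces the pairing (for example with `if`/`then` keyed on the justification value) a negative fixture would pin that behavior in the tests; if it does not, this fixture documents a contract the schema cannot actually check, and consumers of a `not_affected` VEX statement would need to verify the linkage themselves. The linkage in the fixture itself is sound: `control-waf` has `appliesTo` set to the same `component-xml-parser` that the vulnerability's `affects` entry names, and the `detail` string explains why the control neutralizes the finding.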