From 9265fba1f965d4f905ab8f0612492b40fcdb5a60 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Wed, 9 Jul 2025 10:05:00 -0500
Subject: [PATCH 01/44] Initial commit
Signed-off-by: Steve Springett
---
 .../model/cyclonedx-threat-2.0.schema.json | 53 +++++
 .../model/cyclonedx-usecase-2.0.schema.json | 203 ++++++++++++++++++
 2 files changed, 256 insertions(+)
 create mode 100644 schema/2.0/model/cyclonedx-threat-2.0.schema.json
 create mode 100644 schema/2.0/model/cyclonedx-usecase-2.0.schema.json
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
new file mode 100644
index 000000000..062a8cd50
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -0,0 +1,53 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-threat-2.0.schema.json", + "type": "null", + "title": "CycloneDX Transparency Expression Language: Threat", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "$defs": { + "riskAttributes": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a threat is realised. These attributes help identify what is at risk, and can also be used to prioritise which attributes are most important to protect for a given application, system, or threat model.", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorised access to or disclosure of information.", + "connectivity": "Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data_subject_rights": "Guaranteeing 
individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } + } + } +} \ No newline at end of file diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json new file mode 100644 index 000000000..8a024e243 --- /dev/null +++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json 
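Review bot: The root of the threat schema declares `"type": "null"`, so a document validated against this file as a whole is rejected unless it is the literal `null`; if the file is meant only as a `$defs` container, drop the `type` keyword rather than leave a root that can never match a real threat object. The `riskAttributes` enum mixes conventions that will be hard to change once they are the wire contract: `non-repudiation` uses a hyphen while `data_subject_rights` and `purpose_limitation` use underscores, and `minimisation` sits next to `authorization`, so settle on one separator and one spelling (e.g. `non_repudiation`, `minimization`) before this ships. `$id` is `http://localhost:8080/...`, which is also the base against which relative `$ref`s in this schema family (such as `cyclonedx-common-2.0.schema.json#/$defs/refType` in the requirement file) resolve; a validator configured to fetch remote references would take whatever answers on localhost:8080 at validation time as the schema, so this placeholder should become the canonical published id before release. The file also ends without a trailing newline.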
@@ -0,0 +1,203 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-usecase-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Use Case", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "type": "string", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name or title of the use case." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the use case." + }, + "actors": { + "type": ,"array", + "title": "Actors", + "description": "The stakeholders or users who interact with the system in this use case.", + "items": { + "type": "string" + } + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "description": "Conditions that must be true before the use case can be executed.", + "items": { + "type": "string" + } + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "description": "Conditions that will be true after the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "description": "The primary sequence of steps that describe the use case.", + "items": { + "$ref": "#/$defs/step" + } + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "description": "Alternative sequences of steps that may occur in the use case.", + "items": { + "$ref": "#/$defs/flow" + } + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "description": "Error scenarios that may occur during the execution of the use case.", + "items": 
{ + "$ref": "#/$defs/exception" + } + }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "description": "Criteria that determine whether the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "notes": { + "type": "array", + "title": "Notes", + "description": "Additional information or comments about the use case.", + "items": { + "type": "string" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/property" + } + } + }, + "$defs": { + "step": { + "type": "object", + "title": "Step", + "description": "A single step in a use case flow.", + "additionalProperties": false, + "properties": { + "number": { + "type": "integer", + "title": "Number", + "description": "The sequence number of the step." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the step." + }, + "actor": { + "type": "string", + "title": "Actor", + "description": "The actor who performs this step." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "A sequence of steps in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the flow." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the flow." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this alternative flow is executed." 
+ }, + "steps": { + "type": "array", + "title": "Steps", + "description": "The sequence of steps in the flow.", + "items": { + "$ref": "#/$defs/step" + } + } + } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error scenario in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the exception." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the exception." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this exception occurs." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "How the exception is handled." + } + } + }, + "property": { + "type": "object", + "title": "Property", + "description": "A name-value property.", + "additionalProperties": false, + "required": [ + "name", + "value" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } + } + } +} From 513ef741ae0e3e19f296cf2d52860a790850e7c9 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 23 Jul 2025 10:00:04 -0500 Subject: [PATCH 02/44] Added requirement prototype Signed-off-by: Steve Springett --- .../cyclonedx-requirement-2.0.schema.json | 281 ++++++++++++++++++ 1 file changed, 281 insertions(+) create mode 100644 schema/2.0/model/cyclonedx-requirement-2.0.schema.json diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json new file mode 100644 index 000000000..743f99ecb --- /dev/null +++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json 
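Review bot: The use-case root is `"type": "object"` with `additionalProperties: false` but no `required`, so an empty `{}` is a valid use case; at minimum `"required": ["name"]` should be added, and `step.number` would benefit from `"minimum": 1` since a sequence number of 0 or negative has no meaning here. As rendered here, `actors` reads `"type": ,"array"`, which is not valid JSON — if that is in the committed file rather than a rendering artifact, the whole schema fails to load and the intended line is `"type": "array",`. The root's `additionalProperties: false` also prevents this schema from being extended by composition: the blueprint schema later in this series wraps a `$ref` to this file in an `allOf` and adds `assets`, `flows` and `requirements`, and with the root closed here any use case carrying those keys is rejected; either define those properties in this file or leave the root open and have the composing schema close it with `unevaluatedProperties: false`. Finally, `bom-ref` is a bare `string` here while the requirement schema references `cyclonedx-common-2.0.schema.json#/$defs/refType`, so the two files will not enforce the same identifier constraints.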
@@ -0,0 +1,281 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/cyclonedx-requirement-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Engineering Requirement", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "additionalProperties": false, + "$defs": { + "requirement": { + "type": "object", + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." + }, + "name": { + "type": "string", + "title": "Name", + "description": "A short name or title for the requirement." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." + }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." 
+ }, + "stakeholders": { + "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", + "items": { + "type": "string" + } + }, + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/acceptanceCriterion" + } + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", + "items": { + "$ref": "#/$defs/dependency" + } + }, + "parent": { + "type": "string", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." + }, + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." + }, + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." + }, + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + "performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the 
system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." 
+ } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { + "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." + }, + "status": { + "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", + "enum": [ + "pending", + "passed", + "failed" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", + "additionalProperties": false, + "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." + } + } + } + } +} From 83ce9d0284376b58e2ab156a00744e9cfbe5aab9 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 2 Sep 2025 21:58:18 -0500 Subject: [PATCH 03/44] Initial checkin of blueprint and threat model support 
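Review bot: `dependency.ref` points at `#/definitions/refLinkType` and `#/definitions/bomLinkElementType`, but this file uses `$defs` and defines neither name, so any requirement that carries a `dependencies` entry fails with an unresolvable `$ref` rather than a validation result; they should presumably follow `bom-ref` and `attachments` in this same file and reference the common schema, e.g. `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"` and `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"`. `dependency` also has no `required`, so `{}` is an acceptable dependency; `"required": ["ref"]` would make the relationship meaningful. The file root is `"type": "object"` with `additionalProperties: false` and no `properties`, which means only `{}` validates at the root — acceptable if only `#/$defs/requirement` is ever referenced, but then the root `type`/`additionalProperties` are misleading and should be dropped. `parent` is a plain `string` while `bom-ref` uses `refType`, so a parent reference is not held to the same identifier rules as the thing it references.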
Signed-off-by: Steve Springett
---
 .../model/cyclonedx-blueprint-2.0.schema.json | 1235 +++++++++++++++++
 .../model/cyclonedx-common-2.0.schema.json | 87 +-
 .../2.0/model/cyclonedx-risk-2.0.schema.json | 669 +++++++++
 .../model/cyclonedx-threat-2.0.schema.json | 806 ++++++++++-
 .../2.0/valid-threatmodel-simple-2.0.json | 25 +
 5 files changed, 2772 insertions(+), 50 deletions(-)
 create mode 100644 schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
 create mode 100644 schema/2.0/model/cyclonedx-risk-2.0.schema.json
 create mode 100644 tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
new file mode 100644
index 000000000..d8c7dc5df
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -0,0 +1,1235 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json", + "type": "object", + "title": "CycloneDX Transparency Expression Language: Blueprint", + "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": ["modelTypes", "methodologies"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "modelTypes": { + "type": "array", + "minItems": 1, + "description": "The types of models being represented", + "items": { + "$ref": "#/$defs/modelType" + } + }, + "methodologies": { + "type": "array", + "minItems": 1, + "description": "The modeling methodologies used", + "items": { + "$ref": "#/$defs/methodology" + } + }, + "perspectives": { + "type": "array", + "description": "Different viewpoints or perspectives used in the model analysis", + "items": { + "$ref": "#/$defs/perspective" + } + }, + "metadata": { + "$ref": "#/$defs/blueprintMetadata" + }, + "scope": { + "$ref": "#/$defs/scope" + }, + "assets": { + "type": "array", + "items": { + "$ref": "#/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model" + }, + "zones": { + "type": "array", + "items": { + "$ref": "#/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "assumptions": { + "type": "array", + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "visualizations": { + "type": "array", + "items": { + "$ref": 
"#/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "items": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-usecase-2.0.schema.json" + }, + { + "properties": { + "assets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets involved in this use case" + }, + "flows": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to flows that are part of this use case" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirements implemented by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model" + }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + }, + "description": "External references related to the blueprint" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + }, + "description": "Additional properties and extensions" + } + }, + "$defs": { + "modelType": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "process", + "deployment", + "network", + "threat", + "risk", + "privacy", + "operational", + "conceptual", + "logical", + "physical", + "behavioral", + "structural" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "dataFlow": "Data flow model showing how data moves 
through the system", + "process": "Business or system process model", + "deployment": "Deployment or infrastructure model", + "network": "Network topology or connectivity model", + "threat": "Security threat model", + "risk": "Risk assessment model", + "privacy": "Privacy impact assessment model", + "operational": "Operational model", + "conceptual": "High-level conceptual model", + "logical": "Logical system model", + "physical": "Physical infrastructure model", + "behavioral": "System behavior model", + "structural": "System structure model" + } + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom model type name" + }, + "description": { + "type": "string", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "oneOf": [ + { + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "C4", + "UML", + "TOGAF", + "Archimate", + "BPMN", + "DFD", + "ERD", + "4+1", + "Zachman", + "SABSA", + "DODAF", + "MODAF", + "NAF", + "Kruchten", + "IDEF", + "SysML", + "STRIDE", + "PASTA", + "LINDDUN", + "OCTAVE", + "ISO27005", + "NIST", + "FAIR" + ], + "meta:enum": { + "C4": "C4 Model for software architecture", + "UML": "Unified Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "Archimate": "Enterprise architecture modeling language", + "BPMN": "Business Process Model and Notation", + "DFD": "Data Flow Diagrams", + "ERD": "Entity Relationship Diagrams", + "4+1": "4+1 Architectural View Model", + "Zachman": "Zachman Framework", + "SABSA": "Sherwood Applied Business Security Architecture", + "DODAF": "Department of Defense Architecture Framework", + "MODAF": "Ministry of Defence Architecture Framework", + "NAF": "NATO Architecture Framework", + "Kruchten": "Kruchten's 4+1 View Model", + "IDEF": "Integration Definition Methods", + "SysML": 
"Systems Modeling Language", + "STRIDE": "Microsoft's threat modeling methodology", + "PASTA": "Process for Attack Simulation and Threat Analysis", + "LINDDUN": "Privacy threat modeling methodology", + "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", + "ISO27005": "ISO/IEC 27005 Information security risk management", + "NIST": "NIST Risk Management Framework", + "FAIR": "Factor Analysis of Information Risk" + } + }, + "version": { + "type": "string", + "description": "Version of the methodology" + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Custom methodology name" + }, + "version": { + "type": "string", + "description": "Version of the methodology" + }, + "description": { + "type": "string", + "description": "Description of the custom methodology" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + } + ] + }, + "perspective": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the perspective" + }, + "type": { + "type": "string", + "enum": [ + "business", + "technical", + "user", + "operational", + "development", + "architectural", + "functional", + "informational", + "contextual", + "conceptual", + "logical", + "physical", + "security", + "compliance", + "risk", + "stakeholder", + "custom" + ], + "meta:enum": { + "business": "Business stakeholder perspective", + "technical": "Technical implementation perspective", + "user": "End user or customer perspective", + "operational": "Operations and maintenance perspective", + "development": "Software development perspective", + "architectural": "System architecture perspective", + "functional": "Functional requirements 
perspective", + "informational": "Information and data perspective", + "contextual": "Business context perspective", + "conceptual": "High-level conceptual perspective", + "logical": "Logical design perspective", + "physical": "Physical implementation perspective", + "security": "Security perspective", + "compliance": "Regulatory compliance perspective", + "risk": "Risk management perspective", + "stakeholder": "General stakeholder perspective", + "custom": "Custom or other perspective" + } + }, + "name": { + "type": "string", + "description": "Name of the perspective" + }, + "description": { + "type": "string", + "description": "Detailed description of the perspective and its focus" + }, + "role": { + "type": "string", + "description": "The role or persona associated with this perspective" + }, + "objectives": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary objectives or goals from this perspective" + }, + "concerns": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Primary concerns from this perspective" + }, + "viewpoint": { + "type": "string", + "description": "The architectural viewpoint this perspective represents" + }, + "scope": { + "type": "string", + "description": "The scope of this perspective" + }, + "properties": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" + } + } + } + }, + "blueprintMetadata": { + "type": "object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was created or last updated" + }, + "authors": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" + }, + "reviewer": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the 
blueprint" + }, + "reviewDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was reviewed" + }, + "approver": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" + }, + "approvalDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was approved" + }, + "ordinalVersion": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/validityPeriod" + } + } + }, + "validityPeriod": { + "type": "object", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "format": "date-time", + "description": "When the blueprint becomes valid" + }, + "end": { + "type": "string", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + } + } + }, + "scope": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the scope" + }, + "description": { + "type": "string", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", + "items": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "asset": { + "type": "object", + "required": ["bom-ref", "type", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the asset" + }, + "componentRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { + "type": "string", + "enum": [ + "component", + "service", + "dataStore", + "data", + "actor", + "process", + "infrastructure", + "device", + "network", + "container", + "function", + "api", + "queue", + "stream", + "system", + "subsystem", + "module", + "interface", + "endpoint", + "resource" + ], + "meta:enum": { + "component": "Software component or application", + "service": "Service or microservice", + "dataStore": "Database, file system, or data repository", + "data": "Data asset or dataset", + "actor": "User, system, or external entity", + "process": "Business or system process", + "infrastructure": "Infrastructure component", + "device": "Physical or IoT device", + "network": "Network segment or resource", + "container": "Container or orchestration unit", + "function": "Serverless function or lambda", + "api": "API endpoint or interface", + "queue": "Message queue or event bus", + "stream": "Data stream or event stream", + "system": "Complete system or application", + "subsystem": "Part of a larger system", + "module": "Software module or package", + "interface": "System interface or contract", + "endpoint": "Service endpoint or URL", + "resource": "Generic resource or artifact" 
+ } + }, + "name": { + "type": "string", + "description": "Name of the asset" + }, + "description": { + "type": "string", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/assetClassification" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Generic attributes or tags for the asset" + }, + "responsibilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "items": { + "$ref": "#/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to use cases that involve this asset" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "$ref": "#/$defs/authorizationType", + "description": "Authorization model used" + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "ownership": { + "$ref": "#/$defs/ownership" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "interface": { + "type": "object", 
+ "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the interface" + }, + "type": { + "type": "string", + "enum": ["rest", "graphql", "grpc", "soap", "messaging", "file", "database", "cli", "gui", "api", "event", "stream"], + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "operations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Operations or methods exposed" + } + } + }, + "zone": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the zone" + }, + "description": { + "type": "string", + "description": "Description of the zone's characteristics" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "physical", "logical", "deployment", "organizational", "functional", "security"], + "meta:enum": { + "trust": "Security trust zone", + "network": "Network segmentation zone", + "physical": "Physical location or boundary", + "logical": "Logical grouping or boundary", + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "organizational": "Organizational or administrative boundary", + "functional": "Functional grouping", + "security": "Security zone or perimeter" + } + }, + "parent": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" + }, + "characteristics": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" + }, + "constraints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Constraints or limitations of this zone" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "boundary": { + "type": "object", + "required": ["bom-ref", "zones"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the boundary" + }, + "type": { + "type": "string", + "enum": ["trust", "network", "process", "data", "physical", "organizational", "functional"], + "meta:enum": { + "trust": "Trust boundary between different security zones", + "network": "Network boundary or firewall", + "process": "Process or execution boundary", + "data": "Data classification boundary", + "physical": "Physical security boundary", + "organizational": "Organizational boundary", + "functional": "Functional boundary" + } + }, + "zones": { + "type": "array", + "minItems": 2, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "The zones this boundary connects or separates" + }, + "crossingRequirements": { + "$ref": "#/$defs/crossingRequirements" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "crossingRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" + }, + "authorization": { + "$ref": "#/$defs/authorizationType", + "description": "Authorization model at this boundary" + 
}, + "dataValidation": { + "type": "boolean", + "description": "Whether data is validated when crossing this boundary" + }, + "dataTransformation": { + "type": "boolean", + "description": "Whether data is transformed when crossing this boundary" + }, + "encryption": { + "$ref": "#/$defs/encryptionType", + "description": "Encryption requirements for crossing this boundary" + }, + "logging": { + "type": "boolean", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "description": "Whether crossings are monitored" + }, + "rateLimit": { + "type": "string", + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" + } + } + }, + "flow": { + "type": "object", + "required": ["bom-ref", "name", "source", "destination", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or description of the flow" + }, + "description": { + "type": "string", + "description": "Detailed description of what flows and why" + }, + "type": { + "type": "string", + "enum": ["data", "control", "process", "message", "event", "dependency", "interaction"], + "meta:enum": { + "data": "Data or information flow", + "control": "Control or command flow", + "process": "Business process flow", + "message": "Message or communication flow", + "event": "Event or notification flow", + "dependency": "Dependency relationship", + "interaction": "User or system interaction" + } + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the source asset" + }, + "destination": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "default": false, + "description": 
"Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { + "type": "string", + "description": "Expected volume or frequency of flow" + }, + "timing": { + "type": "string", + "description": "Timing characteristics (real-time, batch, scheduled)" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Format of data in the flow" + }, + "classification": { + "$ref": "#/$defs/dataClassification" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assumption": { + "type": "object", + "required": ["description"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": { + "type": "string", + "description": "The assumption being made" + }, + "category": { + "type": "string", + "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"], + "description": "Category of the assumption" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this assumption relates to" + }, + "validity": { + "type": "string", + "enum": ["unknown", "verified", "unverified", "invalid"], + "default": "unknown", + "description": "Whether the assumption has been validated" + }, + "impact": { + "type": "string", + "description": "Impact if this assumption proves false" + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who owns or is responsible for this assumption" + }, + "validationMethod": { + 
"type": "string", + "description": "How this assumption can be validated" + }, + "validationDate": { + "type": "string", + "format": "date-time", + "description": "When the assumption was last validated" + } + } + }, + "visualization": { + "type": "object", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or title of the visualization" + }, + "description": { + "type": "string", + "description": "Description of what the visualization shows" + }, + "type": { + "type": "string", + "enum": [ + "architecture", + "dataFlow", + "sequence", + "state", + "deployment", + "network", + "process", + "useCase", + "component", + "class", + "entity", + "activity", + "collaboration", + "context", + "container", + "code" + ], + "meta:enum": { + "architecture": "System architecture diagram", + "dataFlow": "Data flow diagram (DFD)", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "deployment": "Deployment or infrastructure diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "useCase": "Use case diagram", + "component": "Component diagram", + "class": "Class or object diagram", + "entity": "Entity relationship diagram", + "activity": "Activity or workflow diagram", + "collaboration": "Collaboration diagram", + "context": "Context diagram", + "container": "Container diagram (C4)", + "code": "Code structure diagram" + } + }, + "format": { + "type": "string", + "enum": ["mermaid", "graphviz", "plantuml", "drawio", "svg", "png", "jpeg", "d3", "cytoscape", "visio", "archimate"], + "meta:enum": { + "mermaid": "Mermaid diagram language", + "graphviz": "GraphViz DOT language", + "plantuml": "PlantUML diagram language", + "drawio": "Draw.io/diagrams.net format", + "svg": "Scalable Vector Graphics", + "png": "Portable Network Graphics", + "jpeg": 
"JPEG image format", + "d3": "D3.js visualization", + "cytoscape": "Cytoscape graph format", + "visio": "Microsoft Visio format", + "archimate": "ArchiMate model format" + } + }, + "content": { + "type": "string", + "description": "The diagram content (source code or base64 encoded image)" + }, + "url": { + "type": "string", + "format": "iri-reference", + "description": "URL to the diagram if stored externally" + }, + "level": { + "type": "string", + "enum": ["overview", "high", "medium", "detailed"], + "description": "Level of detail in the visualization" + }, + "perspective": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the perspective this visualization represents" + }, + "elements": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to elements shown in this visualization" + }, + "interactive": { + "type": "boolean", + "description": "Whether the visualization is interactive" + }, + "layers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Layers or views available in the visualization" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assetClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality" + }, + "sensitivity": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/dataSensitivity" + }, + "dataClassification": { + "$ref": "#/$defs/dataClassification" + }, + "tier": { + "type": "string", + "enum": ["tier0", "tier1", "tier2", "tier3", "tier4"], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } + }, + "categories": { + "type": "array", + 
"items": { + "type": "string" + }, + "description": "Business or technical categories" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" + } + } + }, + "dataClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "sensitivity": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/dataSensitivity" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "handling": { + "type": "string", + "description": "Data handling requirements" + }, + "retention": { + "type": "string", + "description": "Data retention requirements" + }, + "disposal": { + "type": "string", + "description": "Data disposal requirements" + }, + "regulations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Applicable regulations" + } + } + }, + "ownership": { + "type": "object", + "additionalProperties": false, + "properties": { + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" + }, + "steward": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" + }, + "custodian": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" + }, + "users": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Primary users of the asset" + } + } + }, + "authenticationType": { + "type": "string", + "enum": [ + "none", + "basic", + "bearer", + "digest", + "certificate", + "apiKey", + "oauth1", + "oauth2", + "openIdConnect", + "saml", + "kerberos", + "ntlm", + "jwt", + "custom" + ], + "description": "Authentication method", + "meta:enum": { + "none": "No authentication required", + "basic": "Basic 
authentication (username/password)",
+ "bearer": "Bearer token authentication",
+ "digest": "Digest authentication",
+ "certificate": "Certificate-based authentication",
+ "apiKey": "API key authentication",
+ "oauth1": "OAuth 1.0 authentication",
+ "oauth2": "OAuth 2.0 authentication",
+ "openIdConnect": "OpenID Connect authentication",
+ "saml": "SAML authentication",
+ "kerberos": "Kerberos authentication",
+ "ntlm": "NTLM authentication",
+ "jwt": "JSON Web Token authentication",
+ "custom": "Custom authentication method"
+ }
+ },
+ "authorizationType": {
+ "type": "string",
+ "enum": ["none", "acl", "rbac", "abac", "mac", "dac", "pbac", "cbac", "custom"],
+ "description": "Authorization model",
+ "meta:enum": {
+ "none": "No authorization controls",
+ "acl": "Access Control Lists",
+ "rbac": "Role-Based Access Control",
+ "abac": "Attribute-Based Access Control",
+ "mac": "Mandatory Access Control",
+ "dac": "Discretionary Access Control",
+ "pbac": "Policy-Based Access Control",
+ "cbac": "Claims-Based Access Control",
+ "custom": "Custom authorization model"
+ }
+ },
+ "encryptionType": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "inTransit": {
+ "type": "boolean",
+ "description": "Whether data is encrypted in transit"
+ },
+ "atRest": {
+ "type": "boolean",
+ "description": "Whether data is encrypted at rest"
+ },
+ "inProcessing": {
+ "type": "boolean",
+ "description": "Whether data is encrypted during processing"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json
index dfa83ebf0..e158505ee 100644
--- a/schema/2.0/model/cyclonedx-common-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json
@@ -392,6 +392,12 @@
 }
 }
 },
+ "organizationalEntityOrContact": {
+ "oneOf": [
+ { "$ref": "#/$defs/organizationalEntity" },
+ { "$ref": "#/$defs/organizationalContact" }
+ ]
+ },
 "properties": {
 "type": "array",
 "title": "Properties",
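Review bot: `organizationalEntityOrContact` is a `oneOf` over `#/$defs/organizationalEntity` and `#/$defs/organizationalContact`, and `oneOf` fails whenever an instance matches both branches; neither referenced definition is visible in this hunk, but in earlier CycloneDX schemas both accept `bom-ref` and `name`, so a minimal value like `{"name": "Acme"}` would be rejected. Either change `"oneOf"` to `"anyOf"`, or keep `oneOf` and make the branches disjoint with a `required` property that only one side has. The new definition also lacks the `title`/`description` its neighbouring `$defs` carry; suggest adding `"title": "Organizational Entity or Contact", "description": "Either an organization or an individual contact."`.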
@@ -458,12 +464,81 @@
 "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
 "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
 },
-
-
-
-
-
-
+ "ordinalVersion": {
+ "title": "Ordinal Version",
+ "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.",
+ "type": "string",
+ "pattern": "^\\d+(\\.\\d+)*$",
+ "examples": [
+ "1",
+ "1.2",
+ "1.2.3",
+ "2025.09.02",
+ "10.4.7.3"
+ ]
+ },
+ "lifecycle": {
+ "type": "object",
+ "title": "Lifecycle",
+ "description": "The product lifecycle(s) that this BOM represents.",
+ "oneOf": [
+ {
+ "title": "Pre-Defined Phase",
+ "required": ["phase"],
+ "additionalProperties": false,
+ "properties": {
+ "phase": {
+ "type": "string",
+ "title": "Phase",
+ "description": "A pre-defined phase in the product lifecycle.",
+ "enum": [
+ "design",
+ "pre-build",
+ "build",
+ "post-build",
+ "operations",
+ "discovery",
+ "decommission"
+ ],
+ "meta:enum": {
+ "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.",
+ "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.",
+ "build": "BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.",
+ "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.",
+ "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.",
+ "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.",
+ "decommission": "BOM containing inventory that will be, or has been retired from operations."
+ }
+ }
+ }
+ },
+ {
+ "title": "Custom Phase",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the lifecycle phase"
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the lifecycle phase"
+ }
+ }
+ }
+ ]
+ },
+ "lifecycles": {
+ "type": "array",
+ "title": "Lifecycles",
+ "description": "Lifecycles communicate the stage(s) in which data was captured. 
Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
+ "items": {
+ "$ref": "#/$defs/lifecycle"
+ }
+ },
 "commit": {
 "type": "object",
 "title": "Commit",
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
new file mode 100644
index 000000000..0e07128f9
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
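Review bot: The `ordinalVersion` pattern `^\\d+(\\.\\d+)*$` accepts leading zeros (the example `2025.09.02` depends on that), yet the description promises "straightforward comparison and sorting"; `1.09` and `1.9` are equal as integer sequences but distinct as strings, so consumers will order them differently depending on whether they compare segments numerically or lexically. Either state the rule in the description, e.g. `"Segments are compared as unsigned integers; leading zeros are permitted and carry no meaning."`, or tighten the pattern to `^(0|[1-9]\\d*)(\\.(0|[1-9]\\d*))*$` and drop the `2025.09.02` example. A `maxLength` on `ordinalVersion` would also be worth adding, since the pattern admits arbitrarily long strings that every version-sorting consumer must then parse.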
@@ -0,0 +1,669 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-risk-2.0.schema.json",
+ "type": "object",
+ "title": "CycloneDX Transparency Expression Language: Risk",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"
+ },
+ "domains": {
+ "type": "array",
+ "description": "Risk domains covered by this assessment",
+ "items": {
+ "$ref": "#/$defs/riskDomain"
+ }
+ },
+ "scenarios": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/scenario"
+ },
+ "description": "Risk scenarios identified"
+ },
+ "mitigations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/mitigation"
+ },
+ "description": "Controls, countermeasures, or mitigations to address identified risks"
+ },
+ "assessments": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/assessment"
+ },
+ "description": "Risk assessments and evaluations"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ },
+ "$defs": {
+ "riskDomain": {
+ "type": "object",
+ "required": ["type"],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "security",
+ "privacy",
+ "operational",
+ "financial",
+ "compliance",
+ "strategic",
+ "reputational",
+ "safety",
+ "environmental",
+ "supply_chain",
+ "technical",
+ "project"
+ ],
+ "meta:enum": {
+ "security": "Information security and cybersecurity risks",
+ "privacy": "Data protection and privacy risks",
+ "operational": "Business operations and continuity risks",
+ "financial": "Financial loss and economic impact risks",
+ "compliance": "Regulatory and legal compliance risks",
+ "strategic": "Strategic business and market 
risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain" + } + } + }, + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": "Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, 
correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the risk scenario" + }, + "description": { + "type": "string", + "description": "Detailed description of the scenario" + }, + "type": { + "type": "string", + "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], + "meta:enum": { + "threat": "Security threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk (opportunity)", + "hazard": "Safety hazard scenario" + } + }, + "domain": { + "$ref": "#/$defs/riskDomain" + }, + "category": { + "type": "string", + "description": "Category or classification of the scenario" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + 
}, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to affected assets" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "likelihood": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], + "description": "Likelihood level", + "meta:enum": { + "veryLow": "Very unlikely to occur (< 10%)", + "low": "Unlikely to occur (10-30%)", + "medium": "Possible to occur (30-60%)", + "high": "Likely to occur (60-90%)", + "veryHigh": "Very likely to occur (> 90%)", + "certain": "Will certainly occur (100%)" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "impact": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["negligible", "low", "moderate", "high", "severe", "catastrophic"], + "description": "Impact severity level", + "meta:enum": { + "negligible": 
"Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "high": "Significant impact with serious consequences", + "severe": "Severe impact with critical consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" + }, + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" + }, + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" + }, + "downtime": { + "type": "string", + 
"pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" + }, + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" + }, + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" + } + } + }, + "riskScore": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } + }, + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric risk score" + }, + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" + }, + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" + } + } + }, + "mitigation": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the mitigation" + }, + "description": { + "type": "string", + "description": "Description of what the mitigation does" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another 
party", + "accept": "Accept the risk", + "control": "Preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Protective measure", + "practice": "Risk management practice", + "procedure": "Documented procedure" + } + }, + "strategy": { + "type": "string", + "enum": ["prevent", "detect", "respond", "recover"], + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "extreme"], + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } + }, + "addresses": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this mitigation addresses" + }, + "implementedBy": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets that implement this mitigation" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "effectiveness": { + "type": "object", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 100, + "description": "Effectiveness as percentage" + }, + "rating": { + "type": "string", + "enum": ["ineffective", "marginal", "adequate", "good", "excellent"], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } + } + } + }, + "assessment": { + "type": "object", + "required": ["bom-ref", "type", "timestamp"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "type": { + "type": "string", + "enum": ["initial", "periodic", "continuous", "triggered"], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" + }, + "assessor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" + }, + "summary": { + "type": "string", + "description": "Executive summary of the assessment" + }, + "findings": { + "type": "array", + "items": { + "$ref": "#/$defs/finding" + }, + "description": "Specific findings from the assessment" + }, + "overallRisk": { + "$ref": "#/$defs/riskScore", + "description": "Overall risk score/level" + }, + "recommendations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next 
review should occur" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "finding": { + "type": "object", + "required": ["title", "severity"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "title": { + "type": "string", + "description": "Title of the finding" + }, + "description": { + "type": "string", + "description": "Detailed description of the finding" + }, + "severity": { + "$ref": "#/$defs/severity" + }, + "relatedScenarios": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Scenarios related to this finding" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this finding" + }, + "remediation": { + "type": "string", + "description": "Recommended remediation" + }, + "status": { + "type": "string", + "enum": ["open", "inProgress", "resolved", "accepted"], + "meta:enum": { + "open": "Finding is open and unaddressed", + "inProgress": "Remediation is in progress", + "resolved": "Finding has been resolved", + "accepted": "Risk has been accepted" + } + } + } + }, + "priority": { + "type": "string", + "enum": ["none", "low", "medium", "high", "critical"], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Severity level", + "meta:enum": { + "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity 
issue" + } + }, + "criticality": { + "type": "string", + "enum": ["minimal", "low", "moderate", "high", "critical"], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" + } + }, + "dataSensitivity": { + "type": "string", + "enum": ["public", "internal", "confidential", "restricted", "secret"], + "description": "Data sensitivity classification", + "meta:enum": { + "public": "Public information that can be freely shared", + "internal": "Internal use only within the organization", + "confidential": "Confidential information requiring protection", + "restricted": "Highly restricted information with limited access", + "secret": "Secret information requiring special handling" + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index 062a8cd50..51d3173ef 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json 
@@ -1,52 +1,770 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "http://localhost:8080/schema/2.0/cyclonedx-threat-2.0.schema.json", - "type": "null", + "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-threat-2.0.schema.json", + "type": "object", "title": "CycloneDX Transparency Expression Language: Threat", "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", "$defs": { - "riskAttributes": { - "type": "string", - "description": "A classification of security and privacy attributes that represent potential impact areas when a threat is realised. These attributes help identify what is at risk, and can also be used to prioritise which attributes are most important to protect for a given application, system, or threat model.", - "enum": [ - "accountability", - "authentication", - "authorization", - "authenticity", - "availability", - "compliance", - "confidentiality", - "connectivity", - "control", - "data_subject_rights", - "integrity", - "minimisation", - "non-repudiation", - "possession", - "privacy", - "purpose_limitation", - "transparency", - "utility" - ], - "meta:enum": { - "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", - "authentication": "Verifying the identity of users, devices, or systems before granting access.", - "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", - "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", - "availability": "Ensuring systems, data, and services are accessible and operational when needed.", - "compliance": "Adherence to applicable laws, regulations, policies, and standards.", - "confidentiality": "Preventing unauthorised access to or disclosure of information.", - "connectivity": "Maintaining secure and reliable communication between systems or components.", - "control": "Enabling individuals 
to manage how their personal data is used and shared.", - "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", - "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.", - "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", - "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", - "possession": "Ensuring control or custody over data or assets, regardless of ownership.", - "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", - "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", - "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", - "utility": "Ensuring data is usable and in a format suitable for the intended purpose." 
+ "threatScenario": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/scenario" + }, + { + "properties": { + "threatCategory": { + "type": "string", + "description": "Threat category based on methodology (e.g., STRIDE category)" + }, + "threatActor": { + "$ref": "#/$defs/threatActorProfile" + }, + "attackVector": { + "$ref": "#/$defs/attackVector" + }, + "attackPattern": { + "$ref": "#/$defs/attackPatternReference" + }, + "weakness": { + "$ref": "#/$defs/weaknessReference" + }, + "exploitability": { + "$ref": "#/$defs/exploitability" + }, + "indicators": { + "$ref": "#/$defs/indicators" + }, + "killChainPhase": { + "type": "string", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target", + "weaponization": "Creating malicious payloads", + "delivery": "Transmitting weapon to target", + "exploitation": "Exploiting vulnerabilities", + "installation": "Installing malware or backdoors", + "command-and-control": "Establishing C2 channel", + "actions-on-objectives": "Achieving attack goals" + } + }, + "technicalImpact": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "unauthorized-access", + "data-breach", + "data-corruption", + "service-disruption", + "privilege-escalation", + "code-execution", + "information-disclosure", + "denial-of-service" + ] + } + } + } + } + ] + }, + "threatActor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier of the threat actor" + }, + "description": { + "type": "string", + "description": "Description of the threat actor" + }, + "type": { + "type": "string", + "enum": ["individual", "group", 
"organization", "nation-state", "unknown"], + "meta:enum": { + "individual": "Individual threat actor", + "group": "Organized group or collective", + "organization": "Corporate or criminal organization", + "nation-state": "Nation-state sponsored actor", + "unknown": "Unknown threat actor type" + } + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Known aliases or alternative names" + }, + "profile": { + "$ref": "#/$defs/threatActorProfile" + }, + "observedTTPs": { + "type": "array", + "items": { + "$ref": "#/$defs/ttp" + }, + "description": "Observed tactics, techniques, and procedures" + }, + "attributedAttacks": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Attacks attributed to this actor" + }, + "targeting": { + "$ref": "#/$defs/targeting" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "threatActorProfile": { + "type": "object", + "additionalProperties": false, + "properties": { + "sophistication": { + "type": "string", + "enum": ["none", "minimal", "intermediate", "advanced", "expert"], + "meta:enum": { + "none": "No technical sophistication", + "minimal": "Script kiddie level", + "intermediate": "Intermediate technical skills", + "advanced": "Advanced persistent threat", + "expert": "Nation-state level capabilities" + } + }, + "motivation": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ] + }, + "description": "Primary motivations" + }, + "capability": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "significant", "advanced"], + "description": "Overall capability level" + }, + "intent": { + "type": "string", + "enum": ["accidental", "opportunistic", "targeted", 
"persistent"], + "description": "Intent level" + }, + "resources": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"], + "description": "Resource availability" + }, + "accessLevel": { + "type": "string", + "enum": ["none", "external", "internal", "privileged", "physical"], + "description": "Level of access to target systems" + }, + "skillSet": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific skills possessed" + } + } + }, + "attackVector": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["network", "adjacent", "local", "physical"], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } + }, + "complexity": { + "type": "string", + "enum": ["low", "high"], + "description": "Attack complexity" + }, + "privileges": { + "type": "string", + "enum": ["none", "low", "high"], + "description": "Privileges required" + }, + "userInteraction": { + "type": "string", + "enum": ["none", "required"], + "description": "User interaction requirement" + }, + "scope": { + "type": "string", + "enum": ["unchanged", "changed"], + "description": "Scope impact" + } + } + }, + "attackPattern": { + "type": "object", + "required": ["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { + "type": "string", + "description": "Name of the attack pattern" + }, + "description": { + "type": "string", + "description": "Description of the attack pattern" + }, + "severity": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/severity" + }, + "likelihood": { + "type": "string", + "enum": 
["low", "medium", "high"], + "description": "Likelihood of this pattern being used" + }, + "prerequisites": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Prerequisites for the attack" + }, + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/technique" + }, + "description": "Techniques used in the attack" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" + } + } + }, + "attackPatternReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not referencing internal pattern" + }, + "customization": { + "type": "string", + "description": "How this pattern is customized for the specific scenario" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" + }, + "name": { + "type": "string", + "description": "Name of the technique" + }, + "tactic": { + "type": "string", + "description": "Associated tactic" + }, + "procedure": { + "type": "string", + "description": "Specific procedure" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } + }, + "weakness": { + "type": "object", + "required": ["bom-ref"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" + }, + "name": { + "type": "string", + "description": 
"Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": ["pillar", "class", "base", "variant", "compound"], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": ["primary", "resultant", "indirect"], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": ["trivial", "easy", "moderate", "difficult", "impractical"], + "description": "Difficulty of exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" + } + } + }, + "weaknessReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "weaknessRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to weakness" + }, + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { + "type": "string", + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["theoretical", "proof-of-concept", "functional", "weaponized"], + "meta:enum": { + 
"theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } + }, + "complexity": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "very-high"], + "description": "Complexity to exploit" + }, + "skillRequired": { + "type": "string", + "enum": ["none", "basic", "intermediate", "advanced", "expert"], + "description": "Skill level required" + }, + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { + "type": "string", + "description": "Estimated time to develop exploit" + }, + "reliability": { + "type": "string", + "enum": ["unreliable", "occasional", "reliable", "highly-reliable"], + "description": "Reliability of exploitation" + }, + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of compromise" + }, + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" + }, + "behavioral": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Behavioral indicators" + }, + "signatures": { + "type": "array", + "items": { + "$ref": "#/$defs/signature" + }, + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": ["type", "value"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["yara", "snort", "regex", "hash", "behavior"], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": 
"Description of what the signature detects" + }, + "confidence": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Confidence level of detection" + } + } + }, + "ttp": { + "type": "object", + "additionalProperties": false, + "properties": { + "tactic": { + "type": "string", + "description": "High-level tactic" + }, + "technique": { + "$ref": "#/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" + } + } + }, + "tool": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Tool name" + }, + "type": { + "type": "string", + "enum": ["exploit", "scanner", "fuzzer", "proxy", "framework", "custom"], + "description": "Type of tool" + }, + "version": { + "type": "string", + "description": "Tool version" + }, + "capabilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted sectors or industries" + }, + "regions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted geographic regions" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" + } + } + }, + "detectionMethod": { + "type": "object", + "required": ["method"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + 
"enum": ["static-analysis", "dynamic-analysis", "penetration-test", "code-review", "architecture-review", "automated-scan"], + "description": "Detection method type" + }, + "description": { + "type": "string", + "description": "Description of the detection method" + }, + "effectiveness": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Effectiveness of the method" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools that implement this method" + } + } + }, + "securityPolicy": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Policy name" + }, + "type": { + "type": "string", + "enum": ["access-control", "data-protection", "network-security", "application-security", "operational-security", "compliance"], + "description": "Type of security policy" + }, + "description": { + "type": "string", + "description": "Policy description" + }, + "requirements": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" + }, + "enforcement": { + "type": "string", + "enum": ["mandatory", "recommended", "optional"], + "description": "Enforcement level" + }, + "appliesTo": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this policy applies to" + }, + "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" + } + } + }, + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-blueprint-2.0.schema.json#/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": ["untrusted", "semi-trusted", "trusted", "highly-trusted"], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": 
"#/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] + }, + "boundarySecurityRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authenticationStrength": { + "type": "string", + "enum": ["none", "weak", "moderate", "strong", "very-strong"], + "description": "Required authentication strength" + }, + "authorizationGranularity": { + "type": "string", + "enum": ["coarse", "medium", "fine", "very-fine"], + "description": "Authorization granularity required" + }, + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { + "type": "string", + "enum": ["none", "basic", "detailed", "comprehensive"], + "description": "Level of auditing required" + }, + "dataValidationRules": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Data validation rules at boundary" + } } } } diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json new file mode 100644 index 000000000..88724de3f --- /dev/null +++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json 
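Review bot: `threatScenario` composes `cyclonedx-risk-2.0.schema.json#/$defs/scenario` with a second `properties` subschema under `allOf`, but neither branch closes the object: if `scenario` is declared with `"additionalProperties": false` like the other object definitions in this file, the extension keys (`threatCategory`, `threatActor`, `attackVector`, …) fail validation against the base, and if it is not, misspelt keys are silently accepted. Since the dialect is draft 2020-12 the fix is to keep both branches open and add `"unevaluatedProperties": false` next to the `allOf` on `threatScenario`; `trustBoundary`, composed the same way over `cyclonedx-blueprint-2.0.schema.json#/$defs/boundary`, needs the same treatment. `$id` still resolves to `http://localhost:8080/...`, presumably a placeholder, so a validator following the cross-file `$ref`s will try to fetch that host unless every schema is preloaded. Enum values mix kebab-case (`command-and-control`, `proof-of-concept`, `very-high`) with the camelCase used elsewhere in the model (`inProgress`, `veryLow`), and `technicalImpact` is the only enum here without a `meta:enum` block. The description of `signature.value` should say the value is opaque text, since a consumer that compiles a `regex` or `yara` entry straight from an untrusted document needs its own size and time limits.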
@@ -0,0 +1,25 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "metadata": {
+
+ },
+ "threatModel": {
+ // References the threat model schema
+ "modelTypes": [{"type": "threat"}],
+ "methodologies": [{"type": "STRIDE"}],
+ "domains": [{"type": "security"}],
+
+ // Blueprint elements
+ "assets": [...],
+ "zones": [...],
+ "boundaries": [...],
+ "flows": [...],
+
+ // Threat-specific elements
+ "scenarios": [...],
+ "threatActors": [...],
+ "mitigations": [...],
+ "assessments": [...]
+ }
+}
\ No newline at end of file
From f4d10d4b8ee55e9b694869754bb8bee9d812edab Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Wed, 29 Oct 2025 09:54:28 -0500 Subject: [PATCH 04/44] Adding threat models Signed-off-by: steve.springett --- .../cyclonedx-2.0-prototype.json | 71 + .../hashicorp-vault-threat-model.json | 1258 +++++++++++++++++ 2 files changed, 1329 insertions(+) create mode 100644 tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json create mode 100644 tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
new file mode 100644
index 000000000..e36ec28ab
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json
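Review bot: `valid-threatmodel-simple-2.0.json` is not parseable JSON — it contains `//` comments and `[...]` placeholders — so a test that loads it with a strict parser fails before schema validation starts, despite the `valid-` prefix. Either replace the placeholders with minimal conforming values (`"assets": []`, and so on) and drop the comments, or rename the file so it is not collected as a positive case; it also lacks a trailing newline. `modelTypes`, `methodologies` and `domains` are arrays of `{"type": ...}` objects here, while the prototype fixture added later in the series (`cyclonedx-2.0-prototype.json`) uses plain string arrays for the same keys, so one of the two shapes should be settled before the schema is exercised against both.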
@@ -0,0 +1,71 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-1",
+ "blueprintMetadata":{
+ "timestamp": "2025-09-12T15:42:30Z",
+ "authors": [],
+ "reviewers": [],
+ "reviewDate": "2025-09-03",
+ "approvers": [],
+ "approvalDate": "2025-09-12",
+ "ordinalVersion": "1.0",
+ "lifecycles": [
+ {
+ "phase": "operations"
+ }
+ ],
+ "validityPeriod": {
+ "start": "",
+ "end": "",
+ "reviewFrequency": "P3M"
+ }
+ },
+ "modelTypes": [
+ "threat",
+ "dataFlow",
+ "logical"
+ ],
+ "methodologies": [
+ "STRIDE",
+ "LINDDUN"
+ ],
+ "perspectives": [
+ {
+ "bom-ref": "perspective-1",
+ "type": "security",
+ "name": "",
+ "role": "Security Architect",
+ "objectives": [],
+ "concerns": [],
+ "viewpoint": ""
+ ],
+ "scope": {
+ "bom-ref": "scope-1",
+ "name": "HashiCorp Vault",
+ "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. 
Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer",
+ "$comment": "Business criticality, data sensitivity, and tier are defined on the individual assets. Exposure is not defined yet.",
+ "boundaries": [],
+ "includedComponents": [],
+ "excludedComponents": []
+
+ },
+ "visualizations": [
+
+ ],
+ "externalReferences": [
+ {
+ "type": "documentation",
+ "url": "https://developer.hashicorp.com/vault/docs"
+ },
+ {
+ "type": "vcs",
+ "url": "https://github.com/hashicorp/vault"
+ }
+ ]
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
new file mode 100644
index 000000000..d549195a3
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
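Review bot: The `perspectives` entry is never closed — `"viewpoint": ""` is followed directly by `],` with no `}` — and the brace count balances only through what looks like a stray second `}` after the `externalReferences` array, so the prototype is not valid JSON and will fail any parse or schema check; the fix is to close the object before the array (`"viewpoint": ""` / `}` / `],`) and drop the extra `}` near the end. `modelTypes` and `methodologies` are bare strings here (`"threat"`, `"STRIDE"`) whereas `valid-threatmodel-simple-2.0.json` in the earlier patch uses `[{"type": "threat"}]`; the two fixtures should agree on one shape before the schema is frozen. `validityPeriod.start`/`end`, `name` and `viewpoint` are empty-string placeholders that a `format`- or `pattern`-constrained schema will also reject; omitting those keys until values are known is the safer choice.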
@@ -0,0 +1,1258 @@ +{ + "$schema": "https://github.com/OWASP/www-project-threat-model-library/blob/v1.0.1/threat-model.schema.json", + "version": "1.0", + "scope": { + "title": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. 
This threat model involves an AWS deployment with k8s and a load balancer", + "business_criticality": "high", + "data_sensitivity": [ + "biz", + "cred", + "pii" + ], + "exposure": "internal", + "tier": "mission_critical" + }, + "description": "Enterprise secrets management and cryptographic services for applications and operators.", + "frozen": false, + "release_docs_link": "https://developer.hashicorp.com/vault/docs", + "reviewed_at": "2025-09-03", + "repo_link": "https://github.com/hashicorp/vault", + "diagrams": [ + { + "title": "AWS Deployment with K8s and a load balancer","type": "mermaid", + "source": "flowchart LR; AU[\"App User\"]; DEV[\"Developer\"]; PE[\"Platform Engineer\"]; APP1[\"Client Application (App 1)\"]; CLI[\"Vault CLI / API Client\"]; subgraph VPC[\"Internal AWS VPC\"]; direction LR; VPN[\"VPN Gateway (AWS SSO)\"]; LB[\"AWS Load Balancer\"]; subgraph EKS[\"EKS Cluster\"]; direction TB; APISERVER[\"Kubernetes API Server\"]; subgraph NS[\"K8s Namespace: vault\"]; direction LR; SVC[\"K8s Service: vault-internal\"]; SVC_EP[\"Service Endpoint\"]; subgraph VAULT[\"Vault HA Deployment (StatefulSet)\"]; direction LR; V1[\"Vault Pod 1 (Active)\"]; V2[\"Vault Pod 2 (Standby)\"]; V3[\"Vault Pod 3 (Standby)\"]; API[\"Vault API (:8200)\"]; AUTH[\"Vault Auth Methods\"]; SE[\"Vault Secret Engines\"]; AUDDEV[\"Vault Audit Devices\"]; subgraph RAFT[\"Integrated Storage (Raft :8201 mTLS)\"]; R1[\"Raft Peer (Pod 1)\"]; R2[\"Raft Peer (Pod 2)\"]; R3[\"Raft Peer (Pod 3)\"]; end; end; end; end; KMS[\"Vault Auto-Unseal (Cloud KMS)\"]; end; AU -->|Login/API| APP1; APP1 -- \"TLS :8200\" --> LB; DEV -->|\"VPN + AWS SSO\"| VPN; PE -->|\"VPN + AWS SSO\"| VPN; DEV -->|\"Uses Vault CLI\"| CLI; PE -->|\"Uses Vault CLI\"| CLI; CLI -->|\"Tunnel via VPN\"| VPN; VPN -->|\"Forward to VPC\"| LB; CLI -- \"TLS :8200 (via VPN)\" --> LB; VPN -. 
\"kubectl (AWS SSO)\" .-> APISERVER; LB -->|\"TLS :8200\"| SVC_EP; SVC_EP --> V1; SVC_EP --> V2; SVC_EP --> V3; V1 --- API; V2 --- API; V3 --- API; API --> AUTH; API --> SE; API --> AUDDEV; V1 --- R1; V2 --- R2; V3 --- R3; R1 <-->|\"Raft :8201 mTLS\"| R2; R1 <-->|\"Raft :8201 mTLS\"| R3; R2 <-->|\"Raft :8201 mTLS\"| R3; VAULT -. \"Auto-Unseal\" .-> KMS;" + } + ], + "trust_zones": [ + { + "symbolic_name": "public", + "title": "Public Internet Zone", + "description": "External clients and actors including applications, CI/CD pipelines, and operators that connect to Vault over TLS (8200)." + }, + { + "symbolic_name": "aws-vpc", + "title": "Internal AWS VPC", + "description": "Private AWS VPC hosting the EKS cluster and load balancer. Provides network isolation and segmentation for Vault components." + }, + { + "symbolic_name": "eks-cluster", + "title": "EKS Cluster Zone", + "description": "Amazon EKS cluster providing the orchestration environment for Vault pods and services." + }, + { + "symbolic_name": "k8s-namespace-vault", + "title": "Vault Kubernetes Namespace", + "description": "Dedicated Kubernetes namespace (`vault`) that contains the Vault StatefulSet, Service, and Raft integrated storage peers." 
+ } + ], + "trust_boundaries": [ + { + "trust_zone_a": "public-internet", + "trust_zone_b": "aws-vpc", + "access_control_methods": [ + "acl", + "rbac" + ], + "authentication_methods": [ + "public_key", + "token", + "sso" + + ] + }, + { + "trust_zone_a": "aws-vpc", + "trust_zone_b": "eks-cluster", + "access_control_methods": [ + "rbac", + "acl" + ], + "authentication_methods": [ + "public_key" + ] + }, + { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault", + "access_control_methods": [ + "rbac", + "acl", + "mac" + ], + "authentication_methods": [ + "token" + ] + } + ], + "actors": [ + { + "symbolic_name": "platform-engineer", + "title": "Platform Engineer", + "description": "Responsible for deploying, operating, and maintaining the Vault cluster. Manages HA configuration, upgrades, storage backends, and operational tasks like initialization, unseal, and monitoring.", + "type": "engineer", + "permissions": "Deploy and upgrade Vault; configure Raft or Consul storage; perform initialization and unseal operations; enable/disable auth and secrets engines; monitor health and performance.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "developer", + "title": "Application Developer", + "description": "A developer who builds and maintains applications that consume secrets from Vault. In this scenario, developers also have access to the Kubernetes cluster where Vault is deployed, as well as Vault audit logs. 
This gives them significant power to access, modify, and observe secret-related operations.", + "type": "engineer", + "permissions": "Push and retrieve secrets; configure application roles for development; read Vault audit logs; access the Kubernetes cluster including the Vault namespace, which may allow tampering with Vault pods, services, or Raft storage.", + "trust_zone": "aws-vpc" + }, + + { + "symbolic_name": "app-user", + "title": "End User of Client Application", + "description": "An end user (internal employee or external customer) who interacts with an application that relies on Vault for secrets management or cryptographic operations.", + "type": "user", + "permissions": "Indirect access to Vault-protected resources through the client application; cannot interact with Vault directly.", + "trust_zone": "public" + } + ], + "components": [ + { + "symbolic_name": "client-app-1", + "title": "Client Application (App 1)", + "description": "External application that end users interact with. 
Relies on Vault for secrets or cryptographic operations.", + "trust_zone": "public-internet" + }, + { + "symbolic_name": "vpn-gateway", + "title": "VPN Gateway", + "description": "Provides secure entry for engineers and developers into the AWS VPC hosting Vault.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "aws-lb", + "title": "AWS Load Balancer", + "description": "DMZ load balancer that forwards client requests over TLS to the Vault Kubernetes Service endpoint.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "eks-cluster", + "title": "Amazon EKS Cluster", + "description": "Managed Kubernetes control plane and worker nodes that run the Vault namespace.", + "trust_zone": "eks-cluster" + }, + { + "symbolic_name": "k8s-service-vault-internal", + "title": "Kubernetes Service: vault-internal", + "description": "Cluster-internal service endpoint that routes traffic from the AWS Load Balancer to Vault pods.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-ha-statefulset", + "title": "Vault HA Deployment (StatefulSet)", + "description": "Vault pods (1 active leader, 2 standbys) running in high availability mode and exposing the Vault API.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-auth-methods", + "title": "Vault Authentication Methods", + "description": "Pluggable authentication backends (e.g., AppRole, Kubernetes, AWS IAM, OIDC) that validate identities and issue scoped Vault tokens.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-secret-engines", + "title": "Vault Secret Engines", + "description": "Pluggable backends for secrets management and cryptographic operations, including KV, PKI, Transit, Database, and dynamic secrets engines.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": 
"vault-audit-devices", + "title": "Vault Audit Devices", + "description": "Configured audit sinks (file, syslog, socket, etc.) that record all requests and responses for security and compliance monitoring.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-cli", + "title": "Vault CLI / API Client", + "description": "The Vault command-line interface and HTTP API used by engineers and automation tools to interact with Vault.", + "trust_zone": "public-internet-client-zone", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-auto-unseal", + "title": "Vault Auto-Unseal (Cloud KMS Integration)", + "description": "Integration with external Key Management Services (AWS KMS, GCP KMS, Azure Key Vault) to automate the unseal process.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-api", + "title": "Vault API", + "description": "The HTTP API exposed by Vault pods on port 8200. Provides entry points to authentication methods, secret engines, and application endpoints.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + } + ], + "data_stores": [ + { + "symbolic_name": "vault-raft-storage", + "title": "Vault Integrated Storage (Raft)", + "description": "Embedded Raft storage peers that persist encrypted Vault data. 
Provides replication and consensus across Vault pods.", + "type": "key_value", + "vendor": "HashiCorp", + "product": "Vault Raft Storage", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-audit-logs", + "title": "Vault Audit Logs", + "description": "Audit device output streams (file, syslog, socket) that contain records of every Vault request and response for compliance and monitoring.", + "type": "object", + "vendor": "HashiCorp", + "product": "Vault Audit Devices", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "cloud-kms", + "title": "Cloud KMS for Auto-Unseal", + "description": "External Key Management Service used by Vault for auto-unseal operations and master key encryption.", + "type": "key_value", + "vendor": "AWS", + "product": "AWS KMS", + "trust_zone": "aws-vpc" + } + ], + "data_sets": [ + { + "symbolic_name": "vault-secrets", + "title": "Vault Stored Secrets", + "description": "Static and dynamic secrets stored and managed within Vault, including credentials, API keys, and tokens. 
Encrypted at rest within the Raft storage backend.", + "placements": [ + { + "data_store": "vault-raft-storage", + "encrypted": true + } + ], + "record_count": 5000, + "data_sensitivity": [ + "cred", + "pii", + "biz" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-audit-records", + "title": "Vault Audit Log Records", + "description": "Detailed records of Vault API requests and responses, containing metadata on who accessed what, when, and how.", + "placements": [ + { + "data_store": "vault-audit-logs", + "encrypted": false + } + ], + "record_count": 1000000, + "data_sensitivity": [ + "biz", + "pii" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-unseal-keys", + "title": "Vault Master Key and Unseal Keys", + "description": "Key shares or cloud KMS-encrypted master keys used for unsealing Vault and securing the root of trust.", + "placements": [ + { + "data_store": "cloud-kms", + "encrypted": true + } + ], + "record_count": 5, + "data_sensitivity": [ + "cred" + ], + "access_control_methods": [ + "acl", + "rbac" + ] + } + ], + "data_flows": [ + { + "symbolic_name": "developer-to-cli", + "title": "Developer to Vault CLI", + "description": "Developer issues commands to the local Vault CLI binary, which acts as the client interface to Vault.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": "platform-engineer-to-cli", + "title": "Platform Engineer to Vault CLI", + "description": "Platform Engineer issues commands to the local Vault CLI binary for managing Vault operations and configurations.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": 
"app-user-to-client-app", + "title": "App User to Client Application", + "description": "An end user interacts with the client-facing application, which relies on Vault for secrets or cryptographic operations.", + "source": { + "type": "actor", + "object": "app-user" + }, + "destination": { + "type": "component", + "object": "client-app-1" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "client-app-to-aws-lb", + "title": "Client Application to AWS Load Balancer", + "description": "Client Application (App 1) sends requests to Vault via the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "client-app-1" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "cli-to-vpn", + "title": "Vault CLI to VPN Gateway", + "description": "Vault CLI tunnels traffic through the VPN Gateway, which enforces AWS SSO before allowing access into the VPC.", + "source": { + "type": "component", + "object": "vault-cli" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vpn-to-aws-lb", + "title": "VPN Gateway to AWS Load Balancer", + "description": "VPN Gateway forwards authenticated engineer traffic (AWS SSO) into the VPC, delivering Vault CLI/API requests to the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "vpn-gateway" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "aws-lb-to-eks", + "title": "AWS Load Balancer to EKS Cluster", + "description": "The Load Balancer forwards TLS :8200 traffic into the EKS cluster.", + "source": { + "type": "component", + "object": "aws-lb" + }, + "destination": { + "type": "component", + "object": "eks-cluster" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "k8s-service-to-vault-ha", + "title": "Kubernetes Service to Vault HA StatefulSet", + "description": "The Service load balances requests to Vault pods.", + "source": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "destination": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "eks-cluster-to-k8s-service", + "title": "EKS Cluster to Kubernetes Service (vault-internal)", + "description": "EKS networking routes traffic internally to the cluster Service endpoint for Vault.", + "source": { + "type": "component", + "object": "eks-cluster" + }, + "destination": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-vault-api", + "title": "Vault Pod to Vault API", + "description": "Requests arriving at a Vault pod are handled by the Vault API listener on :8200.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-api" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-auth", + "title": "Vault API to Auth Methods", + "description": "Login requests (/auth/*) dispatched to configured authentication backends.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-auth-methods" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-secrets", + "title": "Vault API to Secret Engines", + "description": "Secret read/write and cryptographic operations routed to secrets engines.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-secret-engines" + }, + "has_sensitive_data": true, + "encrypted": 
true + }, + { + "symbolic_name": "vault-api-to-audit", + "title": "Vault API to Audit Devices", + "description": "Vault writes request/response metadata to audit devices (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-audit-devices" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-core-to-raft", + "title": "Vault Core to Raft Storage", + "description": "Vault Core persists encrypted state via the storage barrier into Integrated Storage (Raft).", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-auto-unseal", + "title": "Vault to Auto-Unseal Integration", + "description": "Vault contacts the Cloud KMS integration to decrypt master key material during startup/unseal.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-auto-unseal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Audit devices append structured records to the audit log store.", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "auto-unseal-to-cloud-kms", + "title": "Auto-Unseal to Cloud KMS", + "description": "Auto-unseal integration calls Cloud KMS to decrypt the master key material.", + "source": { + "type": "component", + "object": "vault-auto-unseal" + }, + "destination": { + "type": "data_store", + "object": "cloud-kms" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "developer-to-vpn", + "title": "Developer to VPN (AWS SSO)", + "description": "Developer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "platform-engineer-to-vpn", + "title": "Platform Engineer to VPN (AWS SSO)", + "description": "Platform Engineer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "vault-audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Vault pods (audit devices) write structured audit records to the audit log store (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-developer", + "title": "Developer reads Vault Audit Logs", + "description": "Developer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-platform-engineer", + "title": "Platform Engineer reads Vault Audit Logs", + "description": "Platform Engineer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault 
pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage", + "title": "Developer reads Raft Storage", + "description": "Developer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage-platform-engineer", + "title": "Platform Engineer reads Raft Storage", + "description": "Platform Engineer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + } + ], + "assumptions": [ + { + "description": "All communication between clients, load balancers, Kubernetes services, and Vault pods occurs over TLS (8200).", + "validity": "confirmed" + }, + { + "description": "Vault Raft storage is encrypted at rest by the Vault barrier, and requires master key material (from KMS or Shamir unseal) for decryption.", + "validity": "confirmed" + }, + { + "description": "Vault pods run inside a dedicated Kubernetes namespace with RBAC, NetworkPolicies, and IAM roles scoped to the namespace.", + "validity": "confirmed" + }, + { + "description": "VPN gateway enforces AWS SSO authentication for Developers and Platform Engineers before they can access the AWS VPC and EKS cluster.", + "validity": "confirmed" + 
}, + { + "description": "Cloud KMS (AWS KMS) keys used for auto-unseal are properly scoped and only accessible by Vault service accounts.", + "validity": "confirmed" + }, + { + "description": "Audit devices are configured and cannot be disabled without privileged administrator actions.", + "validity": "confirmed" + }, + { + "description": "Developers and Platform Engineers with kubectl access could bypass the Vault API to access logs and storage directly, introducing insider risk.", + "validity": "confirmed" + }, + { + "description": "Raft replication between Vault pods uses mutual TLS on port 8201 with certificate pinning/verification.", + "validity": "confirmed" + }, + { + "description": "VPN Gateway enforces AWS SSO (MFA) for Developers and Platform Engineers before access to the VPC and EKS control plane.", + "validity": "confirmed" + }, + { + "description": "EKS API access requires VPN + SSO and is logged; direct Internet access to the cluster or nodes is blocked.", + "validity": "confirmed" + } + ], + "threat_personas": [ + { + "symbolic_name": "darius", + "title": "Darius the Compromised / Malicious Developer", + "description": "An insider developer whose account or workstation is compromised (or who has turned malicious). Has kubectl access to the EKS cluster and can read Vault audit logs and pod files. Could exfiltrate secrets, tamper with Raft storage, or disable/modify logging.", + "is_person": true, + "skill_level": "engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "high" + }, + { + "symbolic_name": "sofia", + "title": "Sofia the Rogue Platform Engineer", + "description": "An insider with elevated privileges over Vault’s deployment, networking, and storage backends. 
Capable of modifying StatefulSets, Service configurations, or intercepting API traffic.", + "is_person": true, + "skill_level": "expert_engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "low" + }, + { + "symbolic_name": "li-wei", + "title": "Li Wei the External Attacker", + "description": "An attacker on the public Internet attempting to exploit misconfigurations, weak authentication methods, or exposed APIs to gain unauthorized access to Vault.", + "is_person": true, + "skill_level": "script_kid", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "giovanni", + "title": "Giovanni the Curious Administrator", + "description": "A well-meaning but overcurious administrator who inspects Vault audit logs or Raft storage beyond their intended duties, creating insider risk without direct malicious intent.", + "is_person": true, + "skill_level": "insider", + "access_level": "admin", + "malicious_intent": false, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "alejandra", + "title": "Alejandra the OC-Sponsored Operator", + "description": "An operator working on behalf of organized crime (ransomware/credential resale). 
Skilled at exploiting exposed services, social engineering, and purchasing insider access; targets Vault to harvest credentials and secrets for monetization.", + "is_person": true, + "skill_level": "oc_sponsored", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "high" + } + ], + "threats": [ + { + "symbolic_name": "insider-exfiltrate-secrets-via-kubectl", + "title": "Insider exfiltrates secrets and configuration via kubectl (pod exec / file copy)", + "description": "A developer or platform engineer with kubectl access execs into Vault pods or mounts pod volumes to read Raft storage files and configuration, allowing exfiltration of encrypted state and metadata which can be used for offline attacks or tampering.", + "threat_persona": "darius", + "event": "unauthorized data exfiltration / tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 284, + "cwe_title": "Improper Access Control" + }, + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "insider-read-tamper-audit-logs", + "title": "Insider reads or tampers with audit logs", + "description": "An actor with cluster access directly reads Vault audit files or streams pod logs (kubectl logs). 
They can exfiltrate sensitive audit trails, or delete/modify logs to remove traces of malicious activity.", + "threat_persona": "darius", + "event": "information disclosure / evidence tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "rogue-platform-tamper-ha-config", + "title": "Rogue platform engineer tampers with Vault deployment to cause DoS or capture secrets", + "description": "A platform engineer modifies StatefulSet, Service, or network rules (or injects sidecars) to disrupt Vault availability (DoS), redirect traffic to a malicious endpoint, or capture secrets in transit.", + "threat_persona": "sofia", + "event": "denial of service / credential capture / traffic interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 210, + "capec_title": "Abuse Existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 732, + "cwe_title": "Incorrect Permission Assignment for Critical Resource" + }, + { + "cwe_id": 269, + "cwe_title": "Improper Privilege Management" + } + ] + }, + { + "symbolic_name": "compromised-workload-abuse-auth", + "title": "Compromised workload abuses auth (Kubernetes/AppRole/IAM) to exfiltrate secrets and access various services with these secrets", + "description": "A compromised application or CI job uses stolen credentials, stolen service account tokens, or abused auth bindings to obtain Vault tokens, then reads secrets or requests dynamic credentials beyond its intended scope.", + "threat_persona": "li-wei", + "event": "unauthorized secret access", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 555, + "capec_title": "Remote Services with Stolen Credentials" + } + ], + "weaknesses": [ + { + "cwe_id": 287, + "cwe_title": "Improper 
Authentication" + }, + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "exposed-raft-port-remote-attack", + "title": "Exposed Raft/consensus ports allow remote access to storage", + "description": "If Raft ports (8201) or the pod network are exposed outside the cluster/VPC, an attacker could discover services, attempt to join/replicate, extract data, or cause cluster instability.", + "threat_persona": "li-wei", + "event": "confidentiality breach / data exfiltration / cluster compromise", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 310, + "capec_title": "Scanning for Vulnerable Software" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "lb-tls-mitm-or-termination-misconfig", + "title": "TLS termination/misconfiguration at Load Balancer leads to MITM or credential leak", + "description": "If the AWS Load Balancer is misconfigured (terminates TLS without re-encrypting, or uses an untrusted certificate), an attacker or compromised LB control plane could intercept or tamper with Vault API traffic.", + "threat_persona": "alejandra", + "event": "man-in-the-middle / data interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 117, + "capec_title": "Interception" + } + ], + "weaknesses": [ + { + "cwe_id": 295, + "cwe_title": "Improper Certificate Validation" + } + ] + }, + { + "symbolic_name": "vault-availability-failure", + "title": "Loss of availability of secret material due to failure", + "description": "Failures in cluster nodes, Raft replication, or storage can cause Vault to become unavailable, preventing applications from retrieving secrets or performing cryptographic operations.", + "threat_persona": "sofia", + "event": "denial of service / loss of availability", 
+ "sources": [ + "failure" + ], + "attack_mechanisms": [ + { + "capec_id": 125, + "capec_title": "Flooding" + } + ], + "weaknesses": [ + { + "cwe_id": 400, + "cwe_title": "Uncontrolled Resource Consumption" + }, + { + "cwe_id": 664, + "cwe_title": "Improper Control of a Resource Through its Lifetime" + } + ] + }, + { + "symbolic_name": "misconfigured-policies-excess-privilege", + "title": "Over-permissive Vault policies allow lateral movement or secret theft", + "description": "Misconfigured Vault policies or overly-broad role bindings grant principals capabilities they don't need (e.g., wildcard admin policies), enabling actors to list/read secrets or create tokens for escalation.", + "threat_persona": "giovanni", + "event": "unauthorized access / privilege escalation", + "sources": [ + "human_error" + ], + "attack_mechanisms": [ + { + "capec_id": 212, + "capec_title": "Abuse existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 285, + "cwe_title": "Improper Authorization" + } + ] + } + ], + "controls": [ + { + "symbolic_name": "restrict-k8s-rbac", + "title": "Restrict Kubernetes RBAC for developers and engineers", + "description": "Limit Kubernetes RoleBindings/ClusterRoleBindings so that developers and engineers cannot exec into Vault pods, read pod volumes, or access Raft storage directly. 
Only platform engineers should have restricted administrative access under break-glass conditions.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "pod-security-policies",
+ "title": "Apply Pod Security Standards / OPA Gatekeeper",
+ "description": "Use Kubernetes Pod Security Standards (restricted profile) or OPA/Gatekeeper policies to prevent privileged containers and block direct volume mounts that would expose Raft data to kubectl exec or copy commands.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "audit-kubectl-commands",
+ "title": "Audit kubectl exec and cp usage",
+ "description": "Enable Kubernetes audit logging to track all kubectl exec and copy commands. Send logs to a SIEM for real-time detection of suspicious access attempts.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs"
+
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "vault-multiple-audit-devices",
+ "title": "Configure multiple Vault audit devices",
+ "description": "Enable at least two Vault audit devices (e.g., file and syslog). 
Even if one sink is tampered with or deleted, other sinks continue to capture activity.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "immutable-storage-for-audit",
+ "title": "Store Vault audit logs in immutable storage",
+ "description": "Use append-only storage (e.g., WORM S3 buckets or immutable syslog servers) for Vault audit logs so they cannot be deleted or modified retroactively.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "deployment-change-control",
+ "title": "Require change control for Vault deployment manifests",
+ "description": "Enforce code review and approval workflows (e.g., GitOps, Infrastructure as Code pipelines) for changes to Vault StatefulSets, Services, and ConfigMaps. Prevent direct kubectl edits in production.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "k8s-admission-controls",
+ "title": "Apply Kubernetes admission controls for Vault workloads",
+ "description": "Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Vault pods (no sidecars, no privilege escalation, no host networking) and reject unauthorized changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "monitor-k8s-config-changes",
+ "title": "Monitor and alert on Kubernetes configuration changes",
+ "description": "Enable auditing of Kubernetes API server for changes to StatefulSets, Services, and ConfigMaps in the Vault namespace. 
Send to SIEM for alerting on unexpected changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "constrain-auth-methods",
+ "title": "Constrain Vault authentication methods",
+ "description": "Configure Vault auth methods (AppRole, Kubernetes, IAM) with least privilege. Require role bindings to be tightly scoped (limited CIDRs, bounded service accounts, short-lived tokens).",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "short-lived-tokens",
+ "title": "Use short-lived Vault tokens and dynamic secrets",
+ "description": "Configure Vault roles and policies to issue ephemeral tokens and dynamic credentials that automatically expire, limiting impact of stolen tokens.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "bind-secrets-to-identity",
+ "title": "Bind secrets tightly to workload identity",
+ "description": "Restrict Vault roles to specific Kubernetes service accounts, IAM roles, or AppRoles. Enforce identity binding so compromised workloads cannot escalate or impersonate others.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "restrict-raft-network-access",
+ "title": "Restrict Raft port access to Vault cluster nodes only",
+ "description": "Use Kubernetes NetworkPolicies and AWS Security Groups to restrict port 8201 so only Vault pods can communicate with each other. 
Block all external or client access to Raft traffic.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "raft-mtls-cert-validation",
+ "title": "Enforce mutual TLS for Raft replication",
+ "description": "Require Vault nodes to authenticate Raft peers with mTLS certificates. Configure strict certificate validation and rotation to prevent unauthorized Raft peers from joining the cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "monitor-raft-consensus-health",
+ "title": "Monitor Raft consensus health",
+ "description": "Enable monitoring and alerting on Raft replication status, quorum health, and node membership changes. Detect anomalies that may indicate tampering or external Raft join attempts.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "end-to-end-strong-tls",
+ "title": "Enforce end-to-end TLS from clients to Vault pods. Enforce TLS versions (1.2+), secure cipher suites, and valid CA-signed certificates. Disable weak ciphers and enforce certificate pinning where possible.",
+ "description": "Configure the AWS Load Balancer for TCP passthrough (no TLS termination), or ensure re-encryption is used with trusted server certificates so traffic is encrypted all the way to Vault pods.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "monitor-lb-config",
+ "title": "Monitor and alert on Load Balancer TLS configuration changes",
+ "description": "Continuously check AWS Load Balancer TLS configuration (e.g., via AWS Config or Security Hub). 
Alert if TLS termination is enabled unexpectedly or insecure parameters are set.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "multi-az-deployment",
+ "title": "Deploy Vault cluster across multiple Availability Zones",
+ "description": "Distribute Vault pods and Raft peers across multiple AWS Availability Zones to ensure quorum and service availability during AZ-level outages.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "raft-backup-snapshots",
+ "title": "Enable automated Raft snapshots and backup",
+ "description": "Configure regular Raft snapshots and store them securely outside the Vault cluster (e.g., S3 with encryption) to recover state in case of catastrophic failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "auto-unseal-ha",
+ "title": "Use redundant Cloud KMS for auto-unseal",
+ "description": "Configure Vault auto-unseal with multiple KMS providers (or highly available KMS setup) to avoid dependency on a single point of failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "health-checks-and-restarts",
+ "title": "Enable health checks and automated restarts for Vault pods",
+ "description": "Configure Kubernetes liveness/readiness probes for Vault pods and enable automated restart policies to recover from node/pod failures quickly.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "active",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-review-process",
+ "title": "Implement Vault policy review and approval workflow",
+ "description": "Establish a mandatory peer-review or automated validation process for Vault policies before deployment. 
Reject policies that include wildcards or grant admin-level capabilities unnecessarily.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "least-privilege-defaults",
+ "title": "Adopt least-privilege defaults for Vault roles",
+ "description": "Use policy templates and default role definitions that start with no privileges. Require explicit justification and approval for each added capability.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-linter",
+ "title": "Automated linting of Vault policies",
+ "description": "Introduce static analysis (policy linter) to detect dangerous constructs in Vault policies (e.g., wildcards, overly broad paths, admin capabilities) before deployment.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "low"
+ }
+ ],
+ "risks": [
+ {
+ "symbolic_name": "insider-abuse-of-kubernetes-access",
+ "title": "Insider abuse of Kubernetes access to exfiltrate or tamper with secrets",
+ "description": "Developers or platform engineers with kubectl access may exec into Vault pods, read Raft storage files, or tamper with Vault audit logs, leading to loss of confidentiality and accountability.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "likelihood": "possible",
+ "impact": "severe",
+ "impact_description": "Could result in full compromise of Vault data, bypassing of audit logs, and erosion of operational trust.",
+ "score": 15,
+ "level": "high"
+ },
+ {
+ "symbolic_name": "workload-auth-abuse",
+ "title": "Compromised workloads abusing Vault authentication",
+ "description": "A compromised workload 
(application, CI/CD job) can abuse Kubernetes, AppRole, or IAM auth to escalate privileges and extract secrets beyond intended scope.",
+ "threats": [
+ "compromised-workload-abuse-auth",
+ "misconfigured-policies-excess-privilege"
+ ],
+ "likelihood": "unlikely",
+ "impact": "severe",
+ "impact_description": "Widespread credential exposure or lateral movement into other systems and services.",
+ "score": 10,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "network-exposure-and-mitm",
+ "title": "Network exposure or misconfiguration leading to interception or Raft compromise",
+ "description": "If Raft ports (8201) are exposed or TLS is misconfigured at the load balancer, attackers could eavesdrop, tamper with traffic, or attempt to join the Raft cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "likelihood": "rare",
+ "impact": "severe",
+ "impact_description": "Interception of secrets or compromise of Vault cluster integrity.",
+ "score": 5,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "vault-availability-risk",
+ "title": "Loss of Vault availability",
+ "description": "Failures in Raft consensus, node crashes, or dependency outages (e.g., KMS auto-unseal) could make Vault unavailable, preventing applications from retrieving secrets.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "likelihood": "unlikely",
+ "impact": "major",
+ "impact_description": "Applications relying on Vault could experience outages and service disruption.",
+ "score": 10,
+ "level": "high"
+ }
+ ]
+}
\ No newline at end of file
From 7a04e959066b963ef3ff909e1221df66bc4e99a8 Mon Sep 17 00:00:00 2001 From: Petra Date: Sun, 23 Nov 2025 22:33:58 +0000 Subject: [PATCH 05/44] Modified risk and model schemas
---
.../model/cyclonedx-blueprint-2.0.schema.json | 308 ++++++++++++- .../2.0/model/cyclonedx-risk-2.0.schema.json | 409 +++++++++++++----- 2 files changed, 595 insertions(+), 122 deletions(-) 
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index d8c7dc5df..0659c6599 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -46,6 +46,20 @@
 },
 "description": "The assets (components, services, data, actors) included in the model"
 },
+ "dataStores": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataStore"
+ },
+ "description": "Structured description of data stores used in the model"
+ },
+ "dataSets": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataSet"
+ },
+ "description": "Datasets handled by the system, including placements and sensitivity"
+ },
 "zones": {
 "type": "array",
 "items": {
@@ -321,6 +335,9 @@
 "compliance",
 "risk",
 "stakeholder",
+ "use-case",
+ "abuse-case",
+ "design-review",
 "custom"
 ],
 "meta:enum": {
@@ -340,6 +357,8 @@
 "compliance": "Regulatory compliance perspective",
 "risk": "Risk management perspective",
 "stakeholder": "General stakeholder perspective",
+ "use-case": "A high level persepctive that captures the data-flows of the use case, rather than deep granularity of systems",
+ "abuse-case": "A high level persepctive that captures the data-flows of a certain abuse case, rather than deep granularity of systems",
 "custom": "Custom or other perspective"
 }
 },
@@ -535,7 +554,7 @@
 "component": "Software component or application",
 "service": "Service or microservice",
 "dataStore": "Database, file system, or data repository",
- "data": "Data asset or dataset",
+ "data": "Dataset",
 "actor": "User, system, or external entity",
 "process": "Business or system process",
 "infrastructure": "Infrastructure component", 
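Review bot: `design-review` is added to the perspective `enum` in the `@@ -321` hunk, but the `@@ -340` hunk adds `meta:enum` descriptions only for `use-case` and `abuse-case`, leaving the new value undocumented; add a line such as `"design-review": "Design review perspective",` next to the other two. Both new descriptions also misspell "perspective" as "persepctive". Since `meta:enum` is what documentation generators render for the enum, a value missing from it is easy to overlook in review but shows up as a gap in the published docs.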
@@ -616,8 +635,8 @@
 "description": "Authentication methods supported/required"
 },
 "authorization": {
- "$ref": "#/$defs/authorizationType",
- "description": "Authorization model used"
+ "$ref": "#/$defs/accessControlType",
+ "description": "Access control model used"
 },
 "encryption": {
 "$ref": "#/$defs/encryptionType" 
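Review bot: The new `$ref` to `#/$defs/accessControlType` resolves only if that definition exists, and no hunk on this page adds it or renames `authorizationType` to it; the same reference is used in the `@@ -636` hunk (`dataStore.accessControl`, `dataSet.accessControl`) and in the `@@ -787` hunk. If `authorizationType` was renamed in an unchanged part of `$defs` this is fine, but if it was not, every one of these is a dangling reference and the schema fails to load. The enclosing `$defs` entry begins outside the hunk.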
@@ -636,6 +655,169 @@
 }
 }
 },
+ "dataStore": {
+ "type": "object",
+ "required": ["bom-ref", "name", "type"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the data store"
+ },
+ "description": {
+ "type": "string",
+ "description": "Purpose and contents of the store"
+ },
+ "type": {
+ "type": "string",
+ "enum": [
+ "sql",
+ "keyValue",
+ "document",
+ "object",
+ "graph",
+ "timeSeries",
+ "file",
+ "blob",
+ "cache",
+ "custom"
+ ],
+ "meta:enum": {
+ "sql": "Relational database",
+ "keyValue": "Key-value store",
+ "document": "Document database (e.g., MongoDB)",
+ "object": "Object storage",
+ "graph": "Graph database",
+ "timeSeries": "Time-series database",
+ "file": "File system or NAS",
+ "blob": "Binary/blob storage",
+ "cache": "Caching tier",
+ "custom": "Other or mixed storage technology"
+ }
+ },
+ "vendor": {
+ "type": "string"
+ },
+ "product": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "environment": {
+ "type": "string",
+ "description": "Deployment environment (prod, test, etc.)"
+ },
+ "trustZone": {
+ "$ref": "#/$defs/trustZoneRef"
+ },
+ "location": {
+ "type": "string",
+ "description": "Physical or logical hosting location"
+ },
+ "technologies": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Supporting technologies or services"
+ },
+ "dataSets": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References to data sets stored here"
+ },
+ "accessControl": {
+ "$ref": "#/$defs/accessControlType"
+ },
+ "encryption": {
+ "$ref": "#/$defs/encryptionType"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "dataSet": {
+ "type": "object",
+ "required": ["bom-ref", "name", "description"],
+ "additionalProperties": false,
+ "properties": {
+ 
"bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the dataset" + }, + "description": { + "type": "string", + "description": "What information is contained and why it exists" + }, + "classification": { + "$ref": "#/$defs/dataClassification" + }, + "dataTypes": { + "type": "array", + "items": { + "$ref": "#/$defs/dataObjectType" + }, + "description": "Categories of data stored (PII, PHI, etc.)" + }, + "recordCount": { + "type": "integer", + "description": "Approximate number of records" + }, + "owners": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, + "regulations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Applicable regulations or contracts" + }, + "accessControl": { + "$ref": "#/$defs/accessControlType" + }, + "placements": { + "type": "array", + "items": { + "type": "object", + "required": ["dataStore"], + "additionalProperties": false, + "properties": { + "dataStore": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { + "type": "string", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "description": "Indicates if this placement is a replica" + } + } + }, + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "interface": { "type": "object", "required": ["name", "type"], 
@@ -787,8 +969,8 @@
 "description": "Authentication required to cross this boundary"
 },
 "authorization": {
- "$ref": "#/$defs/authorizationType",
- "description": "Authorization model at this boundary"
+ "$ref": "#/$defs/accessControlType",
+ "description": "Access control model at this boundary"
 },
 "dataValidation": {
 "type": "boolean",
@@ -888,6 +1070,13 @@
 "classification": {
 "$ref": "#/$defs/dataClassification"
 },
+ "dataObjects": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/dataObject"
+ },
+ "description": "The data object(s) transported in this flow"
+ },
 "authentication": {
 "type": "array",
 "items": {
@@ -897,6 +1086,11 @@
 "encryption": {
 "$ref": "#/$defs/encryptionType"
 },
+ "sequence": {
+ "type": "integer",
+ "minimum": 0,
+ "description": "Ordering hint so flows can be assembled into sequence diagrams"
+ },
 "properties": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
 }
@@ -914,10 +1108,10 @@
 "type": "string",
 "description": "The assumption being made"
 },
- "category": {
+ "topic": {
 "type": "string",
 "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"],
- "description": "Category of the assumption"
+ "description": "Topic of the assumption"
 },
 "relatedAssets": {
 "type": "array",
@@ -1071,9 +1265,6 @@
 "criticality": {
 "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality"
 },
- "sensitivity": {
- "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/dataSensitivity"
- },
 "dataClassification": {
 "$ref": "#/$defs/dataClassification"
 }, 
@@ -1108,8 +1299,16 @@
 "type": "object",
 "additionalProperties": false,
 "properties": {
- "sensitivity": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/dataSensitivity"
+ "level": {
+ "type": "string",
+ "enum": ["public", "internal", "confidential", "restricted"],
+ "description": "Data sensitivity classification",
+ "meta:enum": {
+ "public": "Public information that can be freely shared",
+ "internal": "Internal use only within the organization",
+ "confidential": "Confidential information requiring protection",
+ "restricted": "Highly restricted information with limited access and special protection measures"
+ }
 },
 "dataTypes": {
 "type": "array", 
@@ -1139,6 +1338,85 @@
 }
 }
 },
+ "dataObject": {
+ "type": "object",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Unique identifier for this data object"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the transported data object"
+ },
+ "description": {
+ "type": "string",
+ "description": "Additional details about the data contents"
+ },
+ "classification": {
+ "$ref": "#/$defs/dataClassification",
+ "description": "Inline classification details for this data object"
+ },
+ "classificationRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to a shared classification definition elsewhere in the model"
+ },
+ "type": {
+ "$ref": "#/$defs/dataObjectType",
+ "description": "Type of data (PII, PHI, PCI, etc.)"
+ },
+ "schema": {
+ "type": "string",
+ "description": "Reference to a schema contract or document describing the data structure"
+ },
+ "format": {
+ "type": "string",
+ "description": "Serialization or encoding format (JSON, HL7, CSV, etc.)"
+ },
+ "attributes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Key attributes or fields transported"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "dataObjectType": {
+ "type": "string",
+ "enum": [
+ "pii",
+ "phi",
+ "pci",
+ "financial",
+ "intellectualProperty",
+ "telemetry",
+ "logs",
+ "credentials",
+ "safety",
+ "operational",
+ "custom"
+ ],
+ "description": "Common data object classifications",
+ "meta:enum": {
+ "pii": "Personally identifiable information",
+ "phi": "Protected health information",
+ "pci": "Payment card industry data",
+ "financial": "Financial statements or transaction data",
+ "intellectualProperty": "Intellectual property or trade secrets",
+ "telemetry": "System or product telemetry data",
+ "logs": "Operational or 
security log data", + "credentials": "Secrets, tokens, or credentials", + "safety": "Safety critical data or signals", + "operational": "Operational or process data", + "custom": "Other data types not covered by the enumerated values" + } + }, "ownership": { "type": "object", "additionalProperties": false, @@ -1230,6 +1508,10 @@ "description": "Whether data is encrypted during processing" } } + }, + "trustZoneRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to a zone entry whose type is 'trust'" } } -} \ No newline at end of file +} diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index 0e07128f9..2aa6783c2 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -24,6 +24,13 @@ }, "description": "Risk scenarios identified" }, + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, "mitigations": { "type": "array", "items": { @@ -164,10 +171,6 @@ "domain": { "$ref": "#/$defs/riskDomain" }, - "category": { - "type": "string", - "description": "Category or classification of the scenario" - }, "likelihood": { "$ref": "#/$defs/likelihood" }, 
@@ -204,6 +207,118 @@
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
 }
 },
+ "compliance": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": ["framework", "controlId"],
+ "additionalProperties": false,
+ "properties": {
+ "framework": {
+ "type": "string",
+ "description": "Name of the compliance program or framework"
+ },
+ "controlId": {
+ "type": "string",
+ "description": "Identifier of the control within the framework"
+ },
+ "reference": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference",
+ "description": "Link or citation to the requirement or control documentation"
+ },
+ "description": {
+ "type": "string",
+ "description": "Optional notes describing the mapping"
+ }
+ }
+ },
+ "description": "Compliance frameworks and control references this mitigation supports"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "risk": {
+ "type": "object",
+ "required": ["bom-ref", "name", "statement"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name or identifier for the risk"
+ },
+ "statement": {
+ "type": "string",
+ "description": "Structured risk statement describing source, event, and impact"
+ },
+ "description": {
+ "type": "string",
+ "description": "Additional narrative about the risk"
+ },
+ "domains": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/riskDomain"
+ },
+ "description": "Risk domains impacted"
+ },
+ "scenarios": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References to scenarios this risk addresses"
+ },
+ "likelihood": {
+ "$ref": "#/$defs/likelihood"
+ },
+ "impact": {
+ "$ref": "#/$defs/impact"
+ },
+ "riskScore": {
+ "$ref": "#/$defs/riskScore"
+ },
+ "riskAttributes": {
+ "type": "array",
+ "items": {
+ 
"$ref": "#/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/riskResponse" + }, + "description": "Risk responses or mitigation plans applied to this risk" + }, + "relatedThreats": { + "type": "array", + "items": { + "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatScenario" + }, + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": ["identified", "assessed", "mitigated", "accepted", "transferred", "retired"], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } @@ -219,18 +334,17 @@ "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], "description": "Likelihood level", "meta:enum": { - "veryLow": "Very unlikely to occur (< 10%)", - "low": "Unlikely to occur (10-30%)", - "medium": "Possible to occur (30-60%)", - "high": "Likely to occur (60-90%)", - "veryHigh": "Very likely to occur (> 90%)", - "certain": "Will certainly occur (100%)" + "rare": "Very unlikely to occur (< 10%)", + "unlikely": "Unlikely to occur (10-30%)", + "possible": "Possible to occur (30-60%)", + "likely": "Likely to occur (60-90%)", + "almostCertain": "Very likely to occur (> 90%)" } }, "score": { "type": "number", "minimum": 0, - "maximum": 10, + "maximum": 5, "description": "Numeric likelihood score" }, "probability": { 
@@ -239,6 +353,13 @@
 "maximum": 1,
 "description": "Probability as a decimal (0-1)"
 },
+ "factors": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/likelihoodFactor"
+ },
+ "description": "Factors considered when determining the likelihood level"
+ },
 "rationale": {
 "type": "string",
 "description": "Justification for the likelihood rating"
@@ -252,14 +373,13 @@
 "properties": {
 "level": {
 "type": "string",
- "enum": ["negligible", "low", "moderate", "high", "severe", "catastrophic"],
+ "enum": ["negligible", "low", "moderate", "major", "catastrophic"],
 "description": "Impact severity level",
 "meta:enum": {
 "negligible": "Minimal impact with no significant consequences",
 "low": "Minor impact with limited consequences",
 "moderate": "Moderate impact affecting some operations",
- "high": "Significant impact with serious consequences",
- "severe": "Severe impact with critical consequences",
+ "major": "Significant impact with serious consequences",
 "catastrophic": "Catastrophic impact with existential consequences"
 }
 },
@@ -368,7 +488,7 @@
 },
 "score": {
 "type": "number",
- "minimum": 0,
+ "minimum": 1,
 "description": "Numeric risk score"
 },
 "vector": { 
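Review bot: `factors` references `#/$defs/likelihoodFactor`, which no hunk on this page defines; unless it already exists in `$defs`, the reference is dangling. The `@@ -252` hunk changes the impact `enum` and its `meta:enum` together (`high`/`severe` collapsed into `major`), which is the consistency the likelihood hunk lacks; documents written against the old values, such as the `"impact": "severe"` entries in the example earlier on this page, will fail validation if they target this schema. Raising the `riskScore` `minimum` to 1 in the `@@ -368` hunk also has no accompanying description change explaining why 0 is no longer a valid score.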
@@ -381,46 +501,39 @@
 }
 }
 },
- "mitigation": {
+ "riskResponse": {
 "type": "object",
- "required": ["bom-ref", "name", "type"],
+ "required": ["bom-ref", "mitigations", "mitigationPlan"],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
- "name": {
- "type": "string",
- "description": "Name of the mitigation"
+ "mitigations": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/mitigation"
+ },
+ "description": "Mitigations applied to this risk response"
 },
- "description": {
- "type": "string",
- "description": "Description of what the mitigation does"
+ "mitigationPlan": {
+ "$ref": "#/$defs/mitigationPlan"
+ }
+ }
+ },
+ "mitigation": {
+ "type": "object",
+ "required": ["bom-ref", "reference"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Unique identifier for this mitigation entry so it can be referenced by a plan"
 },
- "type": {
- "type": "string",
- "enum": [
- "avoid",
- "reduce",
- "transfer",
- "accept",
- "control",
- "countermeasure",
- "safeguard",
- "practice",
- "procedure"
- ],
- "meta:enum": {
- "avoid": "Avoid the risk entirely",
- "reduce": "Reduce likelihood or impact",
- "transfer": "Transfer risk to another party",
- "accept": "Accept the risk",
- "control": "Preventive or detective control",
- "countermeasure": "Reactive measure to counter risks",
- "safeguard": "Protective measure",
- "practice": "Risk management practice",
- "procedure": "Documented procedure"
- }
+ "reference": {
+ "description": "Reference to a mitigation/control implementing the response.",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
 "strategy": {
 "type": "string",
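Review bot: The new `mitigation` object carries two `refType` identifiers — its own `bom-ref` and a required `reference` described only as "a mitigation/control implementing the response" — while it keeps `strategy`, `status` and (per the later hunks of this patch) `type`, `addresses`-style and `implementedBy` fields of its own, so it is unclear whether a mitigation is an inline record or a pointer to one, and `additionalProperties: false` will reject any producer that guesses wrong. The `reference` description should name the kind of object the bom-ref must resolve to and how it differs from `implementedBy`; something like `"description": "bom-ref of the element that implements this mitigation; must resolve within the BOM."`. The `reference` block also puts `description` before `$ref`, unlike every other property in the hunk — keep `$ref` first. `riskResponse.mitigations` should carry `"uniqueItems": true` alongside `"minItems": 1`. The `mitigation` definition continues past the end of the hunk.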
@@ -432,6 +545,21 @@
 "recover": "Recovers from the impact"
 }
 },
+ "type": {
+ "type": "string",
+ "enum": [
+ "control",
+ "countermeasure",
+ "procedure",
+ "removal"
+ ],
+ "meta:enum": {
+ "control": "Protective, preventive or detective control",
+ "countermeasure": "Reactive measure to counter risks",
+ "procedure": "Documented procedure",
+ "removal": "Removing a risky component or asset"
+ }
+ },
 "status": {
 "type": "string",
 "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"],
@@ -466,14 +594,14 @@
 "items": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
- "description": "References to scenarios this mitigation addresses"
+ "description": "References to scenarios this plan addresses"
 },
 "implementedBy": {
 "type": "array",
 "items": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
- "description": "References to assets that implement this mitigation"
+ "description": "References to assets that implement this plan"
 },
 "externalReferences": {
 "type": "array",
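Review bot: `mitigation.type` now uses a four-value vocabulary while `mitigationPlan.type`, added in the next hunk of this patch, uses the nine-value vocabulary that was just removed from `mitigation`, and `control`, `countermeasure` and `procedure` appear in both with the same descriptions. Two sibling objects sharing the key name `type` but different closed enums is easy to get wrong for producers and for generated code; either give this one a distinct key (for example `category`) or factor the shared values into a single `$defs` enum that both reference. The enclosing `mitigation` definition starts and ends outside the hunk.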
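Review bot: The @@ -466 hunk rewords the `addresses`-style and `implementedBy` descriptions from "this mitigation" to "this plan", but by line position these properties still sit inside the `mitigation` definition that starts at old line 384 (the new `mitigationPlan` definition is inserted separately at old line 489 and has its own `externalReferences` and `properties`), so the text now describes the wrong object. Either move these two properties into `mitigationPlan` or keep `"description": "References to scenarios this mitigation addresses"` and `"description": "References to assets that implement this mitigation"`. Both bom-ref arrays would also benefit from `"uniqueItems": true`.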
@@ -486,6 +614,75 @@
 }
 }
 },
+ "mitigationPlan": {
+ "type": "object",
+ "required": ["name", "type", "status", "mitigations"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the mitigation plan"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of what the plan covers"
+ },
+ "type": {
+ "type": "string",
+ "enum": [
+ "avoid",
+ "reduce",
+ "transfer",
+ "accept",
+ "control",
+ "countermeasure",
+ "safeguard",
+ "practice",
+ "procedure"
+ ],
+ "meta:enum": {
+ "avoid": "Avoid the risk entirely",
+ "reduce": "Reduce likelihood or impact",
+ "transfer": "Transfer risk to another party",
+ "accept": "Accept the risk",
+ "control": "Protective, preventive or detective control",
+ "countermeasure": "Reactive measure to counter risks",
+ "safeguard": "Safeguards mitigating adverse events",
+ "practice": "Operational or governance practice",
+ "procedure": "Documented procedure"
+ }
+ },
+ "status": {
+ "type": "string",
+ "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"],
+ "meta:enum": {
+ "proposed": "Mitigation has been proposed",
+ "approved": "Mitigation has been approved",
+ "planned": "Implementation is planned",
+ "inProgress": "Implementation is in progress",
+ "implemented": "Mitigation has been implemented",
+ "verified": "Effectiveness has been verified"
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ },
+ "mitigations": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "List of mitigation bom-refs chosen for this plan"
+ }
+ }
+ },
 "effectiveness": {
 "type": "object",
 "additionalProperties": false,
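Review bot: `mitigationPlan.mitigations` is a required list of mitigation bom-refs, but `riskResponse` (hunk @@ -381 earlier in this patch) already requires both an inline `mitigations` array and this `mitigationPlan`, so the same relationship is stored twice and nothing in the schema keeps the two lists consistent — a plan can list bom-refs that never appear in the response it belongs to. Consider dropping one side, or at least state in the description that the plan's list must be a subset of the enclosing response's mitigations, and add `"uniqueItems": true` to the bom-ref list. The `status` texts ("Mitigation has been proposed", …) were copied from `mitigation` and should read "Plan" here, and a `"$comment"` explaining how `type` here relates to the shorter `mitigation.type` enum would save readers a comparison.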
@@ -493,8 +690,8 @@
 "percentage": {
 "type": "number",
 "minimum": 0,
- "maximum": 100,
- "description": "Effectiveness as percentage"
+ "maximum": 1,
+ "description": "Effectiveness as decimal"
 },
 "rating": {
 "type": "string",
@@ -540,16 +737,32 @@
 "type": "string",
 "description": "Executive summary of the assessment"
 },
- "findings": {
+ "risks": {
 "type": "array",
 "items": {
- "$ref": "#/$defs/finding"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
- "description": "Specific findings from the assessment"
+ "description": "References to risk entries evaluated in this assessment"
 },
 "overallRisk": {
- "$ref": "#/$defs/riskScore",
- "description": "Overall risk score/level"
+ "type": "object",
+ "required": ["method", "score"],
+ "additionalProperties": false,
+ "properties": {
+ "method": {
+ "type": "string",
+ "enum": ["sum", "average", "custom"],
+ "description": "Aggregation method used to derive the overall risk"
+ },
+ "score": {
+ "$ref": "#/$defs/riskScore"
+ },
+ "description": {
+ "type": "string",
+ "description": "Optional explanation for custom aggregation approaches"
+ }
+ },
+ "description": "Aggregated risk result for this assessment"
 },
 "recommendations": {
 "type": "array",
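Review bot: The property is still named `percentage` while its range and description now say it is a 0–1 decimal, so a producer reading the key will send `85` and be rejected, and a consumer that assumed percent will misread `0.85`. Since the schema is pre-release, rename the key (for example `ratio`) or keep the 0–100 scale; if the key must stay, make the description unambiguous, e.g. `"description": "Effectiveness as a decimal fraction between 0 and 1 (0.85 = 85%)"`. The enclosing `effectiveness` definition starts outside the hunk.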
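Review bot: In the @@ -540 hunk `overallRisk.method` accepts `custom`, but the `description` that is supposed to explain a custom aggregation is optional, so an assessment can assert an overall score with no stated derivation; a conditional inside `overallRisk` would enforce it: `"if": { "properties": { "method": { "const": "custom" } } },` and `"then": { "required": ["description"] }`. `risks` is a list of bom-refs and should carry `"uniqueItems": true`. The `finding` definition that the removed `$ref` pointed at is deleted later in this patch (hunk @@ -568); the `#/$defs/severity` it referenced may now be orphaned, which is worth checking since nothing else in view references it.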
@@ -568,55 +781,6 @@
 }
 }
 },
- "finding": {
- "type": "object",
- "required": ["title", "severity"],
- "additionalProperties": false,
- "properties": {
- "bom-ref": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
- },
- "title": {
- "type": "string",
- "description": "Title of the finding"
- },
- "description": {
- "type": "string",
- "description": "Detailed description of the finding"
- },
- "severity": {
- "$ref": "#/$defs/severity"
- },
- "relatedScenarios": {
- "type": "array",
- "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
- },
- "description": "Scenarios related to this finding"
- },
- "relatedAssets": {
- "type": "array",
- "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
- },
- "description": "Assets affected by this finding"
- },
- "remediation": {
- "type": "string",
- "description": "Recommended remediation"
- },
- "status": {
- "type": "string",
- "enum": ["open", "inProgress", "resolved", "accepted"],
- "meta:enum": {
- "open": "Finding is open and unaddressed",
- "inProgress": "Remediation is in progress",
- "resolved": "Finding has been resolved",
- "accepted": "Risk has been accepted"
- }
- }
- }
- },
 "priority": {
 "type": "string",
 "enum": ["none", "low", "medium", "high", "critical"],
@@ -653,16 +817,43 @@
 "critical": "Critical impact with severe business consequences"
 }
 },
- "dataSensitivity": {
+ "dataClassification": {
 "type": "string",
- "enum": ["public", "internal", "confidential", "restricted", "secret"],
+ "enum": ["public", "internal", "confidential", "restricted"],
 "description": "Data sensitivity classification",
 "meta:enum": {
 "public": "Public information that can be freely shared",
 "internal": "Internal use only within the organization",
 "confidential": "Confidential information requiring protection",
- "restricted": "Highly restricted information with limited access",
- "secret": "Secret information requiring special handling"
+ "restricted": "Highly restricted information with limited access and special protection measures"
+ }
+ },
+ "likelihoodFactor": {
+ "type": "string",
+ "enum": [
+ "threatCapability",
+ "threatIntent",
+ "exploitMaturity",
+ "vulnerabilityExposure",
+ "controlStrength",
+ "detectionCoverage",
+ "environmentalChange",
+ "historicalFrequency",
+ "businessCycle",
+ "custom"
+ ],
+ "description": "Elements that influence likelihood estimations",
+ "meta:enum": {
+ "threatCapability": "Attacker skill, resources, or capacity to execute the scenario",
+ "threatIntent": "Motivation or intent of threats targeting the asset",
+ "exploitMaturity": "Availability and maturity of exploits or tooling",
+ "vulnerabilityExposure": "How exposed or accessible the vulnerable asset is",
+ "controlStrength": "Effectiveness of preventive controls in place",
+ "detectionCoverage": "Ability to detect attempts before success",
+ "environmentalChange": "External conditions (regulatory, geopolitical, seasonal) that shift likelihood",
+ "historicalFrequency": "Past occurrence rate or intelligence reporting",
+ "businessCycle": "Operational cadence (peak seasons, release cycles) that increases risk",
+ "custom": "Other organization-specific factors"
 }
 }
 }
From 1bc014f11f80a2c2fd384069dc49d09b69bef873 Mon Sep 17 00:00:00 2001
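Review bot: The definition is renamed to `dataClassification` but its `description` still reads "Data sensitivity classification", and the `secret` level is dropped without a note, which is a breaking vocabulary change for any document already using it; the `dataSensitivity` enum added to the data schema in the later patch on this page still includes `secret`, so two classification vocabularies now disagree on the top level. Update the text to `"description": "Data classification level"` or similar, and either keep `secret` or record the mapping for existing producers. The `custom` member of `likelihoodFactor` carries no information because the factor is a bare string; if organisation-specific factors are intended, model `factors` items as an object such as `{ "type": "custom", "name": "...", "description": "..." }` (constructed example) or drop the value. The file this hunk patches is not identified in this view, and the enclosing `$defs` object closes at the end of the hunk.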
From: Steve Springett Date: Fri, 5 Dec 2025 15:27:13 -0600 Subject: [PATCH 06/44] Added .DS_Store to ignore Signed-off-by: Steve Springett
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 2628a5390..18e738864 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 .idea/
 .vscode/
 tools/target/
From 83e8122d5268f7195d7ad2bc51050c8b6979c713 Mon Sep 17 00:00:00 2001
From: Steve Springett Date: Fri, 5 Dec 2025 16:29:46 -0600 Subject: [PATCH 07/44] Minor corrections to get bundle to compile. Signed-off-by: Steve Springett
---
 .../model/cyclonedx-blueprint-2.0.schema.json | 12 +++++------
 .../2.0/model/cyclonedx-data-2.0.schema.json | 12 +++++++++++
 .../cyclonedx-requirement-2.0.schema.json | 13 ++++++------
 .../2.0/model/cyclonedx-risk-2.0.schema.json | 21 ++++--------------
 .../model/cyclonedx-threat-2.0.schema.json | 8 +++----
 .../model/cyclonedx-usecase-2.0.schema.json | 11 +++++-----
 6 files changed, 37 insertions(+), 40 deletions(-)
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index d8c7dc5df..2b01b3fd4 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -1,9 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json",
- "type": "object",
- "title": "CycloneDX Transparency Expression Language: Blueprint",
- "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Blueprint Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "required": ["modelTypes", "methodologies"],
 "additionalProperties": false,
 "properties": {
@@ -1072,7 +1072,7 @@
 "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality"
 },
 "sensitivity": {
- "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/dataSensitivity"
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
 },
 "dataClassification": {
 "$ref": "#/$defs/dataClassification"
@@ -1109,7 +1109,7 @@
 "additionalProperties": false,
 "properties": {
 "sensitivity": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/dataSensitivity"
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
 },
 "dataTypes": {
 "type": "array",
diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json
index 598f9098d..665ed5ed1 100644
--- a/schema/2.0/model/cyclonedx-data-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json
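Review bot: Setting the root `"type": "null"` while leaving `required`, `additionalProperties: false` and `properties` at the same level makes those keywords dead: a document validated directly against this file can only be the literal `null`, so the `required` list is never checked and the apparent strictness is illusory. If these model files are meant to be consumed only through the bundle's `$defs` (which is how the bundled schema later on this page embeds them), say so in `$comment` and drop the unreachable root keywords; otherwise keep `"type": "object"`. The same pattern is repeated in the requirement, risk, threat and use-case headers of this commit, which additionally remove `additionalProperties: false` — consistent with the bundle-only reading, but worth stating. `"$comment" :` also has a space before the colon unlike every other key; style only.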
@@ -10,6 +10,18 @@
 "title": "Data Classification",
 "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
 },
+ "dataSensitivity": {
+ "type": "string",
+ "enum": ["public", "internal", "confidential", "restricted", "secret"],
+ "description": "Data sensitivity classification",
+ "meta:enum": {
+ "public": "Public information that can be freely shared",
+ "internal": "Internal use only within the organization",
+ "confidential": "Confidential information requiring protection",
+ "restricted": "Highly restricted information with limited access",
+ "secret": "Secret information requiring special handling"
+ }
+ },
 "dataGovernance": {
 "type": "object",
 "title": "Data Governance",
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
index 743f99ecb..bee371df5 100644
--- a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
@@ -1,10 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "http://localhost:8080/schema/2.0/cyclonedx-requirement-2.0.schema.json",
- "type": "object",
- "title": "CycloneDX Transparency Expression Language: Engineering Requirement",
- "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
- "additionalProperties": false,
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Engineering Requirement Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "requirement": {
 "type": "object",
@@ -250,11 +249,11 @@
 "oneOf": [
 {
 "title": "Ref",
- "$ref": "#/definitions/refLinkType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
 {
 "title": "BOM-Link Element",
- "$ref": "#/definitions/bomLinkElementType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"
 }
 ]
 },
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
index 0e07128f9..abf35b5ca 100644
--- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
@@ -1,10 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-risk-2.0.schema.json",
- "type": "object",
- "title": "CycloneDX Transparency Expression Language: Risk",
- "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
- "additionalProperties": false,
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-risk-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Risk Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "properties": {
 "bom-ref": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
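Review bot: The `$ref` fix is right — the draft-07 `#/definitions/...` pointers could never resolve in a 2020-12 file that only has `$defs` — but the surrounding `oneOf` will reject a value that satisfies both `refLinkType` and `bomLinkElementType`, whereas the bundled schema later on this page expresses the same Ref / BOM-Link pair with `anyOf`. If the two patterns can overlap, change `"oneOf": [` to `"anyOf": [` for consistency with the bundle; if they are disjoint by construction, `oneOf` is fine but a short `"$comment"` saying so would stop the next reader from asking. The enclosing property starts and ends outside the hunk.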
@@ -652,18 +651,6 @@
 "high": "High impact affecting critical operations",
 "critical": "Critical impact with severe business consequences"
 }
- },
- "dataSensitivity": {
- "type": "string",
- "enum": ["public", "internal", "confidential", "restricted", "secret"],
- "description": "Data sensitivity classification",
- "meta:enum": {
- "public": "Public information that can be freely shared",
- "internal": "Internal use only within the organization",
- "confidential": "Confidential information requiring protection",
- "restricted": "Highly restricted information with limited access",
- "secret": "Secret information requiring special handling"
- }
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
index 51d3173ef..95270ec11 100644
--- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -1,9 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "http://localhost:8080/schema/2.0/model/cyclonedx-threat-2.0.schema.json",
- "type": "object",
- "title": "CycloneDX Transparency Expression Language: Threat",
- "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-threat-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Threat Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "threatScenario": {
 "type": "object",
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
index 8a024e243..4f08e1326 100644
--- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
@@ -1,10 +1,9 @@
 {
 "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "http://localhost:8080/schema/2.0/cyclonedx-usecase-2.0.schema.json",
- "type": "object",
- "title": "CycloneDX Transparency Expression Language: Use Case",
- "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
- "additionalProperties": false,
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-usecase-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Use Case Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "properties": {
 "bom-ref": {
 "type": "string",
@@ -22,7 +21,7 @@
 "description": "A detailed description of the use case."
 },
 "actors": {
- "type": ,"array",
+ "type": "array",
 "title": "Actors",
 "description": "The stakeholders or users who interact with the system in this use case.",
 "items": {
From f52760aeca10ce9543b8b2c9e96c2fcd3d4fdf0d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" Date: Fri, 5 Dec 2025 22:30:02 +0000 Subject: [PATCH 08/44] chore: update bundled schemas [skip ci]
---
 .../2.0/cyclonedx-2.0-bundled.min.schema.json | 2 +-
 schema/2.0/cyclonedx-2.0-bundled.schema.json | 12522 ++++++++++------
 2 files changed, 8044 insertions(+), 4480 deletions(-)
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index f48b23cbe..54f292d09 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
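Review bot: The stray comma in `"type": ,"array"` meant this model file was not valid JSON at all until this commit, which shows that nothing validates the `schema/2.0/model/*.json` files before the bundler consumes them; a parse step such as `python -m json.tool` or `jq .` over those files in CI (or a pre-commit hook) would have failed at the authoring commit instead of surfacing as a bundle build error. The `bom-ref` property in the @@ -1 hunk is a bare `"type": "string"` here, whereas the other model schemas in this commit reference `cyclonedx-common-2.0.schema.json#/$defs/refType`; the `@@ -1` hunk's `properties` block continues outside the hunk, but aligning it with the shared `refType` would keep bom-ref constraints in one place.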
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or 
process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of 
the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. 
For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URLs for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an action performed by an individual, such as authoring or committing a commit, together with who performed it and when. Unless corroborated by a signature, the name and email are asserted by the BOM author and should not be treated as verified identity.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp at which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the component's pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types. This constraint is not enforced by the schema itself; validators should check it separately."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance 
role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Service Data","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. 
Often, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weakness Enumeration (CWE) identifiers that describe this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. Consumers should treat this material as untrusted content and must not execute or render it automatically.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes is provided in the affected component's pedigree, containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. 
Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. 
Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? 
What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to 
the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or 
operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated 
activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"modelTypes":{"type":"array","minItems":1,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","minItems":1,"description":"The modeling methodologies 
used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"perspectives":{"type":"array","description":"Different viewpoints or perspectives used in the model analysis","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/perspective"}},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"zones":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"assumptions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0"},{"properties":{"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets involved in this use case"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to flows that are part of this use case"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirements implemented by this use case"}}}]},"description":"Use cases analyzed as part of 
the model"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"description":"External references related to the blueprint"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},"description":"Additional properties and extensions"}},"$defs":{"modelType":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["architecture","dataFlow","process","deployment","network","threat","risk","privacy","operational","conceptual","logical","physical","behavioral","structural"],"meta:enum":{"architecture":"System or software architecture model","dataFlow":"Data flow model showing how data moves through the system","process":"Business or system process model","deployment":"Deployment or infrastructure model","network":"Network topology or connectivity model","threat":"Security threat model","risk":"Risk assessment model","privacy":"Privacy impact assessment model","operational":"Operational model","conceptual":"High-level conceptual model","logical":"Logical system model","physical":"Physical infrastructure model","behavioral":"System behavior model","structural":"System structure model"}}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom model type name"},"description":{"type":"string","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["C4","UML","TOGAF","Archimate","BPMN","DFD","ERD","4+1","Zachman","SABSA","DODAF","MODAF","NAF","Kruchten","IDEF","SysML","STRIDE","PASTA","LINDDUN","OCTAVE","ISO27005","NIST","FAIR"],"meta:enum":{"C4":"C4 Model for 
software architecture","UML":"Unified Modeling Language","TOGAF":"The Open Group Architecture Framework","Archimate":"Enterprise architecture modeling language","BPMN":"Business Process Model and Notation","DFD":"Data Flow Diagrams","ERD":"Entity Relationship Diagrams","4+1":"4+1 Architectural View Model","Zachman":"Zachman Framework","SABSA":"Sherwood Applied Business Security Architecture","DODAF":"Department of Defense Architecture Framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","Kruchten":"Kruchten's 4+1 View Model","IDEF":"Integration Definition Methods","SysML":"Systems Modeling Language","STRIDE":"Microsoft's threat modeling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","LINDDUN":"Privacy threat modeling methodology","OCTAVE":"Operationally Critical Threat, Asset, and Vulnerability Evaluation","ISO27005":"ISO/IEC 27005 Information security risk management","NIST":"NIST Risk Management Framework","FAIR":"Factor Analysis of Information Risk"}},"version":{"type":"string","description":"Version of the methodology"}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom methodology name"},"version":{"type":"string","description":"Version of the methodology"},"description":{"type":"string","description":"Description of the custom methodology"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"perspective":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the 
perspective"},"type":{"type":"string","enum":["business","technical","user","operational","development","architectural","functional","informational","contextual","conceptual","logical","physical","security","compliance","risk","stakeholder","custom"],"meta:enum":{"business":"Business stakeholder perspective","technical":"Technical implementation perspective","user":"End user or customer perspective","operational":"Operations and maintenance perspective","development":"Software development perspective","architectural":"System architecture perspective","functional":"Functional requirements perspective","informational":"Information and data perspective","contextual":"Business context perspective","conceptual":"High-level conceptual perspective","logical":"Logical design perspective","physical":"Physical implementation perspective","security":"Security perspective","compliance":"Regulatory compliance perspective","risk":"Risk management perspective","stakeholder":"General stakeholder perspective","custom":"Custom or other perspective"}},"name":{"type":"string","description":"Name of the perspective"},"description":{"type":"string","description":"Detailed description of the perspective and its focus"},"role":{"type":"string","description":"The role or persona associated with this perspective"},"objectives":{"type":"array","items":{"type":"string"},"description":"Primary objectives or goals from this perspective"},"concerns":{"type":"array","items":{"type":"string"},"description":"Primary concerns from this perspective"},"viewpoint":{"type":"string","description":"The architectural viewpoint this perspective represents"},"scope":{"type":"string","description":"The scope of this perspective"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"blueprintMetadata":{"type":"object","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","description":"When the blueprint was created or last 
updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","additionalProperties":false,"properties":{"start":{"type":"string","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the scope"},"description":{"type":"string","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","items":{"type":"string"},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
included"},"excludedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","enum":["component","service","dataStore","data","actor","process","infrastructure","device","network","container","function","api","queue","stream","system","subsystem","module","interface","endpoint","resource"],"meta:enum":{"component":"Software component or application","service":"Service or microservice","dataStore":"Database, file system, or data repository","data":"Data asset or dataset","actor":"User, system, or external entity","process":"Business or system process","infrastructure":"Infrastructure component","device":"Physical or IoT device","network":"Network segment or resource","container":"Container or orchestration unit","function":"Serverless function or lambda","api":"API endpoint or interface","queue":"Message queue or event bus","stream":"Data stream or event stream","system":"Complete system or application","subsystem":"Part of a larger system","module":"Software module or package","interface":"System interface or contract","endpoint":"Service endpoint or URL","resource":"Generic resource or artifact"}},"name":{"type":"string","description":"Name of the asset"},"description":{"type":"string","description":"Description of the asset's role and 
purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"attributes":{"type":"array","items":{"type":"string"},"description":"Generic attributes or tags for the asset"},"responsibilities":{"type":"array","items":{"type":"string"},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use cases that involve this asset"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model used"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of 
interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the zone"},"description":{"type":"string","description":"Description of the zone's characteristics"},"type":{"type":"string","enum":["trust","network","physical","logical","deployment","organizational","functional","security"],"meta:enum":{"trust":"Security trust zone","network":"Network segmentation zone","physical":"Physical location or boundary","logical":"Logical grouping or boundary","deployment":"Deployment environment (e.g., dev, staging, prod)","organizational":"Organizational or administrative boundary","functional":"Functional grouping","security":"Security zone or perimeter"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","items":{"type":"string"},"description":"Constraints or limitations of this 
zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the boundary"},"type":{"type":"string","enum":["trust","network","process","data","physical","organizational","functional"],"meta:enum":{"trust":"Trust boundary between different security zones","network":"Network boundary or firewall","process":"Process or execution boundary","data":"Data classification boundary","physical":"Physical security boundary","organizational":"Organizational boundary","functional":"Functional boundary"}},"zones":{"type":"array","minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","additionalProperties":false,"properties":{"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model at this boundary"},"dataValidation":{"type":"boolean","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","description":"Whether data is transformed when crossing this boundary"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType","description":"Encryption requirements for crossing this boundary"},"logging":{"type":"boolean","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","description":"Whether crossings are 
monitored"},"rateLimit":{"type":"string","description":"Rate limiting policy"},"protocols":{"type":"array","items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or description of the flow"},"description":{"type":"string","description":"Detailed description of what flows and why"},"type":{"type":"string","enum":["data","control","process","message","event","dependency","interaction"],"meta:enum":{"data":"Data or information flow","control":"Control or command flow","process":"Business process flow","message":"Message or communication flow","event":"Event or notification flow","dependency":"Dependency relationship","interaction":"User or system interaction"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","description":"Expected volume or frequency of flow"},"timing":{"type":"string","description":"Timing characteristics (real-time, batch, scheduled)"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Format of data in the 
flow"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","description":"The assumption being made"},"category":{"type":"string","enum":["technical","business","operational","security","compliance","performance","availability"],"description":"Category of the assumption"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this assumption relates to"},"validity":{"type":"string","enum":["unknown","verified","unverified","invalid"],"default":"unknown","description":"Whether the assumption has been validated"},"impact":{"type":"string","description":"Impact if this assumption proves false"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who owns or is responsible for this assumption"},"validationMethod":{"type":"string","description":"How this assumption can be validated"},"validationDate":{"type":"string","format":"date-time","description":"When the assumption was last validated"}}},"visualization":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or title of the visualization"},"description":{"type":"string","description":"Description of what the visualization 
shows"},"type":{"type":"string","enum":["architecture","dataFlow","sequence","state","deployment","network","process","useCase","component","class","entity","activity","collaboration","context","container","code"],"meta:enum":{"architecture":"System architecture diagram","dataFlow":"Data flow diagram (DFD)","sequence":"Sequence or interaction diagram","state":"State machine diagram","deployment":"Deployment or infrastructure diagram","network":"Network topology diagram","process":"Business process diagram","useCase":"Use case diagram","component":"Component diagram","class":"Class or object diagram","entity":"Entity relationship diagram","activity":"Activity or workflow diagram","collaboration":"Collaboration diagram","context":"Context diagram","container":"Container diagram (C4)","code":"Code structure diagram"}},"format":{"type":"string","enum":["mermaid","graphviz","plantuml","drawio","svg","png","jpeg","d3","cytoscape","visio","archimate"],"meta:enum":{"mermaid":"Mermaid diagram language","graphviz":"GraphViz DOT language","plantuml":"PlantUML diagram language","drawio":"Draw.io/diagrams.net format","svg":"Scalable Vector Graphics","png":"Portable Network Graphics","jpeg":"JPEG image format","d3":"D3.js visualization","cytoscape":"Cytoscape graph format","visio":"Microsoft Visio format","archimate":"ArchiMate model format"}},"content":{"type":"string","description":"The diagram content (source code or base64 encoded image)"},"url":{"type":"string","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","enum":["overview","high","medium","detailed"],"description":"Level of detail in the visualization"},"perspective":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the perspective this visualization represents"},"elements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this 
visualization"},"interactive":{"type":"boolean","description":"Whether the visualization is interactive"},"layers":{"type":"array","items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataClassification":{"type":"object","additionalProperties":false,"properties":{"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Specific types of data"},"handling":{"type":"string","description":"Data handling requirements"},"retention":{"type":"string","description":"Data retention requirements"},"disposal":{"type":"string","description":"Data disposal requirements"},"regulations":{"type":"array","items":{"type":"string"},"description":"Applicable regulations"}}},"ownership":{"type":"object","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward 
responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary users of the asset"}}},"authenticationType":{"type":"string","enum":["none","basic","bearer","digest","certificate","apiKey","oauth1","oauth2","openIdConnect","saml","kerberos","ntlm","jwt","custom"],"description":"Authentication method","meta:enum":{"none":"No authentication required","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","digest":"Digest authentication","certificate":"Certificate-based authentication","apiKey":"API key authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","openIdConnect":"OpenID Connect authentication","saml":"SAML authentication","kerberos":"Kerberos authentication","ntlm":"NTLM authentication","jwt":"JSON Web Token authentication","custom":"Custom authentication method"}},"authorizationType":{"type":"string","enum":["none","acl","rbac","abac","mac","dac","pbac","cbac","custom"],"description":"Authorization model","meta:enum":{"none":"No authorization controls","acl":"Access Control Lists","rbac":"Role-Based Access Control","abac":"Attribute-Based Access Control","mac":"Mandatory Access Control","dac":"Discretionary Access Control","pbac":"Policy-Based Access Control","cbac":"Claims-Based Access Control","custom":"Custom authorization model"}},"encryptionType":{"type":"object","additionalProperties":false,"properties":{"inTransit":{"type":"boolean","description":"Whether data is encrypted in transit"},"atRest":{"type":"boolean","description":"Whether data is encrypted at rest"},"inProcessing":{"type":"boolean","description":"Whether data is encrypted during processing"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation 
Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be 
present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","enum":["public","internal","confidential","restricted","secret"],"description":"Data sensitivity classification","meta:enum":{"public":"Public information that can be freely shared","internal":"Internal use only within the organization","confidential":"Confidential information requiring protection","restricted":"Highly restricted information with limited access","secret":"Secret information requiring special handling"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The 
organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and 
evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities 
are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Security threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk 
scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"category":{"type":"string","description":"Category or classification of the scenario"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["veryLow","low","medium","high","veryHigh","certain"],"description":"Likelihood level","meta:enum":{"veryLow":"Very unlikely to occur (< 10%)","low":"Unlikely to occur (10-30%)","medium":"Possible to occur (30-60%)","high":"Likely to occur (60-90%)","veryHigh":"Very likely to occur (> 90%)","certain":"Will certainly occur (100%)"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"rationale":{"type":"string","description":"Justification for the likelihood 
rating"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","high","severe","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","high":"Significant impact with serious consequences","severe":"Severe impact with critical consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected 
users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":0,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology used"}}},"mitigation":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the mitigation"},"description":{"type":"string","description":"Description of what the mitigation does"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Protective measure","practice":"Risk management practice","procedure":"Documented 
procedure"}},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this mitigation addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this mitigation"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":100,"description":"Effectiveness as percentage"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces 
risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"findings":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/finding"},"description":"Specific findings from the assessment"},"overallRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore","description":"Overall risk score/level"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"finding":{"type":"object","required":["title","severity"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"title":{"type":"string","description":"Title of the finding"},"description":{"type":"string","description":"Detailed description of the finding"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"relatedScenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Scenarios related to this finding"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this 
finding"},"remediation":{"type":"string","description":"Recommended remediation"},"status":{"type":"string","enum":["open","inProgress","resolved","accepted"],"meta:enum":{"open":"Finding is open and unaddressed","inProgress":"Remediation is in progress","resolved":"Finding has been resolved","accepted":"Risk has been accepted"}}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 channel","actions-on-objectives":"Achieving attack 
goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"capability":{"type":"string","enum":["minimal","limited","moderate","significant","advanced"],"description":"Overall capability level"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack 
pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"likelihood":{"type":"string","enum":["low","medium","high"],"description":"Likelihood of this pattern being used"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the 
weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to 
exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure 
used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy 
description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at 
boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","properties":{"bom-ref":{"type":"string","title":"BOM Reference","description":"An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name or title of the use case."},"description":{"type":"string","title":"Description","description":"A detailed description of the use case."},"actors":{"type":"array","title":"Actors","description":"The stakeholders or users who interact with the system in this use case.","items":{"type":"string"}},"preconditions":{"type":"array","title":"Preconditions","description":"Conditions that must be true before the use case can be executed.","items":{"type":"string"}},"postconditions":{"type":"array","title":"Postconditions","description":"Conditions that will be true after the use case has been successfully executed.","items":{"type":"string"}},"mainFlow":{"type":"array","title":"Main Flow","description":"The primary sequence of steps that describe the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}},"alternativeFlows":{"type":"array","title":"Alternative Flows","description":"Alternative sequences of steps that may occur in the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"}},"exceptions":{"type":"array","title":"Exceptions","description":"Error scenarios that may occur during the execution of the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"}},"successCriteria":{"type":"array","title":"Success Criteria","description":"Criteria that determine whether the use case has been successfully executed.","items":{"type":"string"}},"notes":{"type":"array","title":"Notes","description":"Additional information or comments about the use case.","items":{"type":"string"}},"properties":{"type":"array","title":"Properties","description":"Provides the 
ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/property"}}},"$defs":{"step":{"type":"object","title":"Step","description":"A single step in a use case flow.","additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","description":"The sequence number of the step."},"description":{"type":"string","title":"Description","description":"A description of the step."},"actor":{"type":"string","title":"Actor","description":"The actor who performs this step."}}},"flow":{"type":"object","title":"Flow","description":"A sequence of steps in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the flow."},"description":{"type":"string","title":"Description","description":"A description of the flow."},"condition":{"type":"string","title":"Condition","description":"The condition under which this alternative flow is executed."},"steps":{"type":"array","title":"Steps","description":"The sequence of steps in the flow.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}}}},"exception":{"type":"object","title":"Exception","description":"An error scenario in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the exception."},"description":{"type":"string","title":"Description","description":"A description of the exception."},"condition":{"type":"string","title":"Condition","description":"The condition under which this exception occurs."},"handling":{"type":"string","title":"Handling","description":"How the exception is handled."}}},"property":{"type":"object","title":"Property","description":"A name-value property.","additionalProperties":false,"required":["name","value"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the 
property."},"value":{"type":"string","title":"Value","description":"The value of the property."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json index e9f8174fc..8c216fecb 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json 
@@ -777,2207 +777,3578 @@
 }
 }
 },
- "cyclonedx-citation-2.0": {
+ "cyclonedx-blueprint-2.0": {
 "type": "null",
- "title": "CycloneDX Citation Model",
- "$defs": {
- "citations": {
+ "title": "CycloneDX Blueprint Model",
+ "required": [
+ "modelTypes",
+ "methodologies"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "modelTypes": {
 "type": "array",
+ "minItems": 1,
+ "description": "The types of models being represented",
 "items": {
- "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation"
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"
+ }
+ },
+ "methodologies": {
+ "type": "array",
+ "minItems": 1,
+ "description": "The modeling methodologies used",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"
+ }
+ },
+ "perspectives": {
+ "type": "array",
+ "description": "Different viewpoints or perspectives used in the model analysis",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/perspective"
+ }
+ },
+ "metadata": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"
+ },
+ "scope": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope"
+ },
+ "assets": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset"
 },
- "uniqueItems": true,
- "title": "Citations",
- "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM."
+ "description": "The assets (components, services, data, actors) included in the model"
 },
- "citation": {
+ "zones": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone"
+ },
+ "description": "Logical, physical, or trust zones that group assets with similar characteristics"
+ },
+ "boundaries": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"
+ },
+ "description": "Boundaries between zones"
+ },
+ "flows": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow"
+ },
+ "description": "Data, control, or process flows between assets"
+ },
+ "assumptions": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"
+ },
+ "description": "Assumptions made during the modeling process"
+ },
+ "visualizations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"
+ },
+ "description": "Visual representations of the model"
+ },
+ "useCases": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-usecase-2.0"
+ },
+ {
+ "properties": {
+ "assets": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to assets involved in this use case"
+ },
+ "flows": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to flows that are part of this use case"
+ },
+ "requirements": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to requirements implemented by this use case"
+ }
+ }
+ }
+ ]
+ },
+ "description": "Use cases analyzed as part of the model"
+ },
+ "requirements": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement"
+ },
+ "description": "Requirements derived from or related to the model"
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ },
+ "description": "External references related to the blueprint"
+ },
+ "properties": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property"
+ },
+ "description": "Additional properties and extensions"
+ }
+ },
+ "$defs": {
+ "modelType": {
 "type": "object",
- "title": "Citation",
- "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+ "oneOf": [
+ {
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "architecture",
+ "dataFlow",
+ "process",
+ "deployment",
+ "network",
+ "threat",
+ "risk",
+ "privacy",
+ "operational",
+ "conceptual",
+ "logical",
+ "physical",
+ "behavioral",
+ "structural"
+ ],
+ "meta:enum": {
+ "architecture": "System or software architecture model",
+ "dataFlow": "Data flow model showing how data moves through the system",
+ "process": "Business or system process model",
+ "deployment": "Deployment or infrastructure model",
+ "network": "Network topology or connectivity model",
+ "threat": "Security threat model",
+ "risk": "Risk assessment model",
+ "privacy": "Privacy impact assessment model",
+ "operational": "Operational model",
+ "conceptual": "High-level conceptual model",
+ "logical": "Logical system model",
+ "physical": "Physical infrastructure model",
+ "behavioral": "System behavior model",
+ "structural": "System structure model"
+ }
+ }
+ }
+ },
+ {
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Custom model type name"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the custom model type"
+ }
+ }
+ }
+ ]
+ },
+ "methodology": {
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "type"
+ ],
+ "additionalProperties": 
false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "C4",
+ "UML",
+ "TOGAF",
+ "Archimate",
+ "BPMN",
+ "DFD",
+ "ERD",
+ "4+1",
+ "Zachman",
+ "SABSA",
+ "DODAF",
+ "MODAF",
+ "NAF",
+ "Kruchten",
+ "IDEF",
+ "SysML",
+ "STRIDE",
+ "PASTA",
+ "LINDDUN",
+ "OCTAVE",
+ "ISO27005",
+ "NIST",
+ "FAIR"
+ ],
+ "meta:enum": {
+ "C4": "C4 Model for software architecture",
+ "UML": "Unified Modeling Language",
+ "TOGAF": "The Open Group Architecture Framework",
+ "Archimate": "Enterprise architecture modeling language",
+ "BPMN": "Business Process Model and Notation",
+ "DFD": "Data Flow Diagrams",
+ "ERD": "Entity Relationship Diagrams",
+ "4+1": "4+1 Architectural View Model",
+ "Zachman": "Zachman Framework",
+ "SABSA": "Sherwood Applied Business Security Architecture",
+ "DODAF": "Department of Defense Architecture Framework",
+ "MODAF": "Ministry of Defence Architecture Framework",
+ "NAF": "NATO Architecture Framework",
+ "Kruchten": "Kruchten's 4+1 View Model",
+ "IDEF": "Integration Definition Methods",
+ "SysML": "Systems Modeling Language",
+ "STRIDE": "Microsoft's threat modeling methodology",
+ "PASTA": "Process for Attack Simulation and Threat Analysis",
+ "LINDDUN": "Privacy threat modeling methodology",
+ "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation",
+ "ISO27005": "ISO/IEC 27005 Information security risk management",
+ "NIST": "NIST Risk Management Framework",
+ "FAIR": "Factor Analysis of Information Risk"
+ }
+ },
+ "version": {
+ "type": "string",
+ "description": "Version of the methodology"
+ }
+ }
+ },
+ {
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Custom methodology name"
+ },
+ "version": {
+ "type": "string",
+ "description": "Version of the methodology"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the custom methodology"
+ },
+ "externalReferences": {
+ "type": "array",
+ 
"items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + } + ] + }, + "perspective": { + "type": "object", + "required": [ + "bom-ref", + "type", + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference" + "description": "Unique identifier for the perspective" }, - "pointers": { + "type": { + "type": "string", + "enum": [ + "business", + "technical", + "user", + "operational", + "development", + "architectural", + "functional", + "informational", + "contextual", + "conceptual", + "logical", + "physical", + "security", + "compliance", + "risk", + "stakeholder", + "custom" + ], + "meta:enum": { + "business": "Business stakeholder perspective", + "technical": "Technical implementation perspective", + "user": "End user or customer perspective", + "operational": "Operations and maintenance perspective", + "development": "Software development perspective", + "architectural": "System architecture perspective", + "functional": "Functional requirements perspective", + "informational": "Information and data perspective", + "contextual": "Business context perspective", + "conceptual": "High-level conceptual perspective", + "logical": "Logical design perspective", + "physical": "Physical implementation perspective", + "security": "Security perspective", + "compliance": "Regulatory compliance perspective", + "risk": "Risk management perspective", + "stakeholder": "General stakeholder perspective", + "custom": "Custom or other perspective" + } + }, + "name": { + "type": "string", + "description": "Name of the perspective" + }, + "description": { + "type": "string", + "description": "Detailed description of the perspective and its focus" + }, + "role": { + "type": "string", + "description": "The role or persona associated with this perspective" + }, + "objectives": { "type": "array", "items": { - "type": "string", - "title": "Field Reference", - 
"description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." + "type": "string" }, - "minItems": 1, - "title": "Field References", - "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + "description": "Primary objectives or goals from this perspective" }, - "expressions": { + "concerns": { "type": "array", "items": { - "type": "string", - "title": "Path Expression", - "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." + "type": "string" }, - "minItems": 1, - "title": "Path Expressions", - "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + "description": "Primary concerns from this perspective" + }, + "viewpoint": { + "type": "string", + "description": "The architectural viewpoint this perspective represents" }, + "scope": { + "type": "string", + "description": "The scope of this perspective" + }, + "properties": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "blueprintMetadata": { + "type": "object", + "additionalProperties": false, + "properties": { "timestamp": { "type": "string", "format": "date-time", - "title": "Timestamp", - "description": "The date and time when the attribution was made or the information was supplied." 
+ "description": "When the blueprint was created or last updated" }, - "attributedTo": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Attributed To", - "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + "authors": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" }, - "process": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Process Reference", - "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the blueprint" }, - "note": { + "reviewDate": { "type": "string", - "title": "Note", - "description": "A description or comment about the context or quality of the data attribution." + "format": "date-time", + "description": "When the blueprint was reviewed" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "A digital signature verifying the authenticity or integrity of the attribution." 
- } - }, - "required": [ - "timestamp" - ], - "anyOf": [ - { - "required": [ - "attributedTo" - ] + "approver": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" }, - { - "required": [ - "process" - ] - } - ], - "oneOf": [ - { - "required": [ - "pointers" - ] + "approvalDate": { + "type": "string", + "format": "date-time", + "description": "When the blueprint was approved" }, - { - "required": [ - "expressions" - ] + "ordinalVersion": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod" } - ] - } - } - }, - "cyclonedx-common-2.0": { - "type": "null", - "title": "CycloneDX Common Model", - "$defs": { - "refType": { - "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "type": "string", - "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" - }, - "refLinkType": { - "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "bomLinkDocumentType": { - "title": "BOM-Link Document", - "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLinkElementType": { - "title": "BOM-Link Element", - "description": "Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + } }, - "bomLink": { - "title": "BOM-Link", - "anyOf": [ - { - "title": "BOM-Link Document", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType" + "validityPeriod": { + "type": "object", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "format": "date-time", + "description": "When the blueprint becomes valid" }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + "end": { + "type": "string", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" } - ] + } }, - "hash": { + "scope": { "type": "object", - "title": "Hash", "required": [ - "alg", - "content" + "name" ], "additionalProperties": false, "properties": { - "alg": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "content": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue" + "name": { + "type": "string", + "description": "Name of the scope" + }, + "description": { + "type": "string", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", + "items": { + 
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "hashAlgorithm": { - "type": "string", - "title": "Hash Algorithm", - "description": "The algorithm that generated the hash value.", - "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3", - "Streebog-256", - "Streebog-512" - ] - }, - "hashValue": { - "type": "string", - "title": "Hash Value", - "description": "The value of the hash.", - "examples": [ - "3942447fac867ae5cdb3229b658f4d48" - ], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" - }, - "mediaType": { - "type": "string", - "title": "Media Type", - "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.", - "examples": [ - "text/plain", - "application/json", - "image/png" - ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "attachment": { + "asset": { "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", "required": [ - "content" + "bom-ref", + "type", + "name" ], "additionalProperties": false, "properties": { - "mediaType": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for the asset" }, - "encoding": { + "componentRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { "type": "string", - "title": 
"Encoding", - "description": "Specifies the optional encoding the text is represented in.", "enum": [ - "base64" + "component", + "service", + "dataStore", + "data", + "actor", + "process", + "infrastructure", + "device", + "network", + "container", + "function", + "api", + "queue", + "stream", + "system", + "subsystem", + "module", + "interface", + "endpoint", + "resource" ], "meta:enum": { - "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + "component": "Software component or application", + "service": "Service or microservice", + "dataStore": "Database, file system, or data repository", + "data": "Data asset or dataset", + "actor": "User, system, or external entity", + "process": "Business or system process", + "infrastructure": "Infrastructure component", + "device": "Physical or IoT device", + "network": "Network segment or resource", + "container": "Container or orchestration unit", + "function": "Serverless function or lambda", + "api": "API endpoint or interface", + "queue": "Message queue or event bus", + "stream": "Data stream or event stream", + "system": "Complete system or application", + "subsystem": "Part of a larger system", + "module": "Software module or package", + "interface": "System interface or contract", + "endpoint": "Service endpoint or URL", + "resource": "Generic resource or artifact" } }, - "content": { + "name": { "type": "string", - "title": "Attachment Text", - "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ "description": "Name of the asset" + }, + "description": { + "type": "string", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Generic attributes or tags for the asset" + }, + "responsibilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to use cases that involve this asset" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", + "description": "Authorization model used" + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + }, + "ownership": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } } } }, - "base64": { - "type": "string", - "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", - "description": "A Base64-encoded string." - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - }, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "externalReference": { + "interface": { "type": "object", - "title": "External Reference", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", "required": [ - "url", + "name", "type" ], "additionalProperties": false, "properties": { - "url": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink" - } - ], - "title": "URL", - "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." 
- }, - "comment": { + "name": { "type": "string", - "title": "Comment", - "description": "A comment describing the external reference" + "description": "Name of the interface" }, "type": { "type": "string", - "title": "Type", - "description": "Specifies the type of external reference.", "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "source-distribution", - "distribution", - "distribution-intake", - "license", - "build-meta", - "build-system", - "release-notes", - "security-contact", - "model-card", - "log", - "configuration", - "evidence", - "formulation", - "attestation", - "threat-model", - "adversary-model", - "risk-assessment", - "vulnerability-assertion", - "exploitability-statement", - "pentest-report", - "static-analysis-report", - "dynamic-analysis-report", - "runtime-analysis-report", - "component-analysis-report", - "maturity-report", - "certification-report", - "codified-infrastructure", - "quality-metrics", - "poam", - "electronic-signature", - "digital-signature", - "rfc-9116", - "patent", - "patent-family", - "patent-assertion", - "citation", - "other" + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" ], - "meta:enum": { - "vcs": "Version Control System", - "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", - "website": "Website", - "advisories": "Security advisories", - "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", - "mailing-list": "Mailing list or discussion group", - "social": "Social media account", - "chat": "Real-time chat platform", - "documentation": "Documentation, guides, or how-to instructions", - "support": "Community or commercial support", - "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. 
The source-distribution type complements use of the version control (vcs) type.", - "distribution": "Direct or repository download location", - "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", - "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", - "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", - "build-system": "Reference to an automated build system", - "release-notes": "Reference to release notes", - "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", - "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", - "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", - "configuration": "Parameters or settings that may be used by other components or services.", - "evidence": "Information used to substantiate a claim.", - "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", - "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", - "threat-model": "An enumeration of identified weaknesses, threats, and 
countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", - "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", - "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", - "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", - "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", - "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", - "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", - "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", - "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", - "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", - "maturity-report": "Report containing a formal assessment of an organization, business unit, or team 
against a maturity model.", - "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", - "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", - "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", - "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", - "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", - "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-assertion": "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", - "other": "Use this if no other types accurately describe the purpose of the external reference." + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" } }, - "hashes": { + "operations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash" + "type": "string" }, - "title": "Hashes", - "description": "The hashes of the external reference (if applicable)." 
- }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": "Operations or methods exposed" } } }, - "postalAddress": { + "zone": { "type": "object", - "title": "Postal address", - "description": "An address used to identify a contactable location.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "country": { + "name": { "type": "string", - "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 country code." + "description": "Name of the zone" }, - "region": { + "description": { "type": "string", - "title": "Region", - "description": "The region or state in the country.", - "examples": [ - "Texas" - ] + "description": "Description of the zone's characteristics" }, - "locality": { + "type": { "type": "string", - "title": "Locality", - "description": "The locality or city within the country.", - "examples": [ - "Austin" - ] + "enum": [ + "trust", + "network", + "physical", + "logical", + "deployment", + "organizational", + "functional", + "security" + ], + "meta:enum": { + "trust": "Security trust zone", + "network": "Network segmentation zone", + "physical": "Physical location or boundary", + "logical": "Logical grouping or boundary", + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "organizational": "Organizational or administrative boundary", + "functional": "Functional grouping", + "security": "Security zone or perimeter" + } }, - "postOfficeBoxNumber": { - "type": "string", - "title": "Post Office Box Number", - "description": "The post office box number.", - "examples": [ - "901" - 
] + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" }, - "postalCode": { - "type": "string", - "title": "Postal Code", - "description": "The postal code.", - "examples": [ - "78758" - ] + "characteristics": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" }, - "streetAddress": { - "type": "string", - "title": "Street Address", - "description": "The street address.", - "examples": [ - "100 Main Street" - ] + "constraints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Constraints or limitations of this zone" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalEntity": { + "boundary": { "type": "object", - "title": "Organizational Entity", + "required": [ + "bom-ref", + "zones" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Organization Name", - "description": "The name of the organization", - "examples": [ - "Example Inc." 
- ] + "description": "Name of the boundary" }, - "address": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", - "title": "Organization Address", - "description": "The physical address (location) of the organization" + "type": { + "type": "string", + "enum": [ + "trust", + "network", + "process", + "data", + "physical", + "organizational", + "functional" + ], + "meta:enum": { + "trust": "Trust boundary between different security zones", + "network": "Network boundary or firewall", + "process": "Process or execution boundary", + "data": "Data classification boundary", + "physical": "Physical security boundary", + "organizational": "Organizational boundary", + "functional": "Functional boundary" + } }, - "url": { + "zones": { "type": "array", + "minItems": 2, "items": { - "type": "string", - "format": "iri-reference" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Organization URL(s)", - "description": "The URL of the organization. Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "The zones this boundary connects or separates" }, - "contact": { - "type": "array", - "title": "Organizational Contact", - "description": "A contact at the organization. Multiple contacts are allowed.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "crossingRequirements": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalContact": { + "crossingRequirements": { "type": "object", - "title": "Organizational Contact", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of a contact", - "examples": [ - "Contact name" - ] + "authorization": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", + "description": "Authorization model at this boundary" }, - "email": { - "type": "string", - "format": "idn-email", - "title": "Email Address", - "description": "The email address of the contact.", - "examples": [ - "firstname.lastname@example.com" - ] + "dataValidation": { + "type": "boolean", + "description": "Whether data is validated when crossing this boundary" }, - "phone": { + "dataTransformation": { + "type": "boolean", + "description": "Whether data is transformed when crossing this boundary" + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType", + "description": "Encryption requirements for crossing this boundary" + }, + "logging": { + "type": "boolean", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "description": "Whether crossings are monitored" + }, + "rateLimit": { "type": "string", - "title": "Phone", - "description": "The phone number of the contact.", - "examples": [ - "800-555-1212" - ] + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" } } }, - "organizationalEntityOrContact": {}, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - }, - "property": { + "flow": { "type": "object", - "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "required": [ - "name" + "bom-ref", + "name", + "source", + "destination", + "type" ], + "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "name": { "type": "string", - "title": "Name", - "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + "description": "Name or description of the flow" }, - "value": { + "description": { "type": "string", - "title": "Value", - "description": "The value of the property." 
- } - }, - "additionalProperties": false - }, - "extensibleProperties": { - "type": "object", - "title": "Extensible Properties", - "patternProperties": { - "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { - "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", - "examples": [ - "ext::", - "ext:example.org:myExtension" + "description": "Detailed description of what flows and why" + }, + "type": { + "type": "string", + "enum": [ + "data", + "control", + "process", + "message", + "event", + "dependency", + "interaction" ], - "if": { - "type": [ - "object", - "array" - ] - }, - "then": { - "type": "object", - "required": [ - "$schema" - ], - "properties": { - "$schema": { - "type": "string", - "format": "uri" - } - } - }, - "else": { - "type": [ - "string", - "number", - "boolean", - "null" - ] + "meta:enum": { + "data": "Data or information flow", + "control": "Control or command flow", + "process": "Business process flow", + "message": "Message or communication flow", + "event": "Event or notification flow", + "dependency": "Dependency relationship", + "interaction": "User or system interaction" } - } - } - }, - "baseObject": { - "description": "Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" - } - ], - "properties": { - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - } - } - }, - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", - "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." - }, - "lifecycle": { - "type": "object", - "title": "Lifecycle", - "description": "The product lifecycle(s) that this BOM represents.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the source asset" }, - { - "title": "Custom Lifecycle Phase", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the lifecycle phase" - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the lifecycle phase" - } + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "default": false, + "description": "Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { + "type": "string", + "description": "Expected volume or frequency of flow" + }, + "timing": { + "type": "string", + "description": "Timing 
characteristics (real-time, batch, scheduled)" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Format of data in the flow" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" } + }, + "encryption": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } - ] - }, - "lifecycles": { - "type": "array", - "title": "Lifecycles", - "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" } }, - "preDefinedLifecyclePhase": { - "title": "Pre-Defined Phase", + "assumption": { + "type": "object", "required": [ - "phase" + "description" ], "additionalProperties": false, "properties": { - "phase": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": { + "type": "string", + "description": "The assumption being made" + }, + "category": { "type": "string", - "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.", "enum": [ - "design", - "pre-build", - "build", - "post-build", - "operations", - "discovery", - "decommission" + "technical", + "business", + "operational", + "security", + "compliance", + "performance", + "availability" ], - "meta:enum": { - "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or 
planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", - "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", - "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", - "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", - "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", - "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", - "decommission": "BOM containing inventory that will be, or has been retired from operations." - } - } - } - }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "title": "Tags", - "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", - "examples": [ - "json-parser", - "object-persistence", - "text-to-image", - "translation", - "object-detection" - ] - }, - "commit": { - "type": "object", - "title": "Commit", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "uid": { + "description": "Category of the assumption" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets this assumption relates to" + }, + "validity": { "type": "string", - "title": "UID", - "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + "enum": [ + "unknown", + "verified", + "unverified", + "invalid" + ], + "default": "unknown", + "description": "Whether the assumption has been validated" }, - "url": { + "impact": { "type": "string", - "title": "URL", - "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", - "format": "iri-reference" + "description": "Impact if this assumption proves false" }, - "author": { - "title": "Author", - "description": "The author who created the changes in the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who owns or is responsible for this assumption" }, - "committer": { - "title": "Committer", - "description": "The person who committed or pushed the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "validationMethod": { + "type": "string", + "description": "How this assumption can be validated" }, - "message": { + "validationDate": { "type": "string", - "title": "Message", - "description": "The text description of the contents of the commit" + "format": "date-time", + "description": "When the assumption was last validated" } } }, - "patch": { + "visualization": { "type": "object", - "title": "Patch", - "description": "Specifies an individual patch", "required": [ + "name", "type" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or title of the visualization" + }, + "description": { + "type": "string", + "description": "Description of what the visualization shows" + }, "type": { "type": "string", "enum": [ - "unofficial", - "monkey", - "backport", - "cherry-pick" + "architecture", + "dataFlow", + "sequence", + "state", + "deployment", + "network", + "process", + "useCase", + "component", + "class", + "entity", + "activity", + "collaboration", + "context", + "container", + "code" ], "meta:enum": { - "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. 
Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", - "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", - "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", - "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + "architecture": "System architecture diagram", + "dataFlow": "Data flow diagram (DFD)", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "deployment": "Deployment or infrastructure diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "useCase": "Use case diagram", + "component": "Component diagram", + "class": "Class or object diagram", + "entity": "Entity relationship diagram", + "activity": "Activity or workflow diagram", + "collaboration": "Collaboration diagram", + "context": "Context diagram", + "container": "Container diagram (C4)", + "code": "Code structure diagram" + } + }, + "format": { + "type": "string", + "enum": [ + "mermaid", + "graphviz", + "plantuml", + "drawio", + "svg", + "png", + "jpeg", + "d3", + "cytoscape", + "visio", + "archimate" + ], + "meta:enum": { + "mermaid": "Mermaid diagram language", + "graphviz": "GraphViz DOT language", + "plantuml": "PlantUML diagram language", + "drawio": "Draw.io/diagrams.net format", + "svg": "Scalable Vector Graphics", + "png": "Portable Network Graphics", + "jpeg": "JPEG image format", + "d3": "D3.js visualization", + "cytoscape": "Cytoscape graph format", + "visio": "Microsoft Visio format", + "archimate": "ArchiMate model format" + } + }, + "content": { + "type": "string", + "description": "The diagram content 
(source code or base64 encoded image)" + }, + "url": { + "type": "string", + "format": "iri-reference", + "description": "URL to the diagram if stored externally" + }, + "level": { + "type": "string", + "enum": [ + "overview", + "high", + "medium", + "detailed" + ], + "description": "Level of detail in the visualization" + }, + "perspective": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the perspective this visualization represents" + }, + "elements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Patch Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + "description": "References to elements shown in this visualization" }, - "diff": { - "title": "Diff", - "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" + "interactive": { + "type": "boolean", + "description": "Whether the visualization is interactive" }, - "resolves": { + "layers": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "type": "string" }, - "title": "Resolves", - "description": "A collection of issues the patch resolves" + "description": "Layers or views available in the visualization" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "diff": { + "assetClassification": { "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that shows changes. 
Refer to https://en.wikipedia.org/wiki/Diff", "additionalProperties": false, "properties": { - "text": { - "title": "Diff text", - "description": "Specifies the optional text of the diff", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" }, - "url": { + "sensitivity": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" + }, + "dataClassification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + }, + "tier": { "type": "string", - "title": "URL", - "description": "Specifies the URL to the diff", - "format": "iri-reference" + "enum": [ + "tier0", + "tier1", + "tier2", + "tier3", + "tier4" + ], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" } } }, - "issue": { + "dataClassification": { "type": "object", - "title": "Issue", - "description": "An individual issue that has been resolved.", - "required": [ - "type" - ], "additionalProperties": false, "properties": { - "type": { - "type": "string", - "enum": [ - "defect", - "enhancement", - "security" - ], - "meta:enum": { - "defect": "A fault, flaw, or bug in software.", - "enhancement": "A new feature or behavior in software.", - "security": "A special type of defect which impacts security." 
+ "sensitivity": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" }, - "title": "Issue Type", - "description": "Specifies the type of issue" + "description": "Specific types of data" }, - "id": { + "handling": { "type": "string", - "title": "Issue ID", - "description": "The identifier of the issue assigned by the source of the issue" + "description": "Data handling requirements" }, - "name": { + "retention": { "type": "string", - "title": "Issue Name", - "description": "The name of the issue" + "description": "Data retention requirements" }, - "description": { + "disposal": { "type": "string", - "title": "Issue Description", - "description": "A description of the issue" - }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the issue where it is documented", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source.", - "examples": [ - "National Vulnerability Database", - "NVD", - "Apache" - ] - }, - "url": { - "type": "string", - "title": "URL", - "description": "The url of the issue documentation as provided by the source", - "format": "iri-reference" - } - } + "description": "Data disposal requirements" }, - "references": { + "regulations": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "type": "string" }, - "title": "References", - "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "Applicable regulations" } } }, - "identifiableAction": { + "ownership": { "type": "object", - "title": "Identifiable Action", - "description": "Specifies an individual commit", "additionalProperties": false, "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The timestamp in which the action occurred" + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the individual who performed the action" + "steward": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" }, - "email": { - "type": "string", - "format": "idn-email", - "title": "E-mail", - "description": "The email address of the individual who performed the action" + "custodian": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" + }, + "users": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Primary users of the asset" } } }, - "locale": { + "authenticationType": { "type": "string", - "pattern": "^([a-z]{2})(-[A-Z]{2})?$", - "title": "Locale", - "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA" + "enum": [ + "none", + "basic", + "bearer", + "digest", + "certificate", + "apiKey", + "oauth1", + "oauth2", + "openIdConnect", + "saml", + "kerberos", + "ntlm", + "jwt", + "custom" + ], + "description": "Authentication method", + "meta:enum": { + "none": "No authentication required", + "basic": "Basic authentication (username/password)", + "bearer": "Bearer token authentication", + "digest": "Digest authentication", + "certificate": "Certificate-based authentication", + "apiKey": "API key authentication", + "oauth1": "OAuth 1.0 authentication", + "oauth2": "OAuth 2.0 authentication", + "openIdConnect": "OpenID Connect authentication", + "saml": "SAML authentication", + "kerberos": "Kerberos authentication", + "ntlm": "NTLM authentication", + "jwt": "JSON Web Token authentication", + "custom": "Custom authentication method" + } }, - "signature": { - "$ref": "../jsf-0.82.schema.json#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "authorizationType": { + "type": "string", + "enum": [ + "none", + "acl", + "rbac", + "abac", + "mac", + "dac", + "pbac", + "cbac", + "custom" + ], + "description": "Authorization model", + "meta:enum": { + "none": "No authorization controls", + "acl": "Access Control Lists", + "rbac": "Role-Based Access Control", + "abac": "Attribute-Based Access Control", + "mac": "Mandatory Access Control", + "dac": "Discretionary Access Control", + "pbac": "Policy-Based Access Control", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model" + } + }, + "encryptionType": { + "type": "object", + "additionalProperties": false, + "properties": { + "inTransit": { + "type": "boolean", + "description": "Whether data is encrypted in transit" + }, + "atRest": { + "type": "boolean", + "description": "Whether data is encrypted at rest" + }, + "inProcessing": { + "type": "boolean", + "description": "Whether data is encrypted during processing" + } + } } } }, - "cyclonedx-component-2.0": { + "cyclonedx-citation-2.0": { "type": "null", - "title": "CycloneDX Component Model", + "title": "CycloneDX Citation Model", "$defs": { - "components": { + "citations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation" }, "uniqueItems": true, - "title": "Components" + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." 
}, - "component": { + "citation": { "type": "object", - "title": "Component", - "required": [ - "type", - "name" - ], + "title": "Citation", + "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", "additionalProperties": false, "properties": { - "type": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference" + }, + "pointers": { + "type": "array", + "items": { + "type": "string", + "title": "Field Reference", + "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." + }, + "minItems": 1, + "title": "Field References", + "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "expressions": { + "type": "array", + "items": { + "type": "string", + "title": "Path Expression", + "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." + }, + "minItems": 1, + "title": "Path Expressions", + "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "timestamp": { "type": "string", - "enum": [ - "application", - "framework", - "library", - "container", - "platform", - "operating-system", - "device", - "device-driver", - "firmware", - "file", - "machine-learning-model", - "data", - "cryptographic-asset" - ], - "meta:enum": { - "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", - "framework": "A software framework. 
Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", - "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", - "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", - "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", - "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", - "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", - "device-driver": "A special type of software that operates or controls a particular type of device. 
Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", - "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", - "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", - "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", - "data": "A collection of discrete values that convey information.", - "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." - }, - "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", - "examples": [ - "library" - ] - }, - "mime-type": { - "type": "string", - "title": "Mime-Type", - "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", - "examples": [ - "image/jpeg" - ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "supplier": { - "title": "Component Supplier", - "description": " The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "format": "date-time", + "title": "Timestamp", + "description": "The date and time when the attribution was made or the information was supplied." }, - "manufacturer": { - "title": "Component Manufacturer", - "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "attributedTo": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Attributed To", + "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." }, - "authors": { - "type": "array", - "title": "Component Authors", - "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "process": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Process Reference", + "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." 
}, - "publisher": { + "note": { "type": "string", - "title": "Component Publisher", - "description": "The person(s) or organization(s) that published the component", - "examples": [ - "Acme Inc" - ] + "title": "Note", + "description": "A description or comment about the context or quality of the data attribution." }, - "group": { - "type": "string", - "title": "Component Group", - "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", - "examples": [ - "com.acme" + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "A digital signature verifying the authenticity or integrity of the attribution." + } + }, + "required": [ + "timestamp" + ], + "anyOf": [ + { + "required": [ + "attributedTo" ] }, - "name": { - "type": "string", - "title": "Component Name", - "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", - "examples": [ - "tomcat-catalina" + { + "required": [ + "process" + ] + } + ], + "oneOf": [ + { + "required": [ + "pointers" ] }, - "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
- }, - "versionRange": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", - "title": "Component Version Range", - "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" - } - }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Notes, observations, and other non-structured commentary describing the components pedigree." - } - } - }, - "components": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true, - "title": "Components", - "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." - }, - "evidence": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ + "100 Main Street" + ] + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] }, - "modelCard": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", - "title": "AI/ML Model Card" + "address": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" }, - "data": { + "url": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + "type": "string", + "format": "iri-reference" }, - "title": "Data", - "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." - }, - "cryptoProperties": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", - "title": "Cryptographic Properties" - }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
- } - }, - "allOf": [ - { - "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", - "not": { - "required": [ - "version", - "versionRange" - ] + "contact": { + "type": "array", + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" } - }, - { - "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", - "if": { - "properties": { - "isExternal": { - "const": false - } - } - }, - "then": { - "not": { - "required": [ - "versionRange" - ] - } - }, - "else": true - } - ] - }, - "version": { - "description": "A single disjunctive version identifier, for a component or service.", - "type": "string", - "maxLength": 1024, - "examples": [ - "9.0.14", - "v1.33.7", - "7.0.0-M1", - "2.0pre1", - "1.0.0-beta1", - "0.8.15" - ] - }, - "versionRange": { - "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", - "type": "string", - "minLength": 1, - "maxLength": 4096, - "examples": [ - "vers:cargo/9.0.14", - "vers:npm/1.2.3|>=2.0.0|<5.0.0", - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" - ] - }, - "copyrightText": { - "type": "string", - "title": "Component Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "examples": [ - "Acme Inc" - ] - }, - "copyright": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" - }, - "title": "Copyright", - "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." 
- }, - "copyrightObject": { - "type": "object", - "title": "Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "required": [ - "text" - ], - "additionalProperties": false, - "properties": { - "text": { - "type": "string", - "title": "Copyright Text", - "description": "The textual content of the copyright." } } }, - "swid": { + "organizationalContact": { "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], + "title": "Organizational Contact", "additionalProperties": false, "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." + "description": "The name of a contact", + "examples": [ + "Contact name" + ] }, - "version": { + "email": { "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." - }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": [ + "firstname.lastname@example.com" + ] }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." 
- }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { + "phone": { "type": "string", - "title": "URL", - "description": "The URL to the SWID file.", - "format": "iri-reference" + "title": "Phone", + "description": "The phone number of the contact.", + "examples": [ + "800-555-1212" + ] } } }, - "componentEvidence": { + "organizationalEntityOrContact": {}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + }, + "property": { "type": "object", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", - "additionalProperties": false, + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "required": [ + "name" + ], "properties": { - "identity": { - "type": "array", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" - } + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." }, - "occurrences": { - "type": "array", - "title": "Occurrences", - "description": "Evidence of individual instances of a component spread across multiple locations.", - "items": { + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + }, + "additionalProperties": false + }, + "extensibleProperties": { + "type": "object", + "title": "Extensible Properties", + "patternProperties": { + "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { + "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. 
This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", + "examples": [ + "ext::", + "ext:example.org:myExtension" + ], + "if": { + "type": [ + "object", + "array" + ] + }, + "then": { "type": "object", "required": [ - "location" + "$schema" ], - "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "location": { - "type": "string", - "title": "Location", - "description": "The location or path to where the component was found." - }, - "line": { - "type": "integer", - "minimum": 0, - "title": "Line Number", - "description": "The line number where the component was found." - }, - "offset": { - "type": "integer", - "minimum": 0, - "title": "Offset", - "description": "The offset where the component was found." - }, - "symbol": { - "type": "string", - "title": "Symbol", - "description": "The symbol name that was found associated with the component." - }, - "additionalContext": { + "$schema": { "type": "string", - "title": "Additional Context", - "description": "Any additional context of the detected component (e.g. a code snippet)." + "format": "uri" } } + }, + "else": { + "type": [ + "string", + "number", + "boolean", + "null" + ] } + } + } + }, + "baseObject": { + "description": "Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" + } + ], + "properties": { + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "callstack": { - "type": "object", - "title": "Call Stack", - "description": "Evidence of the components use through the callstack.", + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", + "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." + }, + "ordinalVersion": { + "title": "Ordinal Version", + "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.", + "type": "string", + "pattern": "^\\d+(\\.\\d+)*$", + "examples": [ + "1", + "1.2", + "1.2.3", + "2025.09.02", + "10.4.7.3" + ] + }, + "lifecycle": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + }, + { + "title": "Custom Lifecycle Phase", + "required": [ + "name" + ], "additionalProperties": false, "properties": { - "frames": { - "type": "array", - "title": "Frames", - "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", - "items": { - "type": "object", - "required": [ - "module" - ], - "additionalProperties": false, - "properties": { - "package": { - "title": "Package", - "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", - "type": "string" - }, - "module": { - "title": "Module", - "description": "A module or class that encloses functions/methods and other code.", - "type": "string" - }, - "function": { - "title": "Function", - "description": "A block of code designed to perform a particular task.", - "type": "string" - }, - "parameters": { - "title": "Parameters", - "description": "Arguments that are passed to the module or function.", - "type": "array", - "items": { - "type": "string" - } - }, - "line": { - "title": "Line", - "description": "The line number the code that is called resides on.", - "type": "integer" - }, - "column": { - "title": "Column", - "description": "The column the code that is called resides.", - "type": "integer" - }, - "fullFilename": { - "title": "Full Filename", - "description": "The full path and filename of the module.", - "type": "string" - } - } - } + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" } } - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "License Evidence" - }, - "copyright": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" } + ] + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. 
Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" } }, - "componentIdentityEvidence": { - "type": "object", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component.", + "preDefinedLifecyclePhase": { + "title": "Pre-Defined Phase", "required": [ - "field" + "phase" ], "additionalProperties": false, "properties": { - "field": { + "phase": { "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", "enum": [ - "group", - "name", - "version", - "purl", - "cpe", - "omniborId", - "swhid", - "swid", - "hash" + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. 
This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" }, - "concludedValue": { + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "message": { "type": "string", - "title": "Concluded Value", - "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." }, - "methods": { - "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique", - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ] - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } - } + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" }, - "tools": { + "resolves": { "type": "array", - "uniqueItems": true, "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + "title": "Resolves", + "description": "A collection of issues the patch resolves" } } }, - "componentData": { + "diff": { "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff", "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", "required": [ "type" ], + "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, "type": { "type": "string", - "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.", "enum": [ - "source-code", - "configuration", - "dataset", - "definition", - "other" + "defect", + "enhancement", + "security" ], "meta:enum": { - "source-code": "Any type of code, code snippet, or data-as-code.", - "configuration": "Parameters or settings that may be used by other components.", - "dataset": "A collection of data.", - "definition": "Data that can be used to create new instances of what the definition defines.", - "other": "Any other type of data that does not fit into existing definitions." - } + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" }, "name": { - "title": "Dataset Name", - "description": "The name of the dataset.", - "type": "string" + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" }, - "contents": { + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", + "title": "Source", + "description": "The source of the issue where it is documented", "additionalProperties": false, "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { + "name": { "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": 
"iri-reference" + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] }, - "properties": { - "type": "array", - "title": "Configuration Properties", - "description": "Provides the ability to document name-value parameters used for configuration.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" } } }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "sensitiveData": { + "references": { "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data in a dataset.", "items": { - "type": "string" - } - }, - "graphics": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" }, - "description": { - "title": "Dataset Description", - "description": "A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", - "type": "string" + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" } } + }, + "locale": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "signature": { + "$ref": "../jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, - "cyclonedx-composition-2.0": { + "cyclonedx-component-2.0": { "type": "null", - "title": "CycloneDX Composition Model", + "title": "CycloneDX Component Model", "$defs": { - "compositions": { + "components": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" }, "uniqueItems": true, - "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." 
+ "title": "Components" }, - "composition": { + "component": { "type": "object", - "title": "Compositions", + "title": "Component", "required": [ - "aggregate" + "type", + "name" ], "additionalProperties": false, "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. 
installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": [ + "library" + ] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. 
When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": [ + "image/jpeg" + ], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "aggregate": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", - "title": "Aggregate", - "description": "Specifies an aggregate type that describes how complete a relationship is." + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "assemblies": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." 
+ "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "dependencies": { + "authors": { "type": "array", - "uniqueItems": true, + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": [ + "Acme Inc" + ] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": [ + "com.acme" + ] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": [ + "tomcat-catalina" + ] + }, + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." 
+ }, + "versionRange": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", "items": { - "type": "string", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - 
"cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "other": "Another certification", - "unknown": "The certification level is not known" - } - } - }, - "mode": { - "type": "string", - "title": "Mode", - "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", - "enum": [ - "cbc", - "ecb", - "ccm", - "gcm", - "cfb", - "ofb", - "ctr", - "other", - "unknown" - ], - "meta:enum": { - "cbc": "Cipher block chaining", - "ecb": "Electronic codebook", - "ccm": "Counter with cipher block chaining message authentication code", - "gcm": "Galois/counter", - "cfb": "Cipher feedback", - "ofb": "Output feedback", - "ctr": "Counter", - "other": "Another mode of operation", - "unknown": "The mode of operation is not known" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" } }, - "padding": { + "notes": { "type": "string", - "title": "Padding", - "description": "The padding scheme that is used for the cryptographic algorithm.", - "enum": [ - "pkcs5", - "pkcs7", - "pkcs1v15", - "oaep", - "raw", - "other", - "unknown" - ], - "meta:enum": { - "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", - "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", - "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", - "oaep": "Optimal asymmetric encryption padding", - "raw": "Raw", - "other": "Another padding scheme", - "unknown": "The padding scheme is not known" - } - }, - "cryptoFunctions": { - "type": "array", - "title": "Cryptographic functions", - 
"description": "The cryptographic functions implemented by the cryptographic algorithm.", - "items": { - "type": "string", - "enum": [ - "generate", - "keygen", - "encrypt", - "decrypt", - "digest", - "tag", - "keyderive", - "sign", - "verify", - "encapsulate", - "decapsulate", - "other", - "unknown" - ] - } - }, - "classicalSecurityLevel": { - "type": "integer", - "title": "classical security level", - "description": "The classical security level that a cryptographic algorithm provides (in bits).", - "minimum": 0 - }, - "nistQuantumSecurityLevel": { - "type": "integer", - "title": "NIST security strength category", - "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", - "minimum": 0, - "maximum": 6 + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." } } }, - "certificateProperties": { - "type": "object", - "title": "Certificate Properties", - "description": "Properties for cryptographic assets of asset type 'certificate'.", - "additionalProperties": false, - "properties": { - "serialNumber": { - "type": "string", - "title": "Serial Number", - "description": "The serial number is a unique identifier for the certificate issued by a CA." - }, - "subjectName": { - "type": "string", - "title": "Subject Name", - "description": "The subject name for the certificate." - }, - "issuerName": { - "type": "string", - "title": "Issuer Name", - "description": "The issuer name for the certificate." - }, - "notValidBefore": { - "type": "string", - "format": "date-time", - "title": "Not Valid Before", - "description": "The date and time according to ISO-8601 standard from which the certificate is valid." 
- }, - "notValidAfter": { - "type": "string", - "format": "date-time", - "title": "Not Valid After", - "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." - }, - "certificateFormat": { - "type": "string", - "title": "Certificate Format", - "description": "The format of the certificate.", - "examples": [ - "X.509", - "PEM", - "DER", - "CVC" - ] - }, - "certificateFileExtension": { - "type": "string", - "title": "Certificate File Extension", - "description": "The file extension of the certificate.", - "examples": [ - "crt", - "pem", - "cer", - "der", - "p12" - ] - }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", - "title": "Certificate Fingerprint", - "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." - }, - "certificateState": { - "type": "array", - "title": "Certificate Lifecycle State", - "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.", - "items": { - "type": "object", - "title": "State", - "description": "The state of the certificate.", - "oneOf": [ - { - "title": "Pre-Defined State", - "required": [ - "state" - ], - "additionalProperties": false, - "properties": { - "state": { - "type": "string", - "title": "State", - "description": "A pre-defined state in the certificate lifecycle.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "revoked", - "destroyed" - ], - "meta:enum": { - "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", - "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", - "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", - "suspended": "The use of a certificate may be suspended for several possible reasons.", - "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", - "destroyed": "The certificate has been destroyed." - } - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." - } - } - }, + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." 
+ }, + "evidence": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "modelCard": { + "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + }, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", + "title": "Cryptographic Properties" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": [ + "version", + "versionRange" + ] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { + "isExternal": { + "const": false + } + } + }, + "then": { + "not": { + "required": [ + "versionRange" + ] + } + }, + "else": true + } + ] + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "copyrightText": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": [ + "Acme Inc" + ] + }, + "copyright": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" + }, + "title": "Copyright", + "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." 
+ }, + "copyrightObject": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "type": "array", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" + } + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ + "location" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." 
+ }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." + } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + 
"description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ + "field" + ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", + "name", + "version", + "purl", + "cpe", + "omniborId", + "swhid", + "swid", + "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." 
+ }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique", + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { + "$ref": 
"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + } + } + }, + "cyclonedx-composition-2.0": { + "type": "null", + "title": "CycloneDX Composition Model", + "$defs": { + "compositions": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + }, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "composition": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." 
+ }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.",
+ "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.",
+ "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.",
+ "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
+ "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
+ "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.",
+ "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
+ "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
+ "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.",
+ "not_specified": "The relationship completeness is not specified."
+ }
+ }
+ }
+ },
+ "cyclonedx-cryptography-2.0": {
+ "type": "null",
+ "title": "CycloneDX Cryptography Model",
+ "$defs": {
+ "cryptoProperties": {
+ "type": "object",
+ "title": "Cryptographic Properties",
+ "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.",
+ "additionalProperties": false,
+ "required": [
+ "assetType"
+ ],
+ "properties": {
+ "assetType": {
+ "type": "string",
+ "title": "Asset Type",
+ "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.",
+ "enum": [
+ "algorithm",
+ "certificate",
+ "protocol",
+ "related-crypto-material"
+ ],
+ "meta:enum": {
+ "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.",
+ "certificate": "An electronic document that is used to provide the identity or validate a public key.",
+ "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.",
+ "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."
+ }
+ },
+ "algorithmProperties": {
+ "type": "object",
+ "title": "Algorithm Properties",
+ "description": "Additional properties specific to a cryptographic algorithm.",
+ "additionalProperties": false,
+ "properties": {
+ "primitive": {
+ "type": "string",
+ "title": "primitive",
+ "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).",
+ "enum": [
+ "drbg",
+ "mac",
+ "block-cipher",
+ "stream-cipher",
+ "signature",
+ "hash",
+ "pke",
+ "xof",
+ "kdf",
+ "key-agree",
+ "kem",
+ "ae",
+ "combiner",
+ "key-wrap",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.",
+ "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.",
+ "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. 
Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.",
+ "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).",
+ "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.",
+ "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.",
+ "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.",
+ "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.",
+ "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.",
+ "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.",
+ "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
+ "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. 
It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
+ "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
+ "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.",
+ "other": "Another primitive type.",
+ "unknown": "The primitive is not known."
+ }
+ },
+ "algorithmFamily": {
+ "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum",
+ "title": "Algorithm Family",
+ "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.",
+ "examples": [
+ "3DES",
+ "Blowfish",
+ "ECDH"
+ ]
+ },
+ "parameterSetIdentifier": {
+ "type": "string",
+ "title": "Parameter Set Identifier",
+ "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."
+ },
+ "ellipticCurve": {
+ "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum",
+ "title": "Elliptic Curve",
+ "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."
+ },
+ "executionEnvironment": {
+ "type": "string",
+ "title": "Execution Environment",
+ "description": "The target and execution environment in which the algorithm is implemented in.",
+ "enum": [
+ "software-plain-ram",
+ "software-encrypted-ram",
+ "software-tee",
+ "hardware",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "software-plain-ram": "A software implementation running in plain unencrypted RAM.",
+ "software-encrypted-ram": "A software implementation running in encrypted RAM.",
+ "software-tee": "A software implementation running in a trusted execution environment.",
+ "hardware": "A hardware implementation.",
+ "other": "Another implementation environment.",
+ "unknown": "The execution environment is not known."
+ }
+ },
+ "implementationPlatform": {
+ "type": "string",
+ "title": "Implementation platform",
+ "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
+ "enum": [
+ "generic",
+ "x86_32",
+ "x86_64",
+ "armv7-a",
+ "armv7-m",
+ "armv8-a",
+ "armv8-m",
+ "armv9-a",
+ "armv9-m",
+ "s390x",
+ "ppc64",
+ "ppc64le",
+ "other",
+ "unknown"
+ ]
+ },
+ "certificationLevel": {
+ "type": "array",
+ "title": "Certification Level",
+ "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).",
+ "items": {
+ "type": "string",
+ "enum": [
+ "none",
+ "fips140-1-l1",
+ "fips140-1-l2",
+ "fips140-1-l3",
+ "fips140-1-l4",
+ "fips140-2-l1",
+ "fips140-2-l2",
+ "fips140-2-l3",
+ "fips140-2-l4",
+ "fips140-3-l1",
+ "fips140-3-l2",
+ "fips140-3-l3",
+ "fips140-3-l4",
+ "cc-eal1",
+ "cc-eal1+",
+ "cc-eal2",
+ "cc-eal2+",
+ "cc-eal3",
+ "cc-eal3+",
+ "cc-eal4",
+ "cc-eal4+",
+ "cc-eal5",
+ "cc-eal5+",
+ "cc-eal6",
+ "cc-eal6+",
+ "cc-eal7",
+ "cc-eal7+",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "none": "No certification obtained",
+ "fips140-1-l1": "FIPS 140-1 Level 1",
+ "fips140-1-l2": "FIPS 140-1 Level 2",
+ "fips140-1-l3": "FIPS 140-1 Level 3",
+ "fips140-1-l4": "FIPS 140-1 Level 4",
+ "fips140-2-l1": "FIPS 140-2 Level 1",
+ "fips140-2-l2": "FIPS 140-2 Level 2",
+ "fips140-2-l3": "FIPS 140-2 Level 3",
+ "fips140-2-l4": "FIPS 140-2 Level 4",
+ "fips140-3-l1": "FIPS 140-3 Level 1",
+ "fips140-3-l2": "FIPS 140-3 Level 2",
+ "fips140-3-l3": "FIPS 140-3 Level 3",
+ "fips140-3-l4": "FIPS 140-3 Level 4",
+ "cc-eal1": "Common Criteria - Evaluation Assurance Level 1",
+ "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)",
+ "cc-eal2": "Common Criteria - Evaluation Assurance Level 2",
+ "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)",
+ "cc-eal3": "Common Criteria - Evaluation Assurance Level 3",
+ "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)",
+ "cc-eal4": "Common Criteria - Evaluation Assurance Level 4",
+ "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)",
+ "cc-eal5": "Common Criteria - Evaluation Assurance Level 5",
+ "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)",
+ "cc-eal6": "Common Criteria - Evaluation Assurance Level 6",
+ "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)",
+ "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7",
+ "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)",
+ "other": "Another certification",
+ "unknown": "The certification level is not known"
+ }
+ }
+ },
+ "mode": {
+ "type": "string",
+ "title": "Mode",
+ "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.",
+ "enum": [
+ "cbc",
+ "ecb",
+ "ccm",
+ "gcm",
+ "cfb",
+ "ofb",
+ "ctr",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "cbc": "Cipher block chaining",
+ "ecb": "Electronic codebook",
+ "ccm": "Counter with cipher block chaining message authentication code",
+ "gcm": "Galois/counter",
+ "cfb": "Cipher feedback",
+ "ofb": "Output feedback",
+ "ctr": "Counter",
+ "other": "Another mode of operation",
+ "unknown": "The mode of operation is not known"
+ }
+ },
+ "padding": {
+ "type": "string",
+ "title": "Padding",
+ "description": "The padding scheme that is used for the cryptographic algorithm.",
+ "enum": [
+ "pkcs5",
+ "pkcs7",
+ "pkcs1v15",
+ "oaep",
+ "raw",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography",
+ "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax",
+ "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5",
+ "oaep": "Optimal asymmetric encryption padding",
+ "raw": "Raw",
+ "other": "Another padding scheme",
+ "unknown": "The padding scheme is not known"
+ }
+ },
+ "cryptoFunctions": {
+ "type": "array",
+ "title": "Cryptographic functions",
+ "description": "The cryptographic functions implemented by the cryptographic algorithm.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "generate",
+ "keygen",
+ "encrypt",
+ "decrypt",
+ "digest",
+ "tag",
+ "keyderive",
+ "sign",
+ "verify",
+ "encapsulate",
+ "decapsulate",
+ "other",
+ "unknown"
+ ]
+ }
+ },
+ "classicalSecurityLevel": {
+ "type": "integer",
+ "title": "classical security level",
+ "description": "The 
classical security level that a cryptographic algorithm provides (in bits).",
+ "minimum": 0
+ },
+ "nistQuantumSecurityLevel": {
+ "type": "integer",
+ "title": "NIST security strength category",
+ "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
+ "minimum": 0,
+ "maximum": 6
+ }
+ }
+ },
+ "certificateProperties": {
+ "type": "object",
+ "title": "Certificate Properties",
+ "description": "Properties for cryptographic assets of asset type 'certificate'.",
+ "additionalProperties": false,
+ "properties": {
+ "serialNumber": {
+ "type": "string",
+ "title": "Serial Number",
+ "description": "The serial number is a unique identifier for the certificate issued by a CA."
+ },
+ "subjectName": {
+ "type": "string",
+ "title": "Subject Name",
+ "description": "The subject name for the certificate."
+ },
+ "issuerName": {
+ "type": "string",
+ "title": "Issuer Name",
+ "description": "The issuer name for the certificate."
+ },
+ "notValidBefore": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid Before",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is valid."
+ },
+ "notValidAfter": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid After",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore."
+ },
+ "certificateFormat": {
+ "type": "string",
+ "title": "Certificate Format",
+ "description": "The format of the certificate.",
+ "examples": [
+ "X.509",
+ "PEM",
+ "DER",
+ "CVC"
+ ]
+ },
+ "certificateFileExtension": {
+ "type": "string",
+ "title": "Certificate File Extension",
+ "description": "The file extension of the certificate.",
+ "examples": [
+ "crt",
+ "pem",
+ "cer",
+ "der",
+ "p12"
+ ]
+ },
+ "fingerprint": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash",
+ "title": "Certificate Fingerprint",
+ "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature."
+ },
+ "certificateState": {
+ "type": "array",
+ "title": "Certificate Lifecycle State",
+ "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages.",
+ "items": {
+ "type": "object",
+ "title": "State",
+ "description": "The state of the certificate.",
+ "oneOf": [
+ {
+ "title": "Pre-Defined State",
+ "required": [
+ "state"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "type": "string",
+ "title": "State",
+ "description": "A pre-defined state in the certificate lifecycle.",
+ "enum": [
+ "pre-activation",
+ "active",
+ "suspended",
+ "deactivated",
+ "revoked",
+ "destroyed"
+ ],
+ "meta:enum": {
+ "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.",
+ "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.",
+ "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.",
+ "suspended": "The use of a certificate may be suspended for several possible reasons.",
+ "revoked": 
"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.",
+ "destroyed": "The certificate has been destroyed."
+ }
+ },
+ "reason": {
+ "type": "string",
+ "title": "Reason",
+ "description": "A reason for the certificate being in this state."
+ }
+ }
+ },
 {
 "title": "Custom State",
 "required": [
@@ -3002,3397 +4373,5590 @@
 }
 }
 }
- ]
+ ]
+ }
+ },
+ "creationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Creation Date",
+ "description": "The date and time (timestamp) when the certificate was created or pre-activated."
+ },
+ "activationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Activation Date",
+ "description": "The date and time (timestamp) when the certificate was activated."
+ },
+ "deactivationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Deactivation Date",
+ "description": "The date and time (timestamp) when the related certificate was deactivated."
+ },
+ "revocationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Revocation Date",
+ "description": "The date and time (timestamp) when the certificate was revoked."
+ },
+ "destructionDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Destruction Date",
+ "description": "The date and time (timestamp) when the certificate was destroyed."
+ },
+ "certificateExtensions": {
+ "type": "array",
+ "title": "Certificate Extensions",
+ "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.",
+ "items": {
+ "type": "object",
+ "title": "Extension",
+ "description": "",
+ "oneOf": [
+ {
+ "title": "Common Extensions",
+ "required": [
+ "commonExtensionName",
+ "commonExtensionValue"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "commonExtensionName": {
+ "type": "string",
+ "title": "name",
+ "description": "The name of the extension.",
+ "enum": [
+ "basicConstraints",
+ "keyUsage",
+ "extendedKeyUsage",
+ "subjectAlternativeName",
+ "authorityKeyIdentifier",
+ "subjectKeyIdentifier",
+ "authorityInformationAccess",
+ "certificatePolicies",
+ "crlDistributionPoints",
+ "signedCertificateTimestamp"
+ ],
+ "meta:enum": {
+ "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
+ "keyUsage": "Specifies the allowed uses of the public key in the certificate.",
+ "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
+ "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
+ "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
+ "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
+ "authorityInformationAccess": "Contains CA issuers and OCSP information.",
+ "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
+ "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
+ "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."
+ }
+ },
+ "commonExtensionValue": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the certificate extension."
+ }
+ }
+ },
+ {
+ "title": "Custom Extensions",
+ "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.",
+ "required": [
+ "customExtensionName"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "customExtensionName": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name for the custom certificate extension."
+ },
+ "customExtensionValue": {
+ "type": "string",
+ "title": "Value",
+ "description": "The description of the custom certificate extension."
+ }
+ }
+ }
+ ]
+ }
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
+ }
+ }
+ },
+ "relatedCryptoMaterialProperties": {
+ "type": "object",
+ "title": "Related Cryptographic Material Properties",
+ "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "relatedCryptoMaterialType",
+ "description": "The type for the related cryptographic material.",
+ "enum": [
+ "private-key",
+ "public-key",
+ "secret-key",
+ "key",
+ "ciphertext",
+ "signature",
+ "digest",
+ "initialization-vector",
+ "nonce",
+ "seed",
+ "salt",
+ "shared-secret",
+ "tag",
+ "additional-data",
+ "password",
+ "credential",
+ "token",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "private-key": "The confidential key of a key pair used in asymmetric cryptography.",
+ "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.",
+ "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.",
+ "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.",
+ 
"ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).",
+ "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.",
+ "digest": "The output of the hash function.",
+ "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.",
+ "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.",
+ "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.",
+ "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.",
+ "shared-secret": "A piece of data known only to the parties involved, in a secure communication.",
+ "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.",
+ "additional-data": "An unspecified collection of data with relevance to cryptographic activity.",
+ "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.",
+ "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.",
+ "token": "An object encapsulating a security identity.",
+ "other": "Another type of cryptographic asset.",
+ "unknown": "The type of cryptographic asset is not known."
+ }
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The unique identifier for the related cryptographic material."
+ },
+ "state": {
+ "type": "string",
+ "title": "State",
+ "description": "The key state as defined by NIST SP 800-57.",
+ "enum": [
+ "pre-activation",
+ "active",
+ "suspended",
+ "deactivated",
+ "compromised",
+ "destroyed"
+ ]
+ },
+ "creationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Creation Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was created."
+ },
+ "activationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Activation Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was activated."
+ },
+ "updateDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Update Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was updated."
+ },
+ "expirationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expiration Date",
+ "description": "The date and time (timestamp) when the related cryptographic material expires."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The associated value of the cryptographic material."
+ },
+ "size": {
+ "type": "integer",
+ "title": "Size",
+ "description": "The size of the cryptographic asset (in bits)."
+ },
+ "format": {
+ "type": "string",
+ "title": "Format",
+ "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)."
+ },
+ "securedBy": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy",
+ "title": "Secured By",
+ "description": "The mechanism by which the cryptographic asset is secured by."
+ },
+ "fingerprint": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash",
+ "title": "Fingerprint",
+ "description": "The fingerprint is a cryptographic hash of the asset."
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
+ }
+ }
+ },
+ "protocolProperties": {
+ "type": "object",
+ "title": "Protocol Properties",
+ "description": "Properties specific to cryptographic assets of type: `protocol`.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "The concrete protocol type.",
+ "enum": [
+ "tls",
+ "ssh",
+ "ipsec",
+ "ike",
+ "sstp",
+ "wpa",
+ "dtls",
+ "quic",
+ "eap-aka",
+ "eap-aka-prime",
+ "prins",
+ "5g-aka",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "tls": "Transport Layer Security",
+ "ssh": "Secure Shell",
+ "ipsec": "Internet Protocol Security",
+ "ike": "Internet Key Exchange",
+ "sstp": "Secure Socket Tunneling Protocol",
+ "wpa": "Wi-Fi Protected Access",
+ "dtls": "Datagram Transport Layer Security",
+ "quic": "Quick UDP Internet Connections",
+ "eap-aka": "Extensible Authentication Protocol variant",
+ "eap-aka-prime": "Enhanced version of EAP-AKA",
+ "prins": "Protection of Inter-Network Signaling",
+ "5g-aka": "Authentication and Key Agreement for 5G",
+ "other": "Another protocol type",
+ "unknown": "The protocol type is not known"
+ }
+ },
+ "version": {
+ "type": "string",
+ "title": "Protocol Version",
+ "description": "The version of the protocol.",
+ "examples": [
+ "1.0",
+ "1.2",
+ "1.99"
+ ]
+ },
+ "cipherSuites": {
+ "type": "array",
+ "title": "Cipher Suites",
+ "description": "A list of cipher suites related to the protocol.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite",
+ "title": "Cipher Suite"
+ }
+ },
+ "ikev2TransformTypes": {
+ "type": "object",
+ "title": "IKEv2 Transform Types",
+ "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.",
+ "additionalProperties": false,
+ "properties": {
+ "encr": 
{
+ "type": "array",
+ "title": "Encryption Algorithms (ENCR)",
+ "description": "Transform Type 1: encryption algorithms.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc",
+ "title": "Encryption Algorithm (ENCR)"
+ }
+ },
+ "prf": {
+ "type": "array",
+ "title": "Pseudorandom Functions (PRF)",
+ "description": "Transform Type 2: pseudorandom functions.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf",
+ "title": "Pseudorandom Function (PRF)"
+ }
+ },
+ "integ": {
+ "type": "array",
+ "title": "Integrity Algorithms (INTEG)",
+ "description": "Transform Type 3: integrity algorithms.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ",
+ "title": "Integrity Algorithm (INTEG)"
+ }
+ },
+ "ke": {
+ "type": "array",
+ "title": "Key Exchange Methods (KE)",
+ "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"
+ }
+ },
+ "esn": {
+ "type": "boolean",
+ "title": "Extended Sequence Number (ESN)",
+ "description": "Specifies if an Extended Sequence Number (ESN) is used."
+ },
+ "auth": {
+ "type": "array",
+ "title": "IKEv2 Authentication methods",
+ "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth",
+ "title": "IKEv2 Authentication Method"
+ }
+ }
+ }
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
+ }
+ }
+ },
+ "oid": {
+ "type": "string",
+ "title": "OID",
+ "description": "The object identifier (OID) of the cryptographic asset."
+ }
+ }
+ },
+ "cipherSuite": {
+ "type": "object",
+ "title": "Cipher Suite",
+ "description": "Object representing a cipher suite.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Common Name",
+ "description": "A common name for the cipher suite.",
+ "examples": [
+ "TLS_DHE_RSA_WITH_AES_128_CCM"
+ ]
+ },
+ "algorithms": {
+ "type": "array",
+ "title": "Related Algorithms",
+ "description": "A list of algorithms related to the cipher suite.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ },
+ "identifiers": {
+ "type": "array",
+ "title": "Cipher Suite Identifiers",
+ "description": "A list of common identifiers for the cipher suite.",
+ "items": {
+ "type": "string",
+ "title": "identifier",
+ "description": "Cipher suite identifier.",
+ "examples": [
+ "0xC0",
+ "0x9E"
+ ]
+ }
+ },
+ "tlsGroups": {
+ "type": "array",
+ "title": "TLS Groups",
+ "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.",
+ "items": {
+ "type": "string",
+ "title": "Group Name",
+ "description": "The name of the TLS group.",
+ "examples": [
+ "x25519",
+ "ffdhe2048"
+ ]
+ }
+ },
+ "tlsSignatureSchemes": {
+ "type": "array",
+ "title": "TLS Signature Schemes",
+ "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.",
+ "items": {
+ "type": "string",
+ "title": "Signature Scheme",
+ "description": "The name of the TLS signature scheme.",
+ "examples": [
+ "ecdsa_secp256r1_sha256",
+ "rsa_pss_rsae_sha256",
+ "ed25519"
+ ]
+ }
+ }
+ }
+ },
+ "ikeV2Enc": {
+ "type": "object",
+ "title": "Encryption Algorithm (ENCR)",
+ "description": "Object representing an encryption algorithm (ENCR).",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the encryption method.",
+ "examples": [
+ "ENCR_AES_GCM_16"
+ ]
+ },
+ "keyLength": {
+ "type": "integer",
+ "title": "Encryption algorithm key length",
+ "description": "The key length of the encryption algorithm."
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Prf": {
+ "type": "object",
+ "title": "Pseudorandom Function (PRF)",
+ "description": "Object representing a pseudorandom function (PRF).",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the pseudorandom function.",
+ "examples": [
+ "PRF_HMAC_SHA2_256"
+ ]
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Integ": {
+ "type": "object",
+ "title": "Integrity Algorithm (INTEG)",
+ "description": "Object representing an integrity algorithm (INTEG).",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the integrity algorithm.",
+ "examples": [
+ "AUTH_HMAC_SHA2_256_128"
+ ]
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Ke": {
+ "type": "object",
+ "title": "Key Exchange Method (KE)",
+ "description": "Object representing a key exchange method (KE).",
+ "additionalProperties": false,
+ "properties": {
+ "group": {
+ "type": "integer",
+ "title": "Group Identifier",
+ "description": "A group identifier for the key exchange algorithm."
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Auth": {
+ "type": "object",
+ "title": "IKEv2 Authentication method",
+ "description": "Object representing a IKEv2 Authentication method.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the authentication method."
+ },
+ "algorithm": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "relatedCryptographicAssets": {
+ "type": "array",
+ "title": "Related Cryptographic Assets",
+ "description": "A list of cryptographic assets related to this component.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"
+ }
+ },
+ "relatedCryptographicAsset": {
+ "type": "object",
+ "title": "Related Cryptographic Asset",
+ "description": "A cryptographic assets related to this component.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "examples": [
+ "publicKey",
+ "privateKey",
+ "algorithm"
+ ]
+ },
+ "ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Reference to cryptographic asset",
+ "description": "The bom-ref to cryptographic asset."
+ }
+ }
+ },
+ "securedBy": {
+ "type": "object",
+ "title": "Secured By",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "additionalProperties": false,
+ "properties": {
+ "mechanism": {
+ "type": "string",
+ "title": "Mechanism",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "examples": [
+ "HSM",
+ "TPM",
+ "SGX",
+ "Software",
+ "None"
+ ]
+ },
+ "algorithmRef": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Algorithm Reference",
+ "description": "The bom-ref to the algorithm."
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-data-2.0": {
+ "type": "null",
+ "title": "CycloneDX Data Model",
+ "$defs": {
+ "dataClassification": {
+ "type": "string",
+ "title": "Data Classification",
+ "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
+ },
+ "dataSensitivity": {
+ "type": "string",
+ "enum": [
+ "public",
+ "internal",
+ "confidential",
+ "restricted",
+ "secret"
+ ],
+ "description": "Data sensitivity classification",
+ "meta:enum": {
+ "public": "Public information that can be freely shared",
+ "internal": "Internal use only within the organization",
+ "confidential": "Confidential information requiring protection",
+ "restricted": "Highly restricted information with limited access",
+ "secret": "Secret information requiring special handling"
+ }
+ },
+ "dataGovernance": {
+ "type": "object",
+ "title": "Data Governance",
+ "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.",
+ "additionalProperties": false,
+ "properties": {
+ "custodians": {
+ "type": "array",
+ "title": "Data Custodians",
+ "description": "Data custodians are responsible for the safe custody, transport, and storage of data.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
+ }
+ },
+ "stewards": {
+ "type": "array",
+ "title": "Data Stewards",
+ "description": "Data stewards are responsible for data content, context, and associated business rules.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
+ }
+ },
+ "owners": {
+ "type": "array",
+ "title": "Data Owners",
+ "description": "Data owners are concerned with risk and appropriate access to data.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
+ }
+ }
+ }
+ },
+ "dataGovernanceResponsibleParty": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Organization",
+ "description": "The organization that is responsible for specific data governance role(s).",
+ "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "contact": {
+ "title": "Individual",
+ "description": "The individual that is responsible for specific data governance role(s).",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "organization"
+ ]
+ },
+ {
+ "required": [
+ "contact"
+ ]
+ }
+ ]
+ },
+ "dataFlowDirection": {
+ "type": "string",
+ "enum": [
+ "inbound",
+ "outbound",
+ "bi-directional",
+ "unknown"
+ ],
+ "meta:enum": {
+ "inbound": "Data that enters a service.",
+ "outbound": "Data that exits a service.",
+ "bi-directional": "Data flows in and out of the service.",
+ "unknown": "The directional flow of data is not known."
+ },
+ "title": "Data flow direction",
+ "description": "Specifies the flow direction of the data. Direction is relative to the service."
+ }
+ }
+ },
+ "cyclonedx-declaration-2.0": {
+ "type": "null",
+ "title": "CycloneDX Declaration Model",
+ "$defs": {
+ "declarations": {
+ "type": "object",
+ "title": "Declarations",
+ "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.",
+ "additionalProperties": false,
+ "properties": {
+ "assessors": {
+ "type": "array",
+ "title": "Assessors",
+ "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.",
+ "items": {
+ "type": "object",
+ "title": "Assessor",
+ "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "thirdParty": {
+ "type": "boolean",
+ "title": "Third Party",
+ "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."
+ },
+ "organization": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity",
+ "title": "Organization",
+ "description": "The entity issuing the assessment."
+ }
+ }
+ }
+ },
+ "attestations": {
+ "type": "array",
+ "title": "Attestations",
+ "description": "The list of attestations asserted by an assessor that maps requirements to claims.",
+ "items": {
+ "type": "object",
+ "title": "Attestation",
+ "additionalProperties": false,
+ "properties": {
+ "summary": {
+ "type": "string",
+ "title": "Summary",
+ "description": "The short description explaining the main points of the attestation."
+ },
+ "assessor": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Assessor",
+ "description": "The `bom-ref` to the assessor asserting the attestation."
+ },
+ "map": {
+ "type": "array",
+ "title": "Map",
+ "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.",
+ "items": {
+ "type": "object",
+ "title": "Map",
+ "additionalProperties": false,
+ "properties": {
+ "requirement": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Requirement",
+ "description": "The `bom-ref` to the requirement being attested to."
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of `bom-ref` to the claims being attested to.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "counterClaims": {
+ "type": "array",
+ "title": "Counter Claims",
+ "description": "The list of `bom-ref` to the counter claims being attested to.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "conformance": {
+ "type": "object",
+ "title": "Conformance",
+ "description": "The conformance of the claim meeting a requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the conformance score."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ }
+ }
+ },
+ "confidence": {
+ "type": "object",
+ "title": "Confidence",
+ "description": "The confidence of the claim meeting the requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the confidence score."
+ }
+ }
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of claims.",
+ "items": {
+ "type": "object",
+ "title": "Claim",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "target": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Target",
+ "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."
+ },
+ "predicate": {
+ "type": "string",
+ "title": "Predicate",
+ "description": "The specific statement or assertion about the target."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "reasoning": {
+ "type": "string",
+ "title": "Reasoning",
+ "description": "The written explanation of why the evidence provided substantiates the claim."
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of `bom-ref` to evidence that supports this claim.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "counterEvidence": {
+ "type": "array",
+ "title": "Counter Evidence",
+ "description": "The list of `bom-ref` to counterEvidence that supports this claim.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of evidence",
+ "items": {
+ "type": "object",
+ "title": "Evidence",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "propertyName": {
+ "type": "string",
+ "title": "Property Name",
+ "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The written description of what this evidence is and how it was created."
+ },
+ "data": {
+ "type": "array",
+ "title": "Data",
+ "description": "The output or analysis that supports claims.",
+ "items": {
+ "type": "object",
+ "title": "Data",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "title": "Data Name",
+ "description": "The name of the data.",
+ "type": "string"
+ },
+ "contents": {
+ "type": "object",
+ "title": "Data Contents",
+ "description": "The contents or references to the contents of the data being described.",
+ "additionalProperties": false,
+ "properties": {
+ "attachment": {
+ "title": "Data Attachment",
+ "description": "A way to include textual or encoded data.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "Data URL",
+ "description": "The URL to where the data can be retrieved.",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "classification": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification"
+ },
+ "sensitiveData": {
+ "type": "array",
+ "title": "Sensitive Data",
+ "description": "A description of any sensitive data included.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "governance": {
+ "title": "Data Governance",
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"
+ }
+ }
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the evidence was created."
+ },
+ "expires": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expires",
+ "description": "The date and time (timestamp) when the evidence is no longer valid."
+ },
+ "author": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact",
+ "title": "Author",
+ "description": "The author of the evidence."
+ },
+ "reviewer": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact",
+ "title": "Reviewer",
+ "description": "The reviewer of the evidence."
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "targets": {
+ "type": "object",
+ "title": "Targets",
+ "description": "The list of targets which claims are made against.",
+ "additionalProperties": false,
+ "properties": {
+ "organizations": {
+ "type": "array",
+ "title": "Organizations",
+ "description": "The list of organizations which claims are made against.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
 }
 },
- "creationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Creation Date",
- "description": "The date and time (timestamp) when the certificate was created or pre-activated."
- },
- "activationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Activation Date",
- "description": "The date and time (timestamp) when the certificate was activated."
- },
- "deactivationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Deactivation Date",
- "description": "The date and time (timestamp) when the related certificate was deactivated."
- },
- "revocationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Revocation Date",
- "description": "The date and time (timestamp) when the certificate was revoked."
+ "components": {
+ "type": "array",
+ "title": "Components",
+ "description": "The list of components which claims are made against.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
+ }
 },
- "destructionDate": {
+ "services": {
+ "type": "array",
+ "title": "Services",
+ "description": "The list of services which claims are made against.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service"
+ }
+ }
+ }
+ },
+ "affirmation": {
+ "type": "object",
+ "title": "Affirmation",
+ "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.",
+ "additionalProperties": false,
+ "properties": {
+ "statement": {
 "type": "string",
- "format": "date-time",
- "title": "Destruction Date",
- "description": "The date and time (timestamp) when the certificate was destroyed."
+ "title": "Statement",
+ "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.",
+ "examples": [
+ "I certify, to the best of my knowledge, that all information is correct."
+ ]
 },
- "certificateExtensions": {
+ "signatories": {
 "type": "array",
- "title": "Certificate Extensions",
- "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.",
+ "title": "Signatories",
+ "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.",
 "items": {
 "type": "object",
- "title": "Extension",
- "description": "",
+ "title": "Signatory",
+ "additionalProperties": false,
 "oneOf": [
 {
- "title": "Common Extensions",
 "required": [
- "commonExtensionName",
- "commonExtensionValue"
- ],
- "additionalProperties": false,
- "properties": {
- "commonExtensionName": {
- "type": "string",
- "title": "name",
- "description": "The name of the extension.",
- "enum": [
- "basicConstraints",
- "keyUsage",
- "extendedKeyUsage",
- "subjectAlternativeName",
- "authorityKeyIdentifier",
- "subjectKeyIdentifier",
- "authorityInformationAccess",
- "certificatePolicies",
- "crlDistributionPoints",
- "signedCertificateTimestamp"
- ],
- "meta:enum": {
- "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
- "keyUsage": "Specifies the allowed uses of the public key in the certificate.",
- "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
- "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
- "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
- "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
- "authorityInformationAccess": "Contains CA issuers and OCSP information.",
- "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
- "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
- "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. 
Log ID, timestamp and signature as proof."
- }
- },
- "commonExtensionValue": {
- "type": "string",
- "title": "Value",
- "description": "The value of the certificate extension."
- }
- }
+ "signature"
+ ]
 },
 {
- "title": "Custom Extensions",
- "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.",
 "required": [
- "customExtensionName"
- ],
- "additionalProperties": false,
- "properties": {
- "customExtensionName": {
- "type": "string",
- "title": "Name",
- "description": "The name for the custom certificate extension."
- },
- "customExtensionValue": {
- "type": "string",
- "title": "Value",
- "description": "The description of the custom certificate extension."
- }
- }
+ "externalReference",
+ "organization"
+ ]
 }
- ]
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The signatory's name."
+ },
+ "role": {
+ "type": "string",
+ "title": "Role",
+ "description": "The signatory's role within an organization."
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ },
+ "organization": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity",
+ "title": "Organization",
+ "description": "The signatory's organization."
+ },
+ "externalReference": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ }
+ }
 }
 },
- "relatedCryptographicAssets": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
 }
 }
 },
- "relatedCryptoMaterialProperties": {
- "type": "object",
- "title": "Related Cryptographic Material Properties",
- "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.",
- "additionalProperties": false,
- "properties": {
- "type": {
- "type": "string",
- "title": "relatedCryptoMaterialType",
- "description": "The type for the related cryptographic material.",
- "enum": [
- "private-key",
- "public-key",
- "secret-key",
- "key",
- "ciphertext",
- "signature",
- "digest",
- "initialization-vector",
- "nonce",
- "seed",
- "salt",
- "shared-secret",
- "tag",
- "additional-data",
- "password",
- "credential",
- "token",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "private-key": "The confidential key of a key pair used in asymmetric cryptography.",
- "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.",
- "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.",
- "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.",
- "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).",
- "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.",
- "digest": "The output of the hash function.",
- "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.",
- "nonce": "A random or 
pseudo-random number that can only be used once in a cryptographic communication.",
- "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.",
- "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.",
- "shared-secret": "A piece of data known only to the parties involved, in a secure communication.",
- "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.",
- "additional-data": "An unspecified collection of data with relevance to cryptographic activity.",
- "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.",
- "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.",
- "token": "An object encapsulating a security identity.",
- "other": "Another type of cryptographic asset.",
- "unknown": "The type of cryptographic asset is not known."
- }
- },
- "id": {
- "type": "string",
- "title": "ID",
- "description": "The unique identifier for the related cryptographic material."
- },
- "state": {
- "type": "string",
- "title": "State",
- "description": "The key state as defined by NIST SP 800-57.",
- "enum": [
- "pre-activation",
- "active",
- "suspended",
- "deactivated",
- "compromised",
- "destroyed"
- ]
- },
- "creationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Creation Date",
- "description": "The date and time (timestamp) when the related cryptographic material was created."
- },
- "activationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Activation Date",
- "description": "The date and time (timestamp) when the related cryptographic material was activated."
- },
- "updateDate": {
- "type": "string",
- "format": "date-time",
- "title": "Update Date",
- "description": "The date and time (timestamp) when the related cryptographic material was updated."
- },
- "expirationDate": {
- "type": "string",
- "format": "date-time",
- "title": "Expiration Date",
- "description": "The date and time (timestamp) when the related cryptographic material expires."
- },
- "value": {
- "type": "string",
- "title": "Value",
- "description": "The associated value of the cryptographic material."
- },
- "size": {
- "type": "integer",
- "title": "Size",
- "description": "The size of the cryptographic asset (in bits)."
- },
- "format": {
- "type": "string",
- "title": "Format",
- "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)."
- },
- "securedBy": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy",
- "title": "Secured By",
- "description": "The mechanism by which the cryptographic asset is secured by."
- },
- "fingerprint": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash",
- "title": "Fingerprint",
- "description": "The fingerprint is a cryptographic hash of the asset."
- },
- "relatedCryptographicAssets": {
- "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"
- }
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-definition-2.0": {
+ "type": "null",
+ "title": "CycloneDX Definition Model",
+ "$defs": {
+ "definitions": {
+ "type": "object",
+ "title": "Definitions",
+ "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "standards": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards"
+ },
+ "patents": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-dependency-2.0": {
+ "type": "null",
+ "title": "CycloneDX Dependency Model",
+ "$defs": {
+ "dependencies": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency"
+ },
+ "uniqueItems": true,
+ "title": "Dependencies",
+ "description": "Provides the ability to document dependency relationships including provided & implemented components."
+ },
+ "dependency": {
+ "type": "object",
+ "title": "Dependency",
+ "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.",
+ "required": [
+ "ref"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Reference",
+ "description": "References a component or service by its bom-ref attribute"
+ },
+ "dependsOn": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "title": "Depends On",
+ "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
+ },
+ "provides": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ },
+ "title": "Provides",
+ "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-formulation-2.0": {
+ "type": "null",
+ "title": "CycloneDX Formulation Model",
+ "$defs": {
+ "formulation": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula"
+ },
+ "uniqueItems": true,
+ "title": "Formulation",
+ "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. 
These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": 
"Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" } }, - "protocolProperties": { - "type": "object", - "title": "Protocol Properties", - "description": "Properties specific to cryptographic assets of type: 
`protocol`.", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Type", - "description": "The concrete protocol type.", - "enum": [ - "tls", - "ssh", - "ipsec", - "ike", - "sstp", - "wpa", - "dtls", - "quic", - "eap-aka", - "eap-aka-prime", - "prins", - "5g-aka", - "other", - "unknown" - ], - "meta:enum": { - "tls": "Transport Layer Security", - "ssh": "Secure Shell", - "ipsec": "Internet Protocol Security", - "ike": "Internet Key Exchange", - "sstp": "Secure Socket Tunneling Protocol", - "wpa": "Wi-Fi Protected Access", - "dtls": "Datagram Transport Layer Security", - "quic": "Quick UDP Internet Connections", - "eap-aka": "Extensible Authentication Protocol variant", - "eap-aka-prime": "Enhanced version of EAP-AKA", - "prins": "Protection of Inter-Network Signaling", - "5g-aka": "Authentication and Key Agreement for 5G", - "other": "Another protocol type", - "unknown": "The protocol type is not known" - } - }, - "version": { - "type": "string", - "title": "Protocol Version", - "description": "The version of the protocol.", - "examples": [ - "1.0", - "1.2", - "1.99" - ] - }, - "cipherSuites": { - "type": "array", - "title": "Cipher Suites", - "description": "A list of cipher suites related to the protocol.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", - "title": "Cipher Suite" - } - }, - "ikev2TransformTypes": { - "type": "object", - "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", - "additionalProperties": false, - "properties": { - "encr": { - "type": "array", - "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", - "title": "Encryption Algorithm (ENCR)" - } - }, - "prf": { - "type": "array", - 
"title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", - "title": "Pseudorandom Function (PRF)" - } - }, - "integ": { - "type": "array", - "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", - "title": "Integrity Algorithm (INTEG)" - } - }, - "ke": { - "type": "array", - "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" - } - }, - "esn": { - "type": "boolean", - "title": "Extended Sequence Number (ESN)", - "description": "Specifies if an Extended Sequence Number (ESN) is used." - }, - "auth": { - "type": "array", - "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", - "title": "IKEv2 Authentication Method" - } - } - } - }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" - } + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" } }, - "oid": { - "type": "string", - "title": "OID", - "description": "The object identifier (OID) of the cryptographic asset." 
+ "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "cipherSuite": { + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", "type": "object", - "title": "Cipher Suite", - "description": "Object representing a cipher suite.", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], "additionalProperties": false, "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", - "title": "Common Name", - "description": "A common name for the cipher suite.", - "examples": [ - "TLS_DHE_RSA_WITH_AES_128_CCM" - ] + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" }, - "algorithms": { + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" } }, - "identifiers": { + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", "type": "array", - "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite.", "items": { - "type": "string", - "title": "identifier", - "description": "Cipher suite identifier.", - "examples": [ - "0xC0", - "0x9E" - ] + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" } }, - "tlsGroups": { + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", "type": "array", - "title": "TLS Groups", - "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", "items": { - "type": "string", - "title": "Group Name", - "description": "The name of the TLS group.", - "examples": [ - "x25519", - "ffdhe2048" - ] - } + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true }, - "tlsSignatureSchemes": { + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], "type": "array", - "title": "TLS Signature Schemes", - "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", "items": { - "type": "string", - "title": "Signature Scheme", - "description": "The name of the TLS signature scheme.", - "examples": [ - "ecdsa_secp256r1_sha256", - "rsa_pss_rsae_sha256", - "ed25519" - ] + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Enc": { + "command": { "type": "object", - "title": "Encryption Algorithm (ENCR)", - "description": "Object representing an encryption algorithm (ENCR).", "additionalProperties": false, "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the encryption method.", - "examples": [ - "ENCR_AES_GCM_16" + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": { + "type": "string" + } + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" ] }, - "keyLength": { - "type": "integer", - "title": "Encryption algorithm key length", - "description": "The key length of the encryption algorithm." 
+ "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - }, - "ikeV2Prf": { - "type": "object", - "title": "Pseudorandom Function (PRF)", - "description": "Object representing a pseudorandom function (PRF).", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the pseudorandom function.", + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", "examples": [ - "PRF_HMAC_SHA2_256" - ] + "ConfigMap", + "Secret" + ], + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": [ + "a kubernetes Persistent Volume Claim (PVC) name" + ], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": [ + "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Integ": { + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", "type": "object", - "title": "Integrity Algorithm (INTEG)", - "description": "Object representing an integrity algorithm (INTEG).", "additionalProperties": false, "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the integrity algorithm.", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", + "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", "examples": [ - "AUTH_HMAC_SHA2_256_128" - ] + "10GB", + "2Ti", + "1Pi" + ], + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - }, - "ikeV2Ke": { - "type": "object", - "title": "Key Exchange Method (KE)", - "description": "Object representing a key exchange method (KE).", - "additionalProperties": false, - "properties": { - "group": { - "type": "integer", - "title": "Group Identifier", - "description": "A group identifier for the key exchange algorithm." + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Auth": { + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", "type": "object", - "title": "IKEv2 Authentication method", - "description": "Object representing a IKEv2 Authentication method.", "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, "name": { - "type": "string", "title": "Name", - "description": "A name for the authentication method." + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
- } - } - }, - "relatedCryptographicAssets": { - "type": "array", - "title": "Related Cryptographic Assets", - "description": "A list of cryptographic assets related to this component.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" - } - }, - "relatedCryptographicAsset": { - "type": "object", - "title": "Related Cryptographic Asset", - "description": "A cryptographic assets related to this component.", - "additionalProperties": false, - "properties": { "type": { - "type": "string", "title": "Type", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", - "examples": [ - "publicKey", - "privateKey", - "algorithm" + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" ] }, - "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Reference to cryptographic asset", - "description": "The bom-ref to cryptographic asset." 
+ "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "securedBy": { + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", "type": "object", - "title": "Secured By", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", "additionalProperties": false, "properties": { - "mechanism": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": 
"string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", "type": "string", - "title": "Mechanism", - "description": "Specifies the mechanism by which the cryptographic asset is secured by.", - "examples": [ - "HSM", - "TPM", - "SGX", - "Software", - "None" - ] + "format": "date-time" }, - "algorithmRef": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm Reference", - "description": "The bom-ref to the algorithm." + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-data-2.0": { - "type": "null", - "title": "CycloneDX Data Model", - "$defs": { - "dataClassification": { - "type": "string", - "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." 
}, - "dataGovernance": { + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], "additionalProperties": false, "properties": { - "custodians": { - "type": "array", - "title": "Data Custodians", - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" }, - "stewards": { + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": 
"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "Data Stewards", - "description": "Data stewards are responsible for data content, context, and associated business rules.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" } }, - "owners": { + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "Data Owners", - "description": "Data owners are concerned with risk and appropriate access to data.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ } + ] } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "dataGovernanceResponsibleParty": { + "outputType": { "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], "additionalProperties": false, "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": [ + "a log file described as an `externalReference` within its target domain." 
+ ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ } + ] + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" } }, "oneOf": [ { "required": [ - "organization" + "ref" ] }, { "required": [ - "contact" + "externalReference" ] } ] }, - "dataFlowDirection": { + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "taskType": { "type": "string", "enum": [ - "inbound", - "outbound", - "bi-directional", - "unknown" + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" ], "meta:enum": { - "inbound": "Data that enters a service.", - "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", - "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." - } - } - }, - "cyclonedx-declaration-2.0": { - "type": "null", - "title": "CycloneDX Declaration Model", - "$defs": { - "declarations": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", "type": "object", - "title": "Declarations", - "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", "additionalProperties": false, "properties": { - "assessors": { - "type": "array", - "title": "Assessors", - "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", - "items": { - "type": "object", - "title": "Assessor", - "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
- }, - "thirdParty": { - "type": "boolean", - "title": "Third Party", - "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The entity issuing the assessment." - } - } - } + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" }, - "attestations": { - "type": "array", - "title": "Attestations", - "description": "The list of attestations asserted by an assessor that maps requirements to claims.", - "items": { - "type": "object", - "title": "Attestation", - "additionalProperties": false, - "properties": { - "summary": { - "type": "string", - "title": "Summary", - "description": "The short description explaining the main points of the attestation." - }, - "assessor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Assessor", - "description": "The `bom-ref` to the assessor asserting the attestation." - }, - "map": { - "type": "array", - "title": "Map", - "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", - "items": { - "type": "object", - "title": "Map", - "additionalProperties": false, - "properties": { - "requirement": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Requirement", - "description": "The `bom-ref` to the requirement being attested to." 
- }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of `bom-ref` to the claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterClaims": { - "type": "array", - "title": "Counter Claims", - "description": "The list of `bom-ref` to the counter claims being attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "conformance": { - "type": "object", - "title": "Conformance", - "description": "The conformance of the claim meeting a requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the conformance score." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - } - } - }, - "confidence": { - "type": "object", - "title": "Confidence", - "description": "The confidence of the claim meeting the requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the confidence score." - } - } - } - } - } - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
- } - } - } + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of claims.", - "items": { + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + } + } + }, + "cyclonedx-license-2.0": { + "type": "null", + "title": "CycloneDX License Model", + "$defs": { + "licenseChoice": { + "title": "License Choice", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "type": "array", + "items": { + "oneOf": [ + { "type": "object", - "title": "Claim", + "title": "License", + "required": [ + "license" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "target": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." - }, - "predicate": { - "type": "string", - "title": "Predicate", - "description": "The specific statement or assertion about the target." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "reasoning": { - "type": "string", - "title": "Reasoning", - "description": "The written explanation of why the evidence provided substantiates the claim." - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of `bom-ref` to evidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "counterEvidence": { - "type": "array", - "title": "Counter Evidence", - "description": "The list of `bom-ref` to counterEvidence that supports this claim.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "license": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" } } - } - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of evidence", - "items": { + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", "type": "object", - "title": "Evidence", "additionalProperties": false, + "required": [ + "expression" + ], "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
- }, - "propertyName": { - "type": "string", - "title": "Property Name", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." - }, - "description": { + "expression": { "type": "string", - "title": "Description", - "description": "The written description of what this evidence is and how it was created." + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] }, - "data": { + "expressionDetails": { + "title": "Expression Details", + "description": "Details for parts of the `expression`.", "type": "array", - "title": "Data", - "description": "The output or analysis that supports claims.", "items": { "type": "object", - "title": "Data", - "additionalProperties": false, + "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], "properties": { - "name": { - "title": "Data Name", - "description": "The name of the data.", - "type": "string" - }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" - } - } + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
}, - "sensitiveData": { - "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data included.", - "items": { - "type": "string" - } + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" } - } + }, + "additionalProperties": false } }, - "created": { - "type": "string", - "format": "date-time", - "title": "Created", - "description": "The date and time (timestamp) when the evidence was created." - }, - "expires": { - "type": "string", - "format": "date-time", - "title": "Expires", - "description": "The date and time (timestamp) when the evidence is no longer valid." + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" }, - "author": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Author", - "description": "The author of the evidence." + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "reviewer": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Reviewer", - "description": "The reviewer of the evidence." 
+ "licensing": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } } + ] + } + }, + "license": { + "type": "object", + "title": "License", + "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "oneOf": [ + { + "required": [ + "id" + ] + }, + { + "required": [ + "name" + ] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "../spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": [ + "Apache-2.0" + ] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": [ + "Acme Software License" + ] + }, + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "A way to include the textual content of a license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + }, + "licensing": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } }, - "targets": { + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", "type": "object", - "title": "Targets", - "description": "The list of targets which claims are made against.", "additionalProperties": false, "properties": { - "organizations": { - "type": "array", - "title": "Organizations", - "description": "The list of organizations which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "components": { - "type": "array", - "title": "Components", - "description": "The list of components which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - } + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - } + { + "required": [ + "individual" + ] } - } + ] }, - "affirmation": { + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", "type": "object", - "title": "Affirmation", - "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", "additionalProperties": false, "properties": { - "statement": { - "type": "string", - "title": "Statement", - "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", - "examples": [ - "I certify, to the best of my knowledge, that all information is correct." 
+ "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" ] }, - "signatories": { - "type": "array", - "title": "Signatories", - "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", - "items": { - "type": "object", - "title": "Signatory", - "additionalProperties": false, - "oneOf": [ - { - "required": [ - "signature" - ] - }, - { - "required": [ - "externalReference", - "organization" - ] - } - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The signatory's name." - }, - "role": { - "type": "string", - "title": "Role", - "description": "The signatory's role within an organization." - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The signatory's organization." 
- }, - "externalReference": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - } - } + { + "required": [ + "individual" + ] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access 
License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." } } }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
+ },
+ "expiration": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expiration",
+ "description": "The timestamp indicating when the current license expires (if applicable)."
 }
 }
 }
 }
 },
- "cyclonedx-definition-2.0": {
+ "cyclonedx-metadata-2.0": {
 "type": "null",
- "title": "CycloneDX Definition Model",
+ "title": "CycloneDX Metadata Model",
 "$defs": {
- "definitions": {
+ "metadata": {
 "type": "object",
- "title": "Definitions",
- "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.",
+ "title": "BOM Metadata",
+ "description": "Provides additional information about a BOM.",
 "additionalProperties": false,
 "properties": {
- "standards": {
- "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards"
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the BOM was created."
 },
- "patents": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents"
+ "lifecycles": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles"
+ },
+ "tools": {
+ "type": "object",
+ "title": "Tools",
+ "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "components": {
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components",
+ "description": "A list of software and hardware components used as tools."
+ },
+ "services": {
+ "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services",
+ "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+ }
+ }
+ },
+ "manufacturer": {
+ "title": "BOM Manufacturer",
+ "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. 
BOMs created through manual means may have `@.authors` instead.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "authors": {
+ "type": "array",
+ "title": "BOM Authors",
+ "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ },
+ "component": {
+ "description": "The component that the BOM describes.",
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
+ },
+ "supplier": {
+ "title": "Supplier",
+ "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "licenses": {
+ "title": "BOM License(s)",
+ "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"
+ },
+ "distributionConstraints": {
+ "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
- }
- }
- },
- "cyclonedx-dependency-2.0": {
- "type": "null",
- "title": "CycloneDX Dependency Model",
- "$defs": {
- "dependencies": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency"
- },
- "uniqueItems": true,
- "title": "Dependencies",
- "description": "Provides the ability to document dependency relationships including provided & implemented components." 
},
- "dependency": {
+ "distributionConstraints": {
+ "title": "Distribution Constraints",
+ "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
 "type": "object",
- "title": "Dependency",
- "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.",
- "required": [
- "ref"
- ],
- "additionalProperties": false,
 "properties": {
- "ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Reference",
- "description": "References a component or service by its bom-ref attribute"
- },
- "dependsOn": {
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- },
- "title": "Depends On",
- "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
- },
- "provides": {
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- },
- "title": "Provides",
- "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." 
+ "tlp": {
+ "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification",
+ "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
 }
 }
+ },
+ "tlpClassification": {
+ "title": "Traffic Light Protocol (TLP) Classification",
+ "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
+ "type": "string",
+ "default": "CLEAR",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "AMBER_AND_STRICT",
+ "RED"
+ ],
+ "meta:enum": {
+ "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
+ "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
+ "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
+ "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
+ "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." 
+ }
 }
 }
 },
- "cyclonedx-formulation-2.0": {
+ "cyclonedx-patent-2.0": {
 "type": "null",
- "title": "CycloneDX Formulation Model",
+ "title": "CycloneDX Patent Model",
 "$defs": {
- "formulation": {
+ "patents": {
 "type": "array",
+ "title": "Patents",
+ "description": "The list of either individual patents or patent families.",
 "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula"
- },
- "uniqueItems": true,
- "title": "Formulation",
- "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."
+ "anyOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent"
+ },
+ {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"
+ }
+ ]
+ }
 },
- "formula": {
- "title": "Formula",
- "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.",
+ "patent": {
 "type": "object",
+ "title": "Patent",
+ "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.",
+ "required": [
+ "patentNumber",
+ "jurisdiction",
+ "patentLegalStatus"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
 "title": "BOM Reference",
- "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
- "components": {
- "title": "Components",
- "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows",
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
- },
- "uniqueItems": true
+ "patentNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Number",
+ "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).",
+ "examples": [
+ "US987654321",
+ "EP1234567B1"
+ ]
 },
- "services": {
- "title": "Services",
- "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows",
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service"
- },
- "uniqueItems": true
+ "applicationNumber": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"
+ },
+ "jurisdiction": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"
+ },
+ "priorityApplication": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
+ },
+ "publicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Publication Number",
+ "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"
+ },
+ "title": {
+ "type": "string",
+ "title": "Patent Title",
+ "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." 
+ },
+ "abstract": {
+ "type": "string",
+ "title": "Patent Abstract",
+ "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."
+ },
+ "filingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "grantDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Grant Date",
+ "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."
+ },
+ "patentExpirationDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Expiration Date",
+ "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."
 },
- "workflows": {
- "title": "Workflows",
- "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.",
- "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.",
+ "patentLegalStatus": {
+ "type": "string",
+ "title": "Legal Status",
+ "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
+ "enum": [
+ "pending",
+ "granted",
+ "revoked",
+ "expired",
+ "lapsed",
+ "withdrawn",
+ "abandoned",
+ "suspended",
+ "reinstated",
+ "opposed",
+ "terminated",
+ "invalidated",
+ "in-force"
+ ],
+ "meta:enum": {
+ "pending": "The patent application has been filed but not yet examined or granted.",
+ "granted": "The patent application has been examined and a patent has been issued.",
+ "revoked": "The patent has been declared invalid through a legal or administrative process.",
+ "expired": "The patent has reached the end of its enforceable term.",
+ "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
+ "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
+ "abandoned": "The patent application was abandoned, often due to lack of action or response.",
+ "suspended": "Processing of the patent application has been temporarily halted.",
+ "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
+ "opposed": "The patent application or granted patent is under formal opposition proceedings.",
+ "terminated": "The patent or application has been officially terminated.",
+ "invalidated": "The patent has been invalidated, either in part or in full.",
+ "in-force": "The granted patent is active and enforceable."
+ }
+ },
+ "patentAssignee": {
 "type": "array",
+ "title": "Patent Assignees",
+ "description": "A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.",
 "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow"
- },
- "uniqueItems": true
+ "oneOf": [
+ {
+ "title": "Person",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ },
+ {
+ "title": "Organizational Entity",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ }
+ ]
+ }
 },
- "properties": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
 }
 }
 },
- "workflow": {
- "title": "Workflow",
- "description": "A specialized orchestration task.",
- "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.",
+ "patentFamily": {
 "type": "object",
+ "title": "Patent Family",
+ "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.",
 "required": [
- "bom-ref",
- "uid",
- "taskTypes"
+ "familyId"
 ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
 "title": "BOM Reference",
- "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
- },
- "uid": {
- "title": "Unique Identifier (UID)",
- "description": "The unique identifier for the resource instance within its deployment context.",
- "type": "string"
- },
- "name": {
- "title": "Name",
- "description": "The name of the resource instance.",
- "type": "string"
- },
- "description": {
- "title": "Description",
- "description": "A description of the resource instance.",
- "type": "string"
- },
- "resourceReferences": {
- "title": "Resource references",
- "description": "References to component or service resources that are used to realize the resource instance.",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"
- }
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."
 },
- "tasks": {
- "title": "Tasks",
- "description": "The tasks that comprise the workflow.",
- "$comment": "Note that tasks can appear more than once as different instances (by name or UID).",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task"
- }
+ "familyId": {
+ "type": "string",
+ "title": "Patent Family ID",
+ "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." 
},
- "taskDependencies": {
- "title": "Task dependency graph",
- "description": "The graph of dependencies between tasks within the workflow.",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency"
- }
+ "priorityApplication": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
 },
- "taskTypes": {
- "title": "Task types",
- "description": "Indicates the types of activities performed by the set of workflow tasks.",
- "$comment": "Currently, these types reflect common CI/CD actions.",
+ "members": {
 "type": "array",
+ "title": "Family Members",
+ "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.",
 "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "BOM Reference",
+ "description": "A `bom-ref` linking to a patent or application object within the BOM."
 }
 },
- "trigger": {
- "title": "Trigger",
- "description": "The trigger that initiated the task.",
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger"
- },
- "steps": {
- "title": "Steps",
- "description": "The sequence of steps for the task.",
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step"
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ }
+ }
+ },
+ "patentAssertions": {
+ "type": "array",
+ "title": "Patent Assertions",
+ "description": "A list of assertions made regarding patents associated with this component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
+ "items": {
+ "type": "object",
+ "title": "Patent Assertion",
+ "description": "An assertion linking a patent or patent family to this component or service.",
+ "required": [
+ "assertionType",
+ "asserter"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."
 },
- "uniqueItems": true
- },
- "inputs": {
- "title": "Inputs",
- "description": "Represents resources and data brought into a task at runtime by executor or task commands",
- "examples": [
- "a `configuration` file which was declared as a local `component` or `externalReference`"
- ],
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType"
+ "assertionType": {
+ "type": "string",
+ "title": "Assertion Type",
+ "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.",
+ "enum": [
+ "ownership",
+ "license",
+ "third-party-claim",
+ "standards-inclusion",
+ "prior-art",
+ "exclusive-rights",
+ "non-assertion",
+ "research-or-evaluation"
+ ],
+ "meta:enum": {
+ "ownership": "The manufacturer asserts ownership of the patent or patent family.",
+ "license": "The manufacturer asserts they have a license to use the patent or patent family.",
+ "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.",
+ "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.",
+ "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.",
+ "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.",
+ "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.",
+ "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
+ }
 },
- "uniqueItems": true
- },
- "outputs": {
- "title": "Outputs",
- "description": "Represents resources and data output from a task at runtime by executor or task commands",
- "examples": [
- "a log file or metrics data produced by the task"
- ],
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType"
+ "patentRefs": {
+ "type": "array",
+ "title": "Patent References",
+ "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
 },
- "uniqueItems": true
- },
- "timeStart": {
- "title": "Time start",
- "description": "The date and time (timestamp) when the task started.",
- "type": "string",
- "format": "date-time"
- },
- "timeEnd": {
- "title": "Time end",
- "description": "The date and time (timestamp) when the task ended.",
- "type": "string",
- "format": "date-time"
- },
- "workspaces": {
- "title": "Workspaces",
- "description": "A set of named filesystem or data resource shareable by workflow tasks.",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace"
- }
- },
- "runtimeTopology": {
- "title": "Runtime topology",
- "description": "A graph of the component runtime topology for workflow's instance.",
- "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency"
+ "asserter": {
+ "oneOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity",
+ "title": "Organizational Entity"
+ },
+ {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact",
+ "title": "Person"
+ },
+ {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Reference",
+ "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."
+ }
+ ]
+ },
+ "notes": {
+ "type": "string",
+ "title": "Notes",
+ "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license."
 }
- },
- "properties": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
 },
- "task": {
- "title": "Task",
- "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.",
- "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.",
+ "patentApplicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Application Number",
+ "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. 
Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).",
+ "examples": [
+ "US20240000123",
+ "EP23123456"
+ ]
+ },
+ "patentJurisdiction": {
+ "type": "string",
+ "title": "Jurisdiction",
+ "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).",
+ "pattern": "^[A-Z]{2}$",
+ "examples": [
+ "US",
+ "EP",
+ "JP"
+ ]
+ },
+ "patentFilingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "priorityApplication": {
 "type": "object",
+ "title": "Priority Application",
+ "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.",
 "required": [
- "bom-ref",
- "uid",
- "taskTypes"
+ "applicationNumber",
+ "jurisdiction",
+ "filingDate"
 ],
 "additionalProperties": false,
 "properties": {
- "bom-ref": {
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
- },
- "uid": {
- "title": "Unique Identifier (UID)",
- "description": "The unique identifier for the resource instance within its deployment context.",
- "type": "string"
+ "applicationNumber": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"
 },
- "name": {
- "title": "Name",
- "description": "The name of the resource instance.",
- "type": "string"
+ "jurisdiction": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"
 },
- "description": {
- "title": "Description",
- "description": "A description of the resource instance.",
- "type": "string"
+ "filingDate": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-release-notes-2.0": {
+ "type": "null",
+ "title": "CycloneDX Release Notes Model",
+ "$defs": {
+ "releaseNotes": {
+ "type": "object",
+ "title": "Release notes",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType",
+ "title": "Type",
+ "description": "The software versioning type the release note describes."
 },
- "resourceReferences": {
- "title": "Resource references",
- "description": "References to component or service resources that are used to realize the resource instance.",
- "type": "array",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"
- }
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the release." 
},
- "taskTypes": {
- "title": "Task types",
- "description": "Indicates the types of activities performed by the set of workflow tasks.",
- "$comment": "Currently, these types reflect common CI/CD actions.",
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType"
- }
+ "featuredImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Featured image",
+ "description": "The URL to an image that may be prominently displayed with the release note."
 },
- "trigger": {
- "title": "Trigger",
- "description": "The trigger that initiated the task.",
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger"
+ "socialImage": {
+ "type": "string",
+ "format": "iri-reference",
+ "title": "Social image",
+ "description": "The URL to an image that may be used in messaging on social media platforms."
 },
- "steps": {
- "title": "Steps",
- "description": "The sequence of steps for the task.",
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step"
- },
- "uniqueItems": true
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A short description of the release."
 },
- "inputs": {
- "title": "Inputs",
- "description": "Represents resources and data brought into a task at runtime by executor or task commands",
- "examples": [
- "a `configuration` file which was declared as a local `component` or `externalReference`"
- ],
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType"
- },
- "uniqueItems": true
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the release note was created." 
},
- "outputs": {
- "title": "Outputs",
- "description": "Represents resources and data output from a task at runtime by executor or task commands",
- "examples": [
- "a log file or metrics data produced by the task"
- ],
+ "aliases": {
 "type": "array",
 "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType"
+ "type": "string"
 },
- "uniqueItems": true
- },
- "timeStart": {
- "title": "Time start",
- "description": "The date and time (timestamp) when the task started.",
- "type": "string",
- "format": "date-time"
+ "title": "Aliases",
+ "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)."
 },
- "timeEnd": {
- "title": "Time end",
- "description": "The date and time (timestamp) when the task ended.",
- "type": "string",
- "format": "date-time"
+ "tags": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags",
+ "title": "Tags"
 },
- "workspaces": {
- "title": "Workspaces",
- "description": "A set of named filesystem or data resource shareable by workflow tasks.",
+ "resolves": {
 "type": "array",
 "items": {
- "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue"
 },
- "uniqueItems": true
+ "title": "Resolves",
+ "description": "A collection of issues that have been resolved."
 },
- "runtimeTopology": {
- "title": "Runtime topology",
- "description": "A graph of the component runtime topology for task's instance.",
- "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "notes": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" }, - "uniqueItems": true + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." }, "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "step": { - "type": "object", - "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", - "additionalProperties": false, - "properties": { - "name": { - "title": "Name", - "description": "A name for the step.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the step.", - "type": "string" - }, - "commands": { - "title": "Commands", - "description": "Ordered list of commands or directives for the step", "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" } - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "command": { + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], "additionalProperties": false, "properties": { - "executed": { - "title": "Executed", - "description": "A text representation of the executed command.", - "type": "string" + "locale": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" } } - }, - "workspace": { - "title": "Workspace", - "description": "A named filesystem or data resource shareable by workflow tasks.", + } + } + }, + "cyclonedx-requirement-2.0": { + "type": "null", + "title": "CycloneDX Engineering Requirement Model", + "$defs": { + "requirement": { "type": "object", - "required": [ - "bom-ref", - "uid" - ], + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." }, "name": { + "type": "string", "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "description": "A short name or title for the requirement." }, - "aliases": { - "title": "Aliases", - "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." + }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." + }, + "stakeholders": { "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", "items": { "type": "string" } }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion" + } }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", + "dependencies": { "type": "array", - "uniqueItems": true, + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/dependency" } }, - "accessMode": { - "title": "Access mode", - "description": 
"Describes the read-write access control for the workspace relative to the owning resource instance.", + "parent": { "type": "string", - "enum": [ - "read-only", - "read-write", - "read-write-once", - "write-once", - "write-only" - ] + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." }, - "mountPath": { - "title": "Mount path", - "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", - "type": "string" + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." }, - "managedDataType": { - "title": "Managed data type", - "description": "The name of a domain-specific data type the workspace represents.", - "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", - "examples": [ - "ConfigMap", - "Secret" - ], - "type": "string" + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." }, - "volumeRequest": { - "title": "Volume request", - "description": "Identifies the reference to the request for a specific volume type and parameters.", - "examples": [ - "a kubernetes Persistent Volume Claim (PVC) name" - ], - "type": "string" + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." 
}, - "volume": { - "title": "Volume", - "description": "Information about the actual volume instance allocated to the workspace.", - "$comment": "The actual volume allocated may be different than the request.", - "examples": [ - "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + } }, "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } } } }, - "volume": { - "title": "Volume", - "description": "An identifiable, logical unit of data storage tied to a physical device.", + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + 
"performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": "Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": 
"Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." + } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the volume instance within its deployment context.", - "type": "string" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." 
}, - "name": { - "title": "Name", - "description": "The name of the volume instance", - "type": "string" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." }, - "mode": { - "title": "Mode", - "description": "The mode for the volume instance.", + "status": { "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", "enum": [ - "filesystem", - "block" - ], - "default": "filesystem" + "pending", + "passed", + "failed" + ] + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "A dependency on another requirement.", + "additionalProperties": false, + "properties": { + "ref": { + "oneOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] }, - "path": { - "title": "Path", - "description": "The underlying path created from the actual volume.", - "type": "string" + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] }, - "sizeAllocated": { - "title": "Size allocated", - "description": "The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.", - "examples": [ - "10GB", - "2Ti", - "1Pi" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." 
+ } + } + } + } + }, + "cyclonedx-risk-2.0": { + "type": "null", + "title": "CycloneDX Risk Model", + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { + "type": "array", + "description": "Risk domains covered by this assessment", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" + }, + "description": "Risk scenarios identified" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + }, + "$defs": { + "riskDomain": { + "type": "object", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" ], - "type": "string" - }, - "persistent": { - "title": "Persistent", - "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", - "type": "boolean" + "meta:enum": { + "security": "Information security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business 
and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } }, - "remote": { - "title": "Remote", - "description": "Indicates if the volume is remotely (i.e., network) attached.", - "type": "boolean" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": { + "type": "string", + "description": "Additional context for this risk domain" } } }, - "trigger": { - "title": "Trigger", - "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": 
"Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { "type": "object", - "additionalProperties": false, "required": [ - "type", "bom-ref", - "uid" + "name", + "type" ], + "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "type": "string", + "description": "Name of the risk scenario" }, "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } + "type": "string", + "description": "Detailed description of the scenario" }, "type": { - "title": "Type", - "description": "The source type of event which caused the trigger to fire.", "type": "string", "enum": [ - "manual", - "api", - "webhook", - "scheduled" - ] + "threat", + "vulnerability", + "weakness", + "risk", + "incident", + "opportunity", + "hazard" + ], + "meta:enum": { + "threat": "Security threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk (opportunity)", + "hazard": "Safety hazard scenario" + } }, - "event": { - "title": "Event", - "description": "The event data that caused the associated trigger to activate.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + "domain": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "conditions": { + "category": { + "type": "string", + "description": "Category or 
classification of the scenario" + }, + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { "type": "array", - "title": "Conditions", - "description": "A list of conditions used to determine if a trigger should be activated.", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" - } - }, - "timeActivated": { - "title": "Time activated", - "description": "The date and time (timestamp) when the trigger was activated.", - "type": "string", - "format": "date-time" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], + "affectedAssets": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to affected assets" }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "mitigations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "event": { - "title": "Event", - "description": "Represents something that happened that may trigger a response.", + "likelihood": { "type": "object", + "required": [ + "level" + ], "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier of the event.", - "type": "string" + "level": { + "type": "string", + "enum": [ + "veryLow", + "low", + "medium", + "high", + "veryHigh", + "certain" + ], + "description": "Likelihood level", + "meta:enum": { + "veryLow": "Very unlikely to occur (< 10%)", + "low": "Unlikely to occur (10-30%)", + "medium": "Possible to occur (30-60%)", + "high": "Likely to occur (60-90%)", + "veryHigh": "Very likely to occur (> 90%)", + "certain": "Will certainly occur (100%)" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "impact": { + "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "negligible", + "low", + "moderate", + "high", + "severe", + "catastrophic" + ], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "high": "Significant impact with serious consequences", + "severe": "Severe impact with critical consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { 
+ "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification" }, "description": { - "title": "Description", - "description": "A description of the event.", - "type": "string" + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" }, - "timeReceived": { - "title": "Time Received", - "description": "The date and time (timestamp) when the event was received.", + "currency": { "type": "string", - "format": "date-time" + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" }, - "data": { - "title": "Data", - "description": "Encoding of the raw event data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" }, - "source": { - "title": "Source", - "description": "References the component or service that was the 
source of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" }, - "target": { - "title": "Target", - "description": "References the component or service that was the target of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" } } }, - "inputType": { - "title": "Input type", - "description": "Type that represents various input data types and formats.", + "riskScore": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" + ], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } }, - { - "required": [ - "parameters" - ] + "score": { + "type": "number", + "minimum": 0, + "description": "Numeric risk score" }, - { - "required": [ - "environmentVars" - ] + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" }, - { - "required": [ - "data" - ] + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" } + } + }, + 
"mitigation": { + "type": "object", + "required": [ + "bom-ref", + "name", + "type" ], "additionalProperties": false, "properties": { - "source": { - "title": "Source", - "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", - "examples": [ - "source code repository", - "database" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the mitigation" + }, + "description": { + "type": "string", + "description": "Description of what the mitigation does" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Protective measure", + "practice": "Risk management practice", + "procedure": "Documented procedure" + } + }, + "strategy": { + "type": "string", + "enum": [ + "prevent", + "detect", + "respond", + "recover" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } }, - "target": { - "title": "Target", - "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", - "examples": [ - "workspace", - "directory" + "status": { + "type": "string", + "enum": [ + "proposed", + "approved", + "planned", + "inProgress", + "implemented", + "verified" ], - "$ref": 
"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", - "examples": [ - "a reference to a configuration file in a repository (i.e., a bom-ref)", - "a reference to a scanning service used in a task (i.e., a bom-ref)" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": [ + "trivial", + "low", + "medium", + "high", + "extreme" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } }, - "parameters": { - "title": "Parameters", - "description": "Inputs that have the form of parameters with names and values.", + "addresses": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to scenarios this mitigation addresses" }, - "environmentVars": { - "title": "Environment variables", - "description": "Inputs that have the form of parameters with names and values.", + "implementedBy": { "type": "array", - "uniqueItems": true, "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment 
Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." - } - ] - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets that implement this mitigation" }, - "data": { - "title": "Data", - "description": "Inputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "outputType": { + "effectiveness": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] - }, - { - "required": [ - "environmentVars" - ] + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 100, + "description": "Effectiveness as percentage" }, - { - "required": [ - "data" - ] + "rating": { + "type": "string", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } } + } + }, + "assessment": { + "type": "object", + "required": [ + "bom-ref", + "type", + "timestamp" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "type": { - "title": "Type", - "description": "Describes the type of data output.", "type": "string", "enum": [ - "artifact", - 
"attestation", - "log", - "evidence", - "metrics", - "other" - ] + "initial", + "periodic", + "continuous", + "triggered" + ], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } }, - "source": { - "title": "Source", - "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" }, - "target": { - "title": "Target", - "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", - "examples": [ - "a log file described as an `externalReference` within its target domain." - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource generated as output by the task.", - "examples": [ - "configuration file", - "source code", - "scanning service" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "summary": { + "type": "string", + "description": "Executive summary of the assessment" }, - "data": { - "title": "Data", - "description": "Outputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "findings": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/finding" + }, + "description": "Specific findings from the assessment" }, - "environmentVars": { - "title": "Environment variables", - "description": "Outputs that have the form of 
environment variables.", + "overallRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore", + "description": "Overall risk score/level" + }, + "recommendations": { "type": "array", "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." - } - ] + "type": "string" }, - "uniqueItems": true + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "resourceReferenceChoice": { - "title": "Resource reference choice", - "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", - "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "finding": { "type": "object", + "required": [ + "title", + "severity" + ], "additionalProperties": false, "properties": { - "ref": { - "title": "BOM Reference", - "description": "References an object by its bom-ref attribute", - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "externalReference": { - "title": "External reference", - "description": 
"Reference to an externally accessible resource.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - }, - "oneOf": [ - { - "required": [ - "ref" - ] + "title": { + "type": "string", + "description": "Title of the finding" }, - { - "required": [ - "externalReference" - ] - } - ] - }, - "condition": { - "title": "Condition", - "description": "A condition that was used to determine a trigger should be activated.", - "type": "object", - "additionalProperties": false, - "properties": { "description": { - "title": "Description", - "description": "Describes the set of conditions which cause the trigger to activate.", - "type": "string" + "type": "string", + "description": "Detailed description of the finding" }, - "expression": { - "title": "Expression", - "description": "The logical expression that was evaluated that determined the trigger should be fired.", - "type": "string" + "severity": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "relatedScenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Scenarios related to this finding" + }, + "relatedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets affected by this finding" + }, + "remediation": { + "type": "string", + "description": "Recommended remediation" + }, + "status": { + "type": "string", + "enum": [ + "open", + "inProgress", + "resolved", + "accepted" + ], + "meta:enum": { + "open": "Finding is open and unaddressed", + "inProgress": "Remediation is in progress", + "resolved": "Finding has been resolved", + "accepted": "Risk has been accepted" + } } } }, - "taskType": { + "priority": { "type": "string", "enum": [ - "copy", - "clone", - "lint", - "scan", - "merge", - "build", - "test", - "deliver", - "deploy", - "release", - "clean", - "other" + "none", + "low", 
+ "medium", + "high", + "critical" + ], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" ], + "description": "Severity level", "meta:enum": { - "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", - "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", - "lint": "A task that checks source code for programmatic and stylistic errors.", - "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.", - "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", - "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", - "test": "A task that verifies the functionality of a component or service.", - "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", - "deploy": "A task that deploys a built artifact for execution on one or more target systems.", - "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", - "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", - "other": "A workflow task that does not match current task type definitions." 
+ "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity issue" } }, - "parameter": { - "title": "Parameter", - "description": "A representation of a functional parameter.", - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "title": "Name", - "description": "The name of the parameter.", - "type": "string" - }, - "value": { - "title": "Value", - "description": "The value of the parameter.", - "type": "string" - }, - "dataType": { - "title": "Data type", - "description": "The data type of the parameter.", - "type": "string" - } + "criticality": { + "type": "string", + "enum": [ + "minimal", + "low", + "moderate", + "high", + "critical" + ], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" } } } }, - "cyclonedx-license-2.0": { + "cyclonedx-service-2.0": { "type": "null", - "title": "CycloneDX License Model", + "title": "CycloneDX Service Model", "$defs": { - "licenseChoice": { - "title": "License Choice", - "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "services": { "type": "array", "items": { - "oneOf": [ - { - "type": "object", - "title": "License", - "required": [ - "license" - ], - "additionalProperties": false, - "properties": { - "license": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" - } - } - }, - { - "title": "License Expression", - "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", - "type": "object", - 
"additionalProperties": false, - "required": [ - "expression" - ], - "properties": { - "expression": { - "type": "string", - "title": "SPDX License Expression", - "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", - "examples": [ - "Apache-2.0 AND (MIT OR GPL-2.0-only)", - "GPL-3.0-only WITH Classpath-exception-2.0" - ] - }, - "expressionDetails": { - "title": "Expression Details", - "description": "Details for parts of the `expression`.", - "type": "array", - "items": { - "type": "object", - "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", - "required": [ - "licenseIdentifier" - ], - "properties": { - "licenseIdentifier": { - "title": "License Identifier", - "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", - "type": "string", - "examples": [ - "Apache-2.0", - "GPL-3.0-only WITH Classpath-exception-2.0", - "LicenseRef-my-custom-license" - ] - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
- }, - "text": { - "title": "License texts", - "description": "A way to include the textual content of the license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" - } - }, - "additionalProperties": false - } - }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - } - ] - } + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services" }, - "license": { + "service": { "type": "object", - "title": "License", - "description": "Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", - "oneOf": [ - { - "required": [ - "id" - ] - }, - { - "required": [ - "name" - ] - } + "title": "Service", + "required": [ + "name" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "id": { - "$ref": "../spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", "examples": [ - "Apache-2.0" + "com.acme" ] }, "name": { "type": "string", - "title": "License Name", - "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", "examples": [ - "Acme Software License" + "ticker-service" ] }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" - }, - "text": { - "title": "License text", - "description": "A way to include the textual content of a license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Service Version", + "description": "The service version." }, - "url": { + "description": { "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" + "https://example.com/api/v1/ticker" + ] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." + }, + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + }, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "Service License(s)" + }, + "patentAssertions": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", + "title": "Service Patent(s)" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + "services": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
} } }, - "licenseAcknowledgementEnumeration": { - "title": "License Acknowledgement", - "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", - "type": "string", - "enum": [ - "declared", - "concluded" - ], - "meta:enum": { - "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", - "concluded": "Concluded licenses are verified and confirmed." - } - }, - "licensing": { + "serviceData": { "type": "object", - "title": "Licensing information", - "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], "additionalProperties": false, "properties": { - "altIds": { - "type": "array", - "title": "Alternate License Identifiers", - "description": "License identifiers that may be used to manage licenses and their lifecycle", - "items": { - "type": "string" - } + "flow": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. 
Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." }, - "licensor": { - "title": "Licensor", - "description": "The individual or organization that grants a license to another individual or organization", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensor (Organization)", - "description": "The organization that granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensor (Individual)", - "description": "The individual, not associated with an organization, that granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } - ] + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" }, - "licensee": { - "title": "Licensee", - "description": "The individual or organization for which a license was granted to", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensee (Organization)", - "description": "The organization that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensee (Individual)", - "description": "The individual, not associated with an organization, that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" ] }, - "purchaser": { - "title": "Purchaser", - 
"description": "The individual or organization that purchased the license", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Purchaser (Organization)", - "description": "The organization that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Purchaser (Individual)", - "description": "The individual, not associated with an organization, that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" ] }, - "purchaseOrder": { - "type": "string", - "title": "Purchase Order", - "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" }, - "licenseTypes": { + "source": { "type": "array", - "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", "items": { - "type": "string", - "enum": [ - "academic", - "appliance", - "client-access", - "concurrent-user", - "core-points", - "custom-metric", - "device", - "evaluation", - "named-user", - "node-locked", - "oem", - "perpetual", - "processor-points", - "subscription", - "user", - "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server 
software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." 
- }
- }
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Source",
+ "description": "The URI, URL, or BOM-Link of the components or services the data came in from"
+ },
+ "destination": {
+ "type": "array",
+ "items": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "title": "Destination",
+ "description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
+ }
+ }
+ }
+ }
+ },
+ "cyclonedx-standard-2.0": {
+ "type": "null",
+ "title": "CycloneDX Standard Model",
+ "$defs": {
+ "standards": {
+ "type": "array",
+ "title": "Standards",
+ "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard"
+ }
+ },
+ "standard": {
+ "type": "object",
+ "title": "Standard",
+ "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
- "lastRenewal": {
+ "name": {
 "type": "string",
- "format": "date-time",
- "title": "Last Renewal",
- "description": "The timestamp indicating when the license was last renewed. 
For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
+ "title": "Name",
+ "description": "The name of the standard. This will often be a shortened, single name of the standard."
 },
- "expiration": {
+ "version": {
 "type": "string",
- "format": "date-time",
- "title": "Expiration",
- "description": "The timestamp indicating when the current license expires (if applicable)."
+ "title": "Version",
+ "description": "The version of the standard."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the standard."
+ },
+ "owner": {
+ "type": "string",
+ "title": "Owner",
+ "description": "The owner of the standard, often the entity responsible for its release."
+ },
+ "requirements": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements"
+ },
+ "levels": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ },
+ "signature": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
}
 }
- }
- }
- },
- "cyclonedx-metadata-2.0": {
- "type": "null",
- "title": "CycloneDX Metadata Model",
- "$defs": {
- "metadata": {
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirements comprising the standard.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement"
+ }
+ },
+ "requirement": {
 "type": "object",
- "title": "BOM Metadata",
- "description": "Provides additional information about a BOM.",
+ "title": "Requirement",
 "additionalProperties": false,
 "properties": {
- "timestamp": {
- "type": "string",
- "format": "date-time",
- "title": "Timestamp",
- "description": "The date and time (timestamp) when the BOM was created."
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
 },
- "lifecycles": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles"
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."
 },
- "tools": {
- "type": "object",
- "title": "Tools",
- "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
- "additionalProperties": false,
- "properties": {
- "components": {
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components",
- "description": "A list of software and hardware components used as tools."
- },
- "services": {
- "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services",
- "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
- }
- }
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the requirement." 
},
- "manufacturer": {
- "title": "BOM Manufacturer",
- "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ "text": {
+ "type": "string",
+ "title": "Text",
+ "description": "The textual content of the requirement."
 },
- "authors": {
+ "descriptions": {
 "type": "array",
- "title": "BOM Authors",
- "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.",
+ "title": "Descriptions",
+ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.",
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ "type": "string"
 }
 },
- "component": {
- "description": "The component that the BOM describes.",
- "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
- },
- "supplier": {
- "title": "Supplier",
- "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "licenses": {
- "title": "BOM License(s)",
- "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
- "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"
+ "openCre": {
+ "type": "array",
+ "title": "OWASP OpenCRE Identifier(s)",
+ "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. 
CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.",
+ "items": {
+ "type": "string",
+ "pattern": "^CRE:[0-9]+-[0-9]+$",
+ "examples": [
+ "CRE:764-507"
+ ]
+ }
 },
- "distributionConstraints": {
- "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"
+ "parent": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "title": "Parent BOM Reference",
+ "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ },
+ "externalReferences": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
 }
 }
 },
- "distributionConstraints": {
- "title": "Distribution Constraints",
- "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
+ "levels": {
+ "type": "array",
+ "title": "Levels",
+ "description": "The list of levels associated with the standard. Some standards have different levels of compliance.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level"
+ }
+ },
+ "level": {
 "type": "object",
+ "title": "Level",
+ "additionalProperties": false,
 "properties": {
- "tlp": {
- "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification",
- "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The identifier used in the standard to identify a specific level."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the level."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the level."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirement `bom-ref`s that comprise the level.",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
+ }
 }
 }
- },
- "tlpClassification": {
- "title": "Traffic Light Protocol (TLP) Classification",
- "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
- "type": "string",
- "default": "CLEAR",
- "enum": [
- "CLEAR",
- "GREEN",
- "AMBER",
- "AMBER_AND_STRICT",
- "RED"
- ],
- "meta:enum": {
- "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
- "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
- "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
- "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
- "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." 
- }
 }
 }
 },
- "cyclonedx-patent-2.0": {
+ "cyclonedx-threat-2.0": {
 "type": "null",
- "title": "CycloneDX Patent Model",
+ "title": "CycloneDX Threat Model",
 "$defs": {
- "patents": {
- "type": "array",
- "title": "Patents",
- "description": "The list of either individual patents or patent families.",
- "items": {
- "anyOf": [
- {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent"
- },
- {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"
+ "threatScenario": {
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario"
+ },
+ {
+ "properties": {
+ "threatCategory": {
+ "type": "string",
+ "description": "Threat category based on methodology (e.g., STRIDE category)"
+ },
+ "threatActor": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"
+ },
+ "attackVector": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector"
+ },
+ "attackPattern": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"
+ },
+ "weakness": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"
+ },
+ "exploitability": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability"
+ },
+ "indicators": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators"
+ },
+ "killChainPhase": {
+ "type": "string",
+ "enum": [
+ "reconnaissance",
+ "weaponization",
+ "delivery",
+ "exploitation",
+ "installation",
+ "command-and-control",
+ "actions-on-objectives"
+ ],
+ "meta:enum": {
+ "reconnaissance": "Gathering information about the target",
+ "weaponization": "Creating malicious payloads",
+ "delivery": "Transmitting weapon to target",
+ "exploitation": "Exploiting vulnerabilities",
+ "installation": "Installing malware or backdoors",
+ "command-and-control": "Establishing C2 channel",
+ "actions-on-objectives": "Achieving attack goals"
+ }
+ },
+ "technicalImpact": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "unauthorized-access",
+ "data-breach",
+ "data-corruption",
+ 
"service-disruption",
+ "privilege-escalation",
+ "code-execution",
+ "information-disclosure",
+ "denial-of-service"
+ ]
+ }
+ }
 }
- ]
- }
+ }
+ ]
 },
- "patent": {
+ "threatActor": {
 "type": "object",
- "title": "Patent",
- "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.",
 "required": [
- "patentNumber",
- "jurisdiction",
- "patentLegalStatus"
+ "bom-ref",
+ "name",
+ "type"
 ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
- "patentNumber": {
+ "name": {
 "type": "string",
- "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
- "title": "Patent Number",
- "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).",
- "examples": [
- "US987654321",
- "EP1234567B1"
- ]
+ "description": "Name or identifier of the threat actor"
 },
- "applicationNumber": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"
+ "description": {
+ "type": "string",
+ "description": "Description of the threat actor"
 },
- "jurisdiction": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"
+ "type": {
+ "type": "string",
+ "enum": [
+ "individual",
+ "group",
+ "organization",
+ "nation-state",
+ "unknown"
+ ],
+ "meta:enum": {
+ "individual": "Individual threat actor",
+ "group": "Organized group or collective",
+ "organization": "Corporate or criminal organization",
+ "nation-state": "Nation-state sponsored actor",
+ "unknown": "Unknown threat actor type"
+ }
 },
- "priorityApplication": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
+ "aliases": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Known aliases or alternative names"
 },
- "publicationNumber": {
- "type": "string",
- "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
- "title": "Patent Publication Number",
- "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"
+ "profile": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"
 },
- "title": {
- "type": "string",
- "title": "Patent Title",
- "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."
+ "observedTTPs": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/ttp"
+ },
+ "description": "Observed tactics, techniques, and procedures"
 },
- "abstract": {
+ "attributedAttacks": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Attacks attributed to this actor"
+ },
+ "targeting": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/targeting"
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
+ }
+ }
+ }
+ },
+ "threatActorProfile": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "sophistication": {
 "type": "string",
- "title": "Patent Abstract",
- "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." 
+ "enum": [
+ "none",
+ "minimal",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
+ "meta:enum": {
+ "none": "No technical sophistication",
+ "minimal": "Script kiddie level",
+ "intermediate": "Intermediate technical skills",
+ "advanced": "Advanced persistent threat",
+ "expert": "Nation-state level capabilities"
+ }
 },
- "filingDate": {
+ "motivation": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "enum": [
+ "financial",
+ "political",
+ "personal",
+ "ideological",
+ "espionage",
+ "destruction",
+ "disruption",
+ "reputation",
+ "curiosity",
+ "competitive",
+ "revenge",
+ "activism"
+ ]
+ },
+ "description": "Primary motivations"
+ },
+ "capability": {
 "type": "string",
- "format": "date",
- "title": "Filing Date",
- "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ "enum": [
+ "minimal",
+ "limited",
+ "moderate",
+ "significant",
+ "advanced"
+ ],
+ "description": "Overall capability level"
 },
- "grantDate": {
+ "intent": {
 "type": "string",
- "format": "date",
- "title": "Grant Date",
- "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."
+ "enum": [
+ "accidental",
+ "opportunistic",
+ "targeted",
+ "persistent"
+ ],
+ "description": "Intent level"
 },
- "patentExpirationDate": {
+ "resources": {
 "type": "string",
- "format": "date",
- "title": "Expiration Date",
- "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." 
+ "enum": [
+ "minimal",
+ "limited",
+ "moderate",
+ "substantial",
+ "unlimited"
+ ],
+ "description": "Resource availability"
 },
- "patentLegalStatus": {
+ "accessLevel": {
 "type": "string",
- "title": "Legal Status",
- "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
 "enum": [
- "pending",
- "granted",
- "revoked",
- "expired",
- "lapsed",
- "withdrawn",
- "abandoned",
- "suspended",
- "reinstated",
- "opposed",
- "terminated",
- "invalidated",
- "in-force"
+ "none",
+ "external",
+ "internal",
+ "privileged",
+ "physical"
 ],
- "meta:enum": {
- "pending": "The patent application has been filed but not yet examined or granted.",
- "granted": "The patent application has been examined and a patent has been issued.",
- "revoked": "The patent has been declared invalid through a legal or administrative process.",
- "expired": "The patent has reached the end of its enforceable term.",
- "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
- "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
- "abandoned": "The patent application was abandoned, often due to lack of action or response.",
- "suspended": "Processing of the patent application has been temporarily halted.",
- "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
- "opposed": "The patent application or granted patent is under formal opposition proceedings.",
- "terminated": "The patent or application has been officially terminated.",
- "invalidated": "The patent has been invalidated, either in part or in full.",
- "in-force": "The granted patent is active and enforceable." 
- }
+ "description": "Level of access to target systems"
 },
- "patentAssignee": {
+ "skillSet": {
 "type": "array",
- "title": "Patent Assignees",
- "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.",
 "items": {
- "oneOf": [
- {
- "title": "Person",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
- },
- {
- "title": "Organizational Entity",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- }
- ]
- }
- },
- "externalReferences": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ "type": "string"
+ },
+ "description": "Specific skills possessed"
 }
 }
 },
- "patentFamily": {
+ "attackVector": {
 "type": "object",
- "title": "Patent Family",
- "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.",
- "required": [
- "familyId"
- ],
 "additionalProperties": false,
 "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." 
+ "type": {
+ "type": "string",
+ "enum": [
+ "network",
+ "adjacent",
+ "local",
+ "physical"
+ ],
+ "meta:enum": {
+ "network": "Remotely exploitable via network",
+ "adjacent": "Exploitable from adjacent network",
+ "local": "Requires local access",
+ "physical": "Requires physical access"
+ }
 },
- "familyId": {
+ "complexity": {
 "type": "string",
- "title": "Patent Family ID",
- "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."
+ "enum": [
+ "low",
+ "high"
+ ],
+ "description": "Attack complexity"
 },
- "priorityApplication": {
- "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
+ "privileges": {
+ "type": "string",
+ "enum": [
+ "none",
+ "low",
+ "high"
+ ],
+ "description": "Privileges required"
 },
- "members": {
- "type": "array",
- "title": "Family Members",
- "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "BOM Reference",
- "description": "A `bom-ref` linking to a patent or application object within the BOM."
- }
+ "userInteraction": {
+ "type": "string",
+ "enum": [
+ "none",
+ "required"
+ ],
+ "description": "User interaction requirement"
 },
- "externalReferences": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ "scope": {
+ "type": "string",
+ "enum": [
+ "unchanged",
+ "changed"
+ ],
+ "description": "Scope impact"
 }
 }
 },
- "patentAssertions": {
- "type": "array",
- "title": "Patent Assertions",
- "description": "A list of assertions made regarding patents associated with this component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
- "items": {
- "type": "object",
- "title": "Patent Assertion",
- "description": "An assertion linking a patent or patent family to this component or service.",
- "required": [
- "assertionType",
- "asserter"
- ],
- "additionalProperties": false,
- "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."
- },
- "assertionType": {
- "type": "string",
- "title": "Assertion Type",
- "description": "The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.",
- "enum": [
- "ownership",
- "license",
- "third-party-claim",
- "standards-inclusion",
- "prior-art",
- "exclusive-rights",
- "non-assertion",
- "research-or-evaluation"
- ],
- "meta:enum": {
- "ownership": "The manufacturer asserts ownership of the patent or patent family.",
- "license": "The manufacturer asserts they have a license to use the patent or patent family.",
- "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.",
- "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.",
- "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.",
- "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.",
- "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.",
- "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
- }
+ "attackPattern": {
+ "type": "object",
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "capecId": {
+ "type": "integer",
+ "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the attack pattern"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the attack pattern"
+ },
+ "severity": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity"
+ },
+ "likelihood": {
+ "type": "string",
+ "enum": [
+ "low",
+ "medium",
+ "high"
+ ],
+ "description": "Likelihood of this pattern being used"
+ },
+ "prerequisites": {
+ "type": "array",
+ "items": {
+ "type": "string"
 },
- "patentRefs": {
- "type": "array",
- "title": "Patent References",
- "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
- }
+ "description": "Prerequisites for the attack"
+ },
+ "techniques": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique"
 },
- "asserter": {
- "oneOf": [
- {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity",
- "title": "Organizational Entity"
- },
- {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact",
- "title": "Person"
- },
- {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Reference",
- "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." 
- }
- ]
+ "description": "Techniques used in the attack"
+ },
+ "mitigations": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
- "notes": {
- "type": "string",
- "title": "Notes",
- "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license."
- }
+ "description": "References to mitigations"
+ },
+ "examples": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Real-world examples"
 }
 }
 },
- "patentApplicationNumber": {
- "type": "string",
- "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
- "title": "Patent Application Number",
- "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).",
- "examples": [
- "US20240000123",
- "EP23123456"
- ]
- },
- "patentJurisdiction": {
- "type": "string",
- "title": "Jurisdiction",
- "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. 
Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).",
- "pattern": "^[A-Z]{2}$",
- "examples": [
- "US",
- "EP",
- "JP"
- ]
+ "attackPatternReference": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "patternRef": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "description": "Reference to attack pattern"
+ },
+ "capecId": {
+ "type": "integer",
+ "description": "CAPEC ID if not referencing internal pattern"
+ },
+ "customization": {
+ "type": "string",
+ "description": "How this pattern is customized for the specific scenario"
+ }
+ }
 },
- "patentFilingDate": {
- "type": "string",
- "format": "date",
- "title": "Filing Date",
- "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ "technique": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Technique ID (e.g., MITRE ATT&CK ID)"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the technique"
+ },
+ "tactic": {
+ "type": "string",
+ "description": "Associated tactic"
+ },
+ "procedure": {
+ "type": "string",
+ "description": "Specific procedure"
+ },
+ "tools": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Tools used with this technique"
+ }
+ }
 },
- "priorityApplication": {
+ "weakness": {
 "type": "object",
- "title": "Priority Application",
- "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", "required": [ - "applicationNumber", - "jurisdiction", - "filingDate" + "bom-ref" ], "additionalProperties": false, "properties": { - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" }, - "filingDate": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + "name": { + "type": "string", + "description": "Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": [ + "pillar", + "class", + "base", + "variant", + "compound" + ], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": [ + "primary", + "resultant", + "indirect" + ], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": [ + "trivial", + "easy", + "moderate", + "difficult", + "impractical" + ], + "description": "Difficulty of 
exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" } } - } - } - }, - "cyclonedx-release-notes-2.0": { - "type": "null", - "title": "CycloneDX Release Notes Model", - "$defs": { - "releaseNotes": { + }, + "weaknessReference": { "type": "object", - "title": "Release notes", - "required": [ - "type" - ], "additionalProperties": false, "properties": { - "type": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", - "title": "Type", - "description": "The software versioning type the release note describes." + "weaknessRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to weakness" }, - "title": { + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { "type": "string", - "title": "Title", - "description": "The title of the release." + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "theoretical", + "proof-of-concept", + "functional", + "weaponized" + ], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } }, - "featuredImage": { + "complexity": { "type": "string", - "format": "iri-reference", - "title": "Featured image", - "description": "The URL to an image that may be prominently displayed with the release note." 
+ "enum": [ + "trivial", + "low", + "medium", + "high", + "very-high" + ], + "description": "Complexity to exploit" }, - "socialImage": { + "skillRequired": { "type": "string", - "format": "iri-reference", - "title": "Social image", - "description": "The URL to an image that may be used in messaging on social media platforms." + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "description": "Skill level required" }, - "description": { + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { "type": "string", - "title": "Description", - "description": "A short description of the release." + "description": "Estimated time to develop exploit" }, - "timestamp": { + "reliability": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the release note was created." + "enum": [ + "unreliable", + "occasional", + "reliable", + "highly-reliable" + ], + "description": "Reliability of exploitation" }, - "aliases": { + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { "type": "array", "items": { "type": "string" }, - "title": "Aliases", - "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." 
+ "description": "Indicators of compromise" }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" }, - "resolves": { + "behavioral": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "type": "string" }, - "title": "Resolves", - "description": "A collection of issues that have been resolved." + "description": "Behavioral indicators" }, - "notes": { + "signatures": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/signature" }, - "title": "Notes", - "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": [ + "type", + "value" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "yara", + "snort", + "regex", + "hash", + "behavior" + ], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": "Description of what the signature detects" }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "confidence": { + "type": "string", + "enum": [ + "low", + "medium", + "high" + ], + "description": "Confidence level of detection" } } }, - "releaseType": { - "type": "string", - "examples": [ - "major", - "minor", - "patch", - "pre-release", - "internal" - ], - "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." - }, - "note": { + "ttp": { "type": "object", - "title": "Note", - "description": "A note containing the locale and content.", - "required": [ - "text" - ], "additionalProperties": false, "properties": { - "locale": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", - "title": "Locale", - "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + "tactic": { + "type": "string", + "description": "High-level tactic" }, - "text": { - "title": "Release note content", - "description": "Specifies the full content of the release note.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "technique": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" } } - } - } - }, - "cyclonedx-service-2.0": { - "type": "null", - "title": "CycloneDX Service Model", - "$defs": { - "services": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true, - "title": "Services" }, - "service": { + "tool": { "type": "object", - "title": "Service", "required": [ "name" ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "group": { + "name": { "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. 
Whitespace and special characters should be avoided.", - "examples": [ - "com.acme" - ] + "description": "Tool name" }, - "name": { + "type": { "type": "string", - "title": "Service Name", - "description": "The name of the service. This will often be a shortened, single name of the service.", - "examples": [ - "ticker-service" - ] + "enum": [ + "exploit", + "scanner", + "fuzzer", + "proxy", + "framework", + "custom" + ], + "description": "Type of tool" }, "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Service Version", - "description": "The service version." - }, - "description": { "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" + "description": "Tool version" }, - "endpoints": { + "capabilities": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "type": "string" }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": [ - "https://example.com/api/v1/ticker" - ] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." - }, - "trustZone": { - "type": "string", - "title": "Trust Zone", - "description": "The name of the trust zone the service resides in." 
- }, - "data": { + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + "type": "string" }, - "title": "Data", - "description": "Specifies information about the data including the directional flow of data and the data classification." - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "Service License(s)" - }, - "patentAssertions": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", - "title": "Service Patent(s)" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "description": "Targeted sectors or industries" }, - "services": { + "regions": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + "type": "string" }, - "uniqueItems": true, - "title": "Services", - "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." - }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": "Targeted geographic regions" }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" } } }, - "serviceData": { + "detectionMethod": { "type": "object", - "title": "Hash Objects", "required": [ - "flow", - "classification" + "method" ], "additionalProperties": false, "properties": { - "flow": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", - "title": "Directional Flow", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." - }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "name": { + "method": { "type": "string", - "title": "Name", - "description": "Name for the defined data", - "examples": [ - "Credit card reporting" - ] + "enum": [ + "static-analysis", + "dynamic-analysis", + "penetration-test", + "code-review", + "architecture-review", + "automated-scan" + ], + "description": "Detection method type" }, "description": { "type": "string", - "title": "Description", - "description": "Short description of the data content and usage", - "examples": [ - "Credit card information being exchanged in between the web app and the database" - ] - }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "description": "Description of the detection method" }, - "source": { - "type": "array", - "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "Source", - "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + "effectiveness": { + "type": "string", + "enum": [ + "low", + 
"medium", + "high" + ], + "description": "Effectiveness of the method" }, - "destination": { + "tools": { "type": "array", "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "type": "string" }, - "title": "Destination", - "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" - } - } - } - } - }, - "cyclonedx-standard-2.0": { - "type": "null", - "title": "CycloneDX Standard Model", - "$defs": { - "standards": { - "type": "array", - "title": "Standards", - "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" + "description": "Tools that implement this method" + } } }, - "standard": { + "securityPolicy": { "type": "object", - "title": "Standard", - "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Name", - "description": "The name of the standard. This will often be a shortened, single name of the standard." 
+ "description": "Policy name" }, - "version": { + "type": { "type": "string", - "title": "Version", - "description": "The version of the standard." + "enum": [ + "access-control", + "data-protection", + "network-security", + "application-security", + "operational-security", + "compliance" + ], + "description": "Type of security policy" }, "description": { "type": "string", - "title": "Description", - "description": "The description of the standard." - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard, often the entity responsible for its release." + "description": "Policy description" }, "requirements": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" }, - "levels": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" + "enforcement": { + "type": "string", + "enum": [ + "mandatory", + "recommended", + "optional" + ], + "description": "Enforcement level" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "appliesTo": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets this policy applies to" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" } } }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirements comprising the standard.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" - } + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": [ + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" + ], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] }, - "requirement": { + "boundarySecurityRequirements": { "type": "object", - "title": "Requirement", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." - }, - "identifier": { + "authenticationStrength": { "type": "string", - "title": "Identifier", - "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." 
+ "enum": [ + "none", + "weak", + "moderate", + "strong", + "very-strong" + ], + "description": "Required authentication strength" }, - "title": { + "authorizationGranularity": { "type": "string", - "title": "Title", - "description": "The title of the requirement." + "enum": [ + "coarse", + "medium", + "fine", + "very-fine" + ], + "description": "Authorization granularity required" }, - "text": { + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { "type": "string", - "title": "Text", - "description": "The textual content of the requirement." + "enum": [ + "none", + "basic", + "detailed", + "comprehensive" + ], + "description": "Level of auditing required" }, - "descriptions": { + "dataValidationRules": { "type": "array", - "title": "Descriptions", - "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", "items": { "type": "string" - } - }, - "openCre": { - "type": "array", - "title": "OWASP OpenCRE Identifier(s)", - "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", - "items": { - "type": "string", - "pattern": "^CRE:[0-9]+-[0-9]+$", - "examples": [ - "CRE:764-507" - ] - } - }, - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Parent BOM Reference", - "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. 
Top-level requirements must not define a parent. Only child requirements should define parents." - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "description": "Data validation rules at boundary" } } + } + } + }, + "cyclonedx-usecase-2.0": { + "type": "null", + "title": "CycloneDX Use Case Model", + "properties": { + "bom-ref": { + "type": "string", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM." }, - "levels": { + "name": { + "type": "string", + "title": "Name", + "description": "The name or title of the use case." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the use case." + }, + "actors": { "type": "array", - "title": "Levels", - "description": "The list of levels associated with the standard. 
Some standards have different levels of compliance.", + "title": "Actors", + "description": "The stakeholders or users who interact with the system in this use case.", "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" + "type": "string" } }, - "level": { + "preconditions": { + "type": "array", + "title": "Preconditions", + "description": "Conditions that must be true before the use case can be executed.", + "items": { + "type": "string" + } + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "description": "Conditions that will be true after the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "description": "The primary sequence of steps that describe the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + } + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "description": "Alternative sequences of steps that may occur in the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" + } + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "description": "Error scenarios that may occur during the execution of the use case.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" + } + }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "description": "Criteria that determine whether the use case has been successfully executed.", + "items": { + "type": "string" + } + }, + "notes": { + "type": "array", + "title": "Notes", + "description": "Additional information or comments about the use case.", + "items": { + "type": "string" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/property" + } + } + }, + "$defs": { + "step": { "type": "object", - "title": "Level", + "title": "Step", + "description": "A single step in a use case flow.", "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "number": { + "type": "integer", + "title": "Number", + "description": "The sequence number of the step." }, - "identifier": { + "description": { "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level." + "title": "Description", + "description": "A description of the step." }, - "title": { + "actor": { "type": "string", - "title": "Title", - "description": "The title of the level." + "title": "Actor", + "description": "The actor who performs this step." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "A sequence of steps in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the flow." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level." + "description": "A description of the flow." }, - "requirements": { + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this alternative flow is executed." 
+ }, + "steps": { "type": "array", - "title": "Requirements", - "description": "The list of requirement `bom-ref`s that comprise the level.", + "title": "Steps", + "description": "The sequence of steps in the flow.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" } } } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error scenario in a use case.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the exception." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the exception." + }, + "condition": { + "type": "string", + "title": "Condition", + "description": "The condition under which this exception occurs." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "How the exception is handled." + } + } + }, + "property": { + "type": "object", + "title": "Property", + "description": "A name-value property.", + "additionalProperties": false, + "required": [ + "name", + "value" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } } } }, From e8f7aba603fad40c40d8d067a8957eae05bbd614 Mon Sep 17 00:00:00 2001 From: Petra Date: Sun, 7 Dec 2025 18:36:51 +0000 Subject: [PATCH 09/44] adressed comments and reviewed further the schema --- .../model/cyclonedx-blueprint-2.0.schema.json | 54 ++++++++++++++-- .../2.0/model/cyclonedx-risk-2.0.schema.json | 2 +- .../model/cyclonedx-threat-2.0.schema.json | 63 ++++++++++++++----- 3 files changed, 99 insertions(+), 20 deletions(-) diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index 0659c6599..967262e88 100644 
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -81,6 +81,13 @@ }, "description": "Data, control, or process flows between assets" }, + "actors": { + "type": "array", + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, "assumptions": { "type": "array", "items": { @@ -88,6 +95,49 @@ }, "description": "Assumptions made during the modeling process" }, + "actor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the actor" + }, + "name": { + "type": "string", + "description": "Name or title of the actor" + }, + "description": { + "type": "string", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "enum": ["user", "engineer", "administrator", "operator", "system", "external"], + "description": "Classification of the actor", + "meta:enum": { + "user": "End user of a client application or service", + "engineer": "Developer or platform/DevOps engineer", + "administrator": "Administrative or privileged operator", + "operator": "Operational staff running the system", + "system": "Automated system actor or service account", + "external": "Third-party or external entity" + } + }, + "permissions": { + "type": "string", + "description": "Key permissions, capabilities, or duties the actor holds" + }, + "trustZone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the trust zone where the actor resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "visualizations": { "type": "array", "items": { 
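Review bot: The new `actors` array in the first hunk points at `#/$defs/actor`, but the `actor` object added in the second hunk (`@@ -88,6 +95,49 @@`) is inserted between `assumptions` and `visualizations`; if those siblings are the model's `properties` rather than `$defs` entries, the reference will not resolve and `actor` silently becomes an always-optional property of the model object instead of a definition. Please confirm which object encloses line 95 of the new file — that object starts and ends outside both hunks — and move the definition under `$defs` if that is the case. Separately, `permissions` is a single free-text string next to a closed `type` enum, so its description should say what it is meant to hold, e.g. `"description": "Human-readable summary of the key permissions, capabilities, or duties the actor holds; not a machine-readable grant list"`.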
@@ -335,8 +385,6 @@
 "compliance",
 "risk",
 "stakeholder",
- "use-case",
- "abuse-case",
 "design-review",
 "custom"
 ],
@@ -357,8 +405,6 @@
 "compliance": "Regulatory compliance perspective",
 "risk": "Risk management perspective",
 "stakeholder": "General stakeholder perspective",
- "use-case": "A high level persepctive that captures the data-flows of the use case, rather than deep granularity of systems",
- "abuse-case": "A high level persepctive that captures the data-flows of a certain abuse case, rather than deep granularity of systems",
 "custom": "Custom or other perspective"
 }
 },
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
index 2aa6783c2..2f46e5b3a 100644
--- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
@@ -159,7 +159,7 @@
 "type": "string",
 "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"],
 "meta:enum": {
- "threat": "Security threat scenario",
+ "threat": "Threat scenario",
 "vulnerability": "Exploitable vulnerability",
 "weakness": "System or design weakness",
 "risk": "General risk scenario",
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
index 51d3173ef..63c50aeb9 100644
--- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -26,6 +26,13 @@
 "attackPattern": {
 "$ref": "#/$defs/attackPatternReference"
 },
+ "abuseCases": {
+ "type": "array",
+ "items": {
+ "$ref": "#/$defs/abuseCase"
+ },
+ "description": "Abuse or misuse cases that illustrate how this threat can be exercised"
+ },
 "weakness": {
 "$ref": "#/$defs/weaknessReference"
 },
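Review bot: The `abuseCases` array added at `@@ -26,6 +26,13 @@` has no `"uniqueItems": true`, so the same abuse case can be listed twice under one threat; the `targets` array in the `abuseCase` definition in the following threat hunks has the same gap. The behavior model later in this series sets `uniqueItems` on every array of `bom-ref`s, and doing the same here keeps the models consistent: add `"uniqueItems": true,` before `"items"`. The enclosing threat object starts before this hunk.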
@@ -174,11 +181,6 @@
 },
 "description": "Primary motivations"
 },
- "capability": {
- "type": "string",
- "enum": ["minimal", "limited", "moderate", "significant", "advanced"],
- "description": "Overall capability level"
- },
 "intent": {
 "type": "string",
 "enum": ["accidental", "opportunistic", "targeted", "persistent"],
@@ -219,7 +221,10 @@
 },
 "complexity": {
 "type": "string",
- "enum": ["low", "high"],
+ "enum": [
+ "low",
+ "high"
+ ],
 "description": "Attack complexity"
 },
 "privileges": {
@@ -239,6 +244,42 @@
 }
 }
 },
+ "abuseCase": {
+ "type": "object",
+ "required": ["bom-ref", "name"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the abuse case"
+ },
+ "description": {
+ "type": "string",
+ "description": "Narrative describing how the system can be misused or abused"
+ },
+ "abuser": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference (bom-ref) to a threat actor involved in the abuse case"
+ },
+ "targets": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References (bom-refs) to assets or flows targeted in this abuse case"
+ },
+ "steps": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Ordered steps the abuser follows"
+ }
+ }
+ },
 "attackPattern": {
 "type": "object",
 "required": ["bom-ref", "name"],
@@ -259,14 +300,6 @@
 "type": "string",
 "description": "Description of the attack pattern"
 },
- "severity": {
- "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/severity"
- },
- "likelihood": {
- "type": "string",
- "enum": ["low", "medium", "high"],
- "description": "Likelihood of this pattern being used"
- },
 "prerequisites": {
 "type": "array",
 "items": {
@@ -768,4 +801,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
From 53cfdd1286ecf3908a9a6d79c6642fec929b10d6 Mon Sep 17 00:00:00 2001
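Review bot: `abuseCase.steps` in hunk `@@ -239,6 +244,42 @@` is an array of free-form strings, whereas the use-case model earlier in this series gives flows a structured step (`#/$defs/cyclonedx-usecase-2.0/$defs/step`); prose steps cannot reference the assets, flows or actor they touch, so an abuse case cannot be cross-checked against the blueprint it abuses. Reusing a structured step object, or at least stating in the `description` that each entry is narrative text, would make the intent explicit. `abuser` is a single reference while its description says 'a threat actor involved'; if several actors can take part, an array of `bom-ref`s fits better and mirrors `targets`.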
From: Petra
Date: Sun, 7 Dec 2025 18:46:53 +0000
Subject: [PATCH 10/44] fixed naming inconsistency
---
 schema/2.0/model/cyclonedx-blueprint-2.0.schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index 967262e88..cd64d1a3b 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -130,7 +130,7 @@
 "description": "Key permissions, capabilities, or duties the actor holds"
 },
 "trustZone": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "$ref": "#/$defs/trustZoneRef",
 "description": "Reference to the trust zone where the actor resides"
 },
 "properties": {
From c6e1657215aaae4ffc877c13223bbdc071316625 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Tue, 9 Dec 2025 21:39:13 -0600
Subject: [PATCH 11/44] Fixed JSON issue
Signed-off-by: Steve Springett
---
 schema/2.0/model/cyclonedx-blueprint-2.0.schema.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index 6543af3bf..30a683106 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -1350,7 +1350,12 @@
 "properties": {
 "level": {
 "type": "string",
- "enum": ["public", "internal", "confidential", "restricted"],
+ "enum": [
+ "public",
+ "internal",
+ "confidential",
+ "restricted"
+ ],
 "description": "Data sensitivity classification",
 "meta:enum": {
 "public": "Public information that can be freely shared",
@@ -1358,6 +1363,7 @@
 "confidential": "Confidential information requiring protection",
 "restricted": "Highly restricted information with limited access and special protection measures"
 }
+ },
 "sensitivity": {
 "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
 },
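Review bot: With the added `},` at `@@ -1358,6 +1363,7 @@` closing `level`, the definition now carries both a `level` enum described as 'Data sensitivity classification' and a sibling `sensitivity` property referencing `cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity`, and nothing stops a document from giving the two contradicting values. If both are intended, the `level` description should state how it differs from `sensitivity`; otherwise one of them should go. The enclosing definition starts before this hunk, so this is inferred from the visible properties only.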
From 941fa1fd6adc8e6bcbbc9877ee482416e4358f2f Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Sun, 14 Dec 2025 21:05:43 -0600
Subject: [PATCH 12/44] Initial checkin of behavior model. Should satisfy goals outlined in #670. Blueprints working group will continue to iterate and validate.
Signed-off-by: Steve Springett
---
 .../model/cyclonedx-behavior-2.0.schema.json | 1688 +++++++++++++++++
 1 file changed, 1688 insertions(+)
 create mode 100644 schema/2.0/model/cyclonedx-behavior-2.0.schema.json
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
new file mode 100644
index 000000000..58f0914e8
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
@@ -0,0 +1,1688 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Behavior Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "properties": {
+ "behaviors": {
+ "$ref": "#/$defs/behaviors"
+ }
+ },
+ "$defs": {
+ "trigger": {
+ "type": "string",
+ "title": "Trigger",
+ "description": "The condition or event that initiates a behavior.",
+ "enum": [
+ "startup",
+ "shutdown",
+ "scheduled",
+ "event-driven",
+ "user-initiated",
+ "api-call",
+ "signal",
+ "condition-based",
+ "continuous",
+ "on-demand",
+ "unknown"
+ ],
+ "meta:enum": {
+ "startup": "Triggered during system or component initialisation.",
+ "shutdown": "Triggered during system or component termination.",
+ "scheduled": "Triggered at predetermined times or intervals.",
+ "event-driven": "Triggered in response to a specific event.",
+ "user-initiated": "Triggered by explicit user action.",
+ "api-call": "Triggered by an API invocation.",
+ "signal": "Triggered by a system or inter-process signal.",
+ "condition-based": "Triggered when specific conditions are met.",
+ "continuous": "Runs continuously during normal operation.",
+ "on-demand": "Triggered on demand as needed.",
+ "unknown": "The trigger mechanism is not known."
+ }
+ },
+ "ordering": {
+ "type": "string",
+ "title": "Ordering",
+ "description": "Execution semantics for steps within a flow.",
+ "default": "sequential",
+ "enum": [
+ "sequential",
+ "unordered",
+ "parallel",
+ "conditional"
+ ],
+ "meta:enum": {
+ "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
+ "unordered": "All steps execute, but order is not guaranteed.",
+ "parallel": "Steps may execute concurrently.",
+ "conditional": "Step execution is determined by runtime conditions."
+ }
+ },
+ "acknowledgment": {
+ "type": "array",
+ "title": "Acknowledgment",
+ "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "enum": [
+ "declared",
+ "observed"
+ ],
+ "meta:enum": {
+ "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+ "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."
+ }
+ }
+ },
+ "behaviors": {
+ "type": "object",
+ "title": "Behaviors",
+ "description": "Behaviors performed by objects within the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "instances": {
+ "type": "array",
+ "title": "Instances",
+ "description": "Individual behavior instances.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorInstance"
+ }
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "description": "Behavior flows that organise behaviors into operational patterns.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorFlow"
+ }
+ }
+ }
+ },
+ "behaviorInstance": {
+ "type": "object",
+ "title": "Behavior Instance",
+ "description": "A behavior performed by one or more objects within the BOM.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "behavior"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior from the taxonomy."
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ }
+ },
+ "behaviorFlow": {
+ "type": "object",
+ "title": "Behavior Flow",
+ "description": "An organised collection of behaviors forming a coherent process.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "steps"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "ordering": {
+ "$ref": "#/$defs/ordering"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The steps that comprise this flow.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/flowStep"
+ }
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "anyOf": [
+ { "properties": { "ordering": { "const": "sequential" } }, "required": ["ordering"] },
+ { "not": { "required": ["ordering"] } }
+ ]
+ },
+ "then": {
+ "properties": {
+ "steps": {
+ "items": {
+ "required": ["ordinal"]
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "flowStep": {
+ "type": "object",
+ "title": "Flow Step",
+ "description": "A single step within a behavior flow.",
+ "additionalProperties": false,
+ "properties": {
+ "ordinal": {
+ "type": "integer",
+ "title": "Ordinal",
+ "description": "Position within the flow. Required when ordering is 'sequential' or omitted.",
+ "minimum": 1
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Behavior Reference",
+ "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."
+ },
+ "flow": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Flow Reference",
+ "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ },
+ "oneOf": [
+ { "required": ["behavior"] },
+ { "required": ["ref"] },
+ { "required": ["flow"] }
+ ]
+ },
+ "behavior": {
+ "type": "string",
+ "title": "Behavior",
+ "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.",
+ "enum": [
+ "ai",
+ "ai:agent",
+ "ai:agent:actsOnBehalfOfUser",
+ "ai:agent:coordinatesAgents",
+ "ai:agent:delegatesTask",
+ "ai:agent:executesAction",
+ "ai:agent:invokesTool",
+ "ai:agent:observesResult",
+ "ai:agent:plansAction",
+ "ai:agent:receivesHumanDelegation",
+ "ai:agent:reflectsOnResult",
+ "ai:agent:reportsDelegatedAction",
+ "ai:agent:requestsUserApproval",
+ "ai:agent:returnsDelegation",
+ "ai:agent:revisesPlan",
+ "ai:explainability",
+ "ai:explainability:attributesFeatures",
+ "ai:explainability:documentsModel",
+ "ai:explainability:explainsDecision",
+ "ai:explainability:tracesPrediction",
+ "ai:explainability:visualizesModel",
+ "ai:fairness",
+ "ai:fairness:auditsModelFairness",
+ "ai:fairness:calculatesFairnessMetric",
+ "ai:fairness:detectsBias",
+ "ai:fairness:handlesProtectedAttribute",
+ "ai:fairness:mitigatesBias",
+ "ai:generative",
+ "ai:generative:citesSource",
+ "ai:generative:filtersOutput",
+ "ai:generative:generatesAudio",
+ "ai:generative:generatesCode",
+ "ai:generative:generatesEmbedding",
+ "ai:generative:generatesImage",
+ "ai:generative:generatesText",
+ "ai:generative:mitigatesHallucination",
+ "ai:generative:processesPrompt",
+ "ai:generative:streamsResponse",
+ "ai:inference",
+ "ai:inference:appliesThreshold",
+ "ai:inference:batchesInference",
+ "ai:inference:cachesPrediction",
+ "ai:inference:ensemblesModels",
+ "ai:inference:generatesPrediction",
+ "ai:inference:infersInRealTime",
+ "ai:inference:ranksResults",
+ "ai:inference:scoresConfidence",
+ "ai:management",
+ "ai:management:comparesModels",
+ "ai:management:deploysModel",
+ "ai:management:loadsModel",
+ "ai:management:monitorsModel",
+ "ai:management:retiresModel",
+ "ai:management:rollsBackModel",
+ "ai:management:unloadsModel",
+ "ai:management:versionsModel",
+ "ai:quality",
+ "ai:quality:detectsConceptDrift",
+ "ai:quality:detectsDataDrift",
+ "ai:quality:detectsOutlier",
+ "ai:quality:engineersFeatures",
+ "ai:quality:selectsFeatures",
+ "ai:quality:validatesInputData",
+ "ai:robustness",
+ "ai:robustness:defendsAgainstAdversarial",
+ "ai:robustness:detectsAdversarialInput",
+ "ai:robustness:detectsOutOfDistribution",
+ "ai:robustness:estimatesUncertainty",
+ "ai:robustness:validatesRobustness",
+ "ai:training",
+ "ai:training:appliesTransferLearning",
+ "ai:training:checkpointsModel",
+ "ai:training:fineTunesModel",
+ "ai:training:ingestsTrainingData",
+ "ai:training:preprocessesTrainingData",
+ "ai:training:trainsFederatedly",
+ "ai:training:trainsModel",
+ "ai:training:tunesHyperparameters",
+ "ai:training:validatesModel",
+ "ai:training:validatesTrainingData",
+ "application",
+ "application:codeExecution",
+ "application:codeExecution:compilesCode",
+ "application:codeExecution:evaluatesExpression",
+ "application:codeExecution:executesNativeCommand",
+ "application:codeExecution:executesScript",
+ "application:codeExecution:interpretsCode",
+ "application:codeExecution:invokesViaReflection",
+ "application:codeExecution:loadsCodeDynamically",
+ "application:configuration",
+ "application:configuration:detectsEnvironment",
+ "application:configuration:evaluatesFeatureFlag",
+ "application:configuration:loadsConfiguration",
+ "application:configuration:reloadsConfiguration",
+ "application:controlFlow",
+ "application:controlFlow:awaitsAsyncResult",
+ "application:controlFlow:catchesException",
+ "application:controlFlow:emitsEvent",
+ "application:controlFlow:handlesEvent",
+ "application:controlFlow:invokesCallback",
+ "application:controlFlow:invokesHandler",
+ "application:controlFlow:invokesMiddleware",
+ "application:controlFlow:schedulesAsyncOperation",
+ "application:controlFlow:throwsException",
+ "application:dependencyManagement",
+ "application:dependencyManagement:closesCircuitBreaker",
+ "application:dependencyManagement:fallsBack",
+ "application:dependencyManagement:injectsDependency",
+ "application:dependencyManagement:opensCircuitBreaker",
+ "application:dependencyManagement:resolvesDependency",
+ "application:externalIntegration",
+ "application:externalIntegration:callsExternalService",
+ "application:externalIntegration:consumesEvent",
+ "application:externalIntegration:publishesEvent",
+ "application:externalIntegration:receivesWebhook",
+ "application:observability",
+ "application:observability:emitsTelemetry",
+ "application:observability:logsOperation",
+ "application:observability:recordsMetric",
+ "application:observability:reportsHealth",
+ "application:observability:tracesRequest",
+ "application:requestHandling",
+ "application:requestHandling:authenticatesRequest",
+ "application:requestHandling:authorizesRequest",
+ "application:requestHandling:bindsParameters",
+ "application:requestHandling:parsesRequest",
+ "application:requestHandling:receivesHttpRequest",
+ "application:requestHandling:rejectsRequest",
+ "application:requestHandling:routesRequest",
+ "application:requestHandling:validatesRequest",
+ "application:responseGeneration",
+ "application:responseGeneration:generatesResponse",
+ "application:responseGeneration:readsCookie",
+ "application:responseGeneration:redirectsRequest",
+ "application:responseGeneration:returnsError",
+ "application:responseGeneration:returnsSuccess",
+ "application:responseGeneration:sendsHttpResponse",
+ "application:responseGeneration:setsCookie",
+ "application:responseGeneration:setsHeader",
+ "application:stateManagement",
+ "application:stateManagement:acquiresLock",
+ "application:stateManagement:beginsTransaction",
+ "application:stateManagement:commitsTransaction",
+ "application:stateManagement:createsSessionState",
+ "application:stateManagement:destroysSessionState",
+ "application:stateManagement:readsSessionState",
+ "application:stateManagement:releasesLock",
+ "application:stateManagement:rollsBackTransaction",
+ "application:stateManagement:synchronizesState",
+ "application:stateManagement:updatesSessionState",
+ "data",
+ "data:encoding",
+ "data:encoding:appliesXor",
+ "data:encoding:decodesBaseSixtyFour",
+ "data:encoding:decodesUrl",
+ "data:encoding:encodesBaseSixtyFour",
+ "data:encoding:encodesUrl",
+ "data:ingestion",
+ "data:ingestion:pollsSource",
+ "data:ingestion:readsFile",
+ "data:ingestion:readsStream",
+ "data:ingestion:receivesInput",
+ "data:ingestion:receivesMessage",
+ "data:ingestion:receivesRequest",
+ "data:ingestion:subscribesToFeed",
+ "data:output",
+ "data:output:formatsResponse",
+ "data:output:producesOutput",
+ "data:output:publishesMessage",
+ "data:output:rendersTemplate",
+ "data:output:sendsResponse",
+ "data:output:serializesObject",
+ "data:output:streamsOutput",
+ "data:output:writesFile",
+ "data:parsing",
+ "data:parsing:decodesData",
+ "data:parsing:deserializesObject",
+ "data:parsing:extractsFields",
+ "data:parsing:parsesData",
+ "data:parsing:parsesHtml",
+ "data:parsing:parsesJson",
+ "data:parsing:parsesXml",
+ "data:query",
+ "data:query:executesLdapQuery",
+ "data:query:executesNoSqlQuery",
+ "data:query:executesSearch",
+ "data:query:executesSql",
+ "data:query:executesXPath",
+ "data:query:queriesData",
+ "data:storage",
+ "data:storage:cachesData",
+ "data:storage:deletesData",
+ "data:storage:flushesCache",
+ "data:storage:invalidatesCache",
+ "data:storage:retrievesData",
+ "data:storage:storesData",
+ "data:storage:updatesData",
+ "data:transformation",
+ "data:transformation:aggregatesData",
+ "data:transformation:compressesData",
+ "data:transformation:decompressesData",
+ "data:transformation:encodesData",
+ "data:transformation:enrichesData",
+ "data:transformation:filtersData",
+ "data:transformation:joinsData",
+ "data:transformation:mapsData",
+ "data:transformation:normalizesData",
+ "data:transformation:sortsData",
+ "data:transformation:transformsData",
+ "evasion",
+ "evasion:analysisResistance",
+ "evasion:analysisResistance:detectsAnalysisTool",
+ "evasion:analysisResistance:detectsDebugger",
+ "evasion:analysisResistance:detectsEmulator",
+ "evasion:analysisResistance:detectsSandbox",
+ "evasion:analysisResistance:detectsVirtualMachine",
+ "evasion:analysisResistance:evadesDebugger",
+ "evasion:analysisResistance:evadesEmulator",
+ "evasion:analysisResistance:evadesSandbox",
+ "evasion:analysisResistance:evadesVirtualMachine",
+ "evasion:analysisResistance:usesTimingEvasion",
+ "evasion:antiSecurity",
+ "evasion:antiSecurity:detectsAntivirus",
+ "evasion:antiSecurity:disablesSecuritySoftware",
+ "evasion:antiSecurity:evadesAntivirus",
+ "evasion:antiSecurity:terminatesSecurityProcess",
+ "evasion:indirection",
+ "evasion:indirection:resolvesApiDynamically",
+ "evasion:indirection:usesIndirectCalls",
+ "evasion:indirection:usesProxyExecution",
+ "evasion:obfuscation",
+ "evasion:obfuscation:obfuscatesCode",
+ "evasion:obfuscation:obfuscatesControlFlow",
+ "evasion:obfuscation:obfuscatesData",
+ "evasion:obfuscation:obfuscatesStrings",
+ "evasion:obfuscation:packsCode",
+ "evasion:obfuscation:unpacksAtRuntime",
+ "file",
+ "file:directory",
+ "file:directory:changesDirectory",
+ "file:directory:createsDirectory",
+ "file:directory:deletesDirectory",
+ "file:directory:listsDirectory",
+ "file:directory:traversesDirectory",
+ "file:disk",
+ "file:disk:decryptsVolume",
+ "file:disk:encryptsVolume",
+ "file:disk:formatsVolume",
+ "file:disk:mountsVolume",
+ "file:disk:unmountsVolume",
+ "file:disk:wipesDisk",
+ "file:operations",
+ "file:operations:appendsToFile",
+ "file:operations:checksFileExistence",
+ "file:operations:closesFile",
+ "file:operations:copiesFile",
+ "file:operations:createsFile",
+ "file:operations:deletesFile",
+ "file:operations:getsFileAttributes",
+ "file:operations:movesFile",
+ "file:operations:opensFile",
+ "file:operations:readsFile",
+ "file:operations:renamesFile",
+ "file:operations:setsFileAttributes",
+ "file:operations:setsFilePermissions",
+ "file:operations:writesFile",
+ "gui",
+ "gui:display",
+ "gui:display:displaysData",
+ "gui:display:monitorsDisplay",
+ "gui:display:updatesDisplay",
+ "gui:session",
+ "gui:session:displaysLogin",
+ "gui:session:interactsWithSession",
+ "gui:session:switchesSession",
+ "gui:window",
+ "gui:window:capturesWindow",
+ "gui:window:createsWindow",
+ "gui:window:destroysWindow",
+ "gui:window:enumeratesWindows",
+ "gui:window:interactsWithTaskbar",
+ "gui:window:modifiesWindow",
+ "hardware",
+ "hardware:actuator",
+ "hardware:actuator:calibratesActuator",
+ "hardware:actuator:controlsBattery",
+ "hardware:actuator:controlsHeating",
+ "hardware:actuator:controlsLed",
+ "hardware:actuator:controlsMotor",
+ "hardware:actuator:controlsPower",
+ "hardware:actuator:controlsPump",
+ "hardware:actuator:controlsTemperature",
+ "hardware:boot",
+ "hardware:boot:entersRecoveryMode",
+ "hardware:boot:executesSecureBoot",
+ "hardware:boot:locksBootConfiguration",
+ "hardware:boot:modifiesBootConfiguration",
+ "hardware:boot:readsBootConfiguration",
+ "hardware:boot:recordsBootMeasurement",
+ "hardware:boot:verifiesBootLoader",
+ "hardware:firmware",
+ "hardware:firmware:monitorsFirmwareIntegrity",
+ "hardware:firmware:preventsFirmwareRollback",
+ "hardware:firmware:readsFirmwareVersion",
+ "hardware:firmware:updatesFirmware",
+ "hardware:firmware:verifiesFirmwareSignature",
+ "hardware:memory",
+ "hardware:memory:encryptsMemory",
+ "hardware:memory:isolatesMemory",
+ "hardware:memory:protectsStack",
+ "hardware:memory:randomizesAddressSpace",
+ "hardware:memory:readsProtectedMemory",
+ "hardware:memory:writesProtectedMemory",
+ "hardware:peripheral",
+ "hardware:peripheral:accessesCamera",
+ "hardware:peripheral:accessesDisplay",
+ "hardware:peripheral:accessesGpio",
+ "hardware:peripheral:accessesJtag",
+ "hardware:peripheral:accessesKeyboard",
+ "hardware:peripheral:accessesStorageDevice",
+ "hardware:peripheral:accessesUsbDevice",
+ "hardware:peripheral:configuresDma",
+ "hardware:peripheral:protectsDma",
+ "hardware:physicalSecurity",
+ "hardware:physicalSecurity:detectsPhysicalTamper",
+ "hardware:physicalSecurity:disablesDebugInterface",
+ "hardware:physicalSecurity:enablesDebugInterface",
+ "hardware:physicalSecurity:monitorsEnclosure",
+ "hardware:physicalSecurity:respondsToTamper",
+ "hardware:physicalSecurity:zeroizesKeys",
+ "hardware:security",
+ "hardware:security:anchorsInHardwareRoot",
+ "hardware:security:executesInTee",
+ "hardware:security:generatesPufResponse",
+ "hardware:security:usesHsm",
+ "hardware:security:usesSecureElement",
+ "hardware:sensor",
+ "hardware:sensor:calibratesSensor",
+ "hardware:sensor:readsBatteryStatus",
+ "hardware:sensor:readsBloodOxygen",
+ "hardware:sensor:readsBloodPressure",
+ "hardware:sensor:readsCoTwoLevel",
+ "hardware:sensor:readsEcg",
+ "hardware:sensor:readsPowerStatus",
+ "hardware:sensor:readsTemperature",
+ "hardware:sideChannelDefense",
+ "hardware:sideChannelDefense:controlsEmEmissions",
+ "hardware:sideChannelDefense:resistsFaultInjection",
+ "hardware:sideChannelDefense:resistsPowerAnalysis",
+ "hardware:sideChannelDefense:resistsTimingAnalysis",
+ "network",
+ "network:connection",
+ "network:connection:acceptsConnection",
+ "network:connection:detectsConnectionLoss",
+ "network:connection:establishesConnection",
+ "network:connection:reconnects",
+ "network:connection:reusesConnection",
+ "network:connection:sendsHeartbeat",
+ "network:connection:terminatesConnection",
+ "network:discovery",
+ "network:discovery:advertisesService",
+ "network:discovery:discoversService",
+ "network:discovery:enumeratesInterfaces",
+ "network:discovery:probesPort",
+ "network:discovery:queriesDns",
+ "network:discovery:resolvesName",
+ "network:discovery:scansNetwork",
+ "network:protocol",
+ "network:protocol:downgradesProtocol",
+ "network:protocol:framesMessage",
+ "network:protocol:negotiatesProtocol",
+ "network:protocol:parsesMessage",
+ "network:protocol:retransmitsMessage",
+ "network:protocol:upgradesProtocol",
+ "network:protocol:validatesMessage",
+ "network:remoteInteraction",
+ "network:remoteInteraction:accessesRemoteDesktop",
+ "network:remoteInteraction:accessesRemoteShell",
+ "network:remoteInteraction:executesRemoteCommand",
+ "network:remoteInteraction:invokesRemoteProcedure",
+ "network:remoteInteraction:sendsEmail",
+ "network:remoteInteraction:sendsSms",
+ "network:remoteInteraction:transfersFile",
+ "network:routing",
+ "network:routing:configuresProxy",
+ "network:routing:forwardsPacket",
+ "network:routing:redirectsTraffic",
+ "network:routing:routesTraffic",
+ "network:routing:tunnelsTraffic",
+ "network:trafficControl",
+ "network:trafficControl:balancesLoad",
+ "network:trafficControl:filtersTraffic",
+ "network:trafficControl:inspectsTraffic",
+ "network:trafficControl:interceptsTraffic",
+ "network:trafficControl:limitsRate",
+ "network:trafficControl:modifiesTraffic",
+ "network:trafficControl:shapesTraffic",
+ "network:transmission",
+ "network:transmission:broadcastsData",
+ "network:transmission:multicastsData",
+ "network:transmission:receivesData",
+ "network:transmission:sendsData",
+ "network:transmission:streamsData",
+ "privacy",
+ "privacy:collection",
+ "privacy:collection:capturesAudio",
+ "privacy:collection:capturesKeystrokes",
+ "privacy:collection:capturesScreen",
+ "privacy:collection:capturesVideo",
+ "privacy:collection:collectsBehavioralData",
+ "privacy:collection:collectsBiometricData",
+ "privacy:collection:collectsCommunicationContent",
+ "privacy:collection:collectsDeviceInformation",
+ "privacy:collection:collectsFinancialData",
+ "privacy:collection:collectsHealthData",
+ "privacy:collection:collectsInBackground",
+ "privacy:collection:collectsLocationData",
+ "privacy:collection:collectsPersonalData",
+ "privacy:collection:collectsSilently",
+ "privacy:collection:readsBrowserHistory",
+ "privacy:collection:readsClipboard",
+ "privacy:deletion",
+ "privacy:deletion:clearsCache",
+ "privacy:deletion:deletesPersonalData",
+ "privacy:deletion:erasesSecurely",
+ "privacy:deletion:purgesFromBackup",
+ "privacy:deletion:redactsData",
+ "privacy:inference",
+ "privacy:inference:correlatesData",
+ "privacy:inference:createsProfile",
+ "privacy:inference:fingerprintsDevice",
+ "privacy:inference:infersPersonalInformation",
+ "privacy:inference:linksIdentities",
+ "privacy:inference:tracksUser",
+ "privacy:minimization",
+ "privacy:minimization:aggregatesData",
+ "privacy:minimization:anonymizesData",
+ "privacy:minimization:filtersData",
+ "privacy:minimization:generalizesData",
+ "privacy:minimization:limitsCollection",
+ "privacy:minimization:limitsProcessing",
+ "privacy:minimization:pseudonymizesData",
+ "privacy:privacyEnhancement",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy",
+ "privacy:privacyEnhancement:computesMultiparty",
+ "privacy:privacyEnhancement:processesHomomorphically",
+ "privacy:privacyEnhancement:processesLocally",
+ "privacy:retention",
+ "privacy:retention:archivesData",
+ "privacy:retention:backsUpData",
+ "privacy:retention:enforcesRetentionPeriod",
+ "privacy:retention:retainsBeyondPurpose",
+ "privacy:retention:retainsInCache",
+ "privacy:retention:retainsInLog",
+ "privacy:retention:storesPersonalData",
+ "privacy:sharing",
+ "privacy:sharing:disclosesToThirdParty",
+ "privacy:sharing:exportsData",
+ "privacy:sharing:publishesData",
+ "privacy:sharing:sellsData",
+ "privacy:sharing:sharesWithAffiliate",
+ "privacy:sharing:transfersCrossBorder",
+ "privacy:subjectRights",
+ "privacy:subjectRights:correctsData",
+ "privacy:subjectRights:exportsDataPortably",
+ "privacy:subjectRights:honorsErasureRequest",
+ "privacy:subjectRights:honorsObjection",
+ "privacy:subjectRights:providesDataAccess",
+ "privacy:subjectRights:restrictsProcessing",
+ "privacy:transparency",
+ "privacy:transparency:disclosesProcessing",
+ "privacy:transparency:displaysPrivacyNotice",
+ "privacy:transparency:explainsAutomatedDecision",
+ "privacy:transparency:recordsConsent",
+ "privacy:transparency:requestsConsent",
+ "privacy:transparency:withdrawsConsent",
+ "safety",
+ "safety:autonomousBehavior",
+ "safety:autonomousBehavior:acceptsOverride",
+ "safety:autonomousBehavior:enforcesHumanInLoop",
+ "safety:autonomousBehavior:explainsDecision",
+ "safety:autonomousBehavior:requestsGuidance",
+ "safety:autonomousBehavior:respectsDecisionBoundary",
+ "safety:contentSafety",
+ "safety:contentSafety:detectsHarmfulContent",
+ "safety:contentSafety:detectsMisinformation",
+ "safety:contentSafety:enforcesAgeRestriction",
+ "safety:contentSafety:filtersContent",
+ "safety:contentSafety:labelsContent",
+ "safety:harmPrevention",
+ "safety:harmPrevention:preventsEnvironmentalHarm",
+ "safety:harmPrevention:preventsPropertyDamage",
+ "safety:harmPrevention:preventsUserHarm",
+ "safety:harmPrevention:protectsBystanders",
+ "safety:hazardManagement",
+ "safety:hazardManagement:assessesRisk",
+ "safety:hazardManagement:identifiesHazard",
+ "safety:hazardManagement:mitigatesHazard",
+ "safety:hazardManagement:reportsHazard",
+ "safety:humanInteraction",
+ "safety:humanInteraction:adaptsForAccessibility",
+ "safety:humanInteraction:managesCognitiveLoad",
+ "safety:humanInteraction:requestsConfirmation",
+ "safety:humanInteraction:warnsOperator",
+ "safety:operationalSafety",
+ "safety:operationalSafety:acceptsManualOverride",
+ "safety:operationalSafety:enforcesInterlock",
+ "safety:operationalSafety:enforcesOperatingLimits",
+ "safety:operationalSafety:executesEmergencyStop",
+ "safety:operationalSafety:monitorsWatchdog",
+ "safety:operationalSafety:validatesSafetyCondition",
+ "security",
+ "security:auditing",
+ "security:auditing:logsEvent",
+ "security:auditing:logsSecurityEvent",
+ "security:auditing:protectsAuditLog",
+ "security:auditing:purgesLog",
+ "security:auditing:rotatesLog",
+ "security:auditing:signsLogEntry",
+ "security:auditing:timestampsEvent",
+ "security:auditing:transmitsLog",
+ "security:authentication",
+ "security:authentication:authenticatesDevice",
+ "security:authentication:authenticatesService",
+ "security:authentication:authenticatesUser",
+ "security:authentication:bypassesAuthentication",
+ "security:authentication:capturesBiometric",
+ "security:authentication:delegatesAuthentication",
+ "security:authentication:failsAuthentication",
+ "security:authentication:locksAccount",
+ "security:authentication:performsMultiFactorAuthentication",
+ "security:authentication:promptsForCredentials",
+ "security:authentication:unlocksAccount",
+ "security:authentication:validatesBiometric",
+ "security:authentication:validatesCredentials",
+ "security:authorization",
+ "security:authorization:checksPermission",
+ "security:authorization:delegatesAuthority",
+ "security:authorization:deniesAccess",
+ "security:authorization:enforcesRole",
+ "security:authorization:escalatesPrivilege",
+ "security:authorization:evaluatesAttributes",
+ "security:authorization:evaluatesPolicy",
+ "security:authorization:grantsAccess",
+ "security:authorization:grantsImpersonation",
+ "security:authorization:impersonatesUser",
+ "security:authorization:requestsImpersonation",
+ "security:authorization:revokesAccess",
+ "security:authorization:revokesImpersonation",
+ "security:cryptography",
+ "security:cryptography:checksRevocation",
+ "security:cryptography:decryptsData",
+ "security:cryptography:destroysKey",
+ "security:cryptography:encryptsData",
+ "security:cryptography:exchangesKey",
+ "security:cryptography:generatesKey",
+ "security:cryptography:generatesRandomValue",
+ "security:cryptography:hashesData",
+ "security:cryptography:issuesCertificate",
+ "security:cryptography:retrievesKey",
+ "security:cryptography:revokesCertificate",
+ "security:cryptography:rotatesKey",
+ "security:cryptography:signsData",
+ "security:cryptography:storesKey",
+ "security:cryptography:validatesCertificate",
+ "security:cryptography:verifiesHash",
+ "security:cryptography:verifiesSignature",
+ "security:errorHandling",
+ "security:errorHandling:catchesException",
+ "security:errorHandling:disclosesErrorDetails",
+ "security:errorHandling:failsClosed",
+ "security:errorHandling:failsOpen",
+ "security:errorHandling:generatesError",
+ "security:errorHandling:logsError",
+ "security:errorHandling:propagatesError",
+ "security:errorHandling:returnsGenericError",
+ "security:errorHandling:suppressesError",
+ "security:inputHandling",
+ "security:inputHandling:escapesInput",
+ "security:inputHandling:normalizesInput",
+ "security:inputHandling:rejectsInvalidInput",
+ "security:inputHandling:sanitizesInput",
+ "security:inputHandling:truncatesInput",
+ "security:inputHandling:validatesFormat",
+ "security:inputHandling:validatesRange",
+ "security:inputHandling:validatesSchema",
+ "security:integrity",
+ "security:integrity:attestsIntegrity",
+ "security:integrity:detectsTampering",
+ "security:integrity:respondsToTampering",
+ "security:integrity:validatesComponent",
+ "security:integrity:verifiesIntegrity",
+ "security:integrity:verifiesProvenance",
+ "security:outputHandling",
+ "security:outputHandling:encodesOutput",
+ "security:outputHandling:enforcesContentPolicy",
+ "security:outputHandling:escapesOutput",
+ "security:outputHandling:filtersOutput",
+ "security:outputHandling:masksOutput",
+ "security:outputHandling:setsSecurityHeader",
+ "security:session",
+ "security:session:createsSession",
+ "security:session:detectsSessionHijacking",
+ "security:session:invalidatesSession",
+ "security:session:refreshesSession",
+ "security:session:regeneratesSessionId",
+ "security:session:terminatesSession",
+ "security:session:validatesSession",
+ "security:threatResponse",
+ "security:threatResponse:blocksRequest",
+ "security:threatResponse:blocksSource",
+ "security:threatResponse:collectsForensicData",
+ 
"security:threatResponse:detectsAnomaly", + "security:threatResponse:detectsIntrusion", + "security:threatResponse:initiatesIncidentResponse", + "security:threatResponse:quarantinesElement", + "security:threatResponse:raisesAlert", + "system", + "system:configuration", + "system:configuration:deletesRegistryKey", + "system:configuration:modifiesGroupPolicy", + "system:configuration:readsConfigurationFile", + "system:configuration:readsEnvironmentVariable", + "system:configuration:readsGroupPolicy", + "system:configuration:readsRegistry", + "system:configuration:setsEnvironmentVariable", + "system:configuration:writesConfigurationFile", + "system:configuration:writesRegistry", + "system:informationGathering", + "system:informationGathering:detectsOsVersion", + "system:informationGathering:gathersSystemInformation", + "system:informationGathering:queriesHardwareInformation", + "system:informationGathering:retrievesHostname", + "system:kernelInteraction", + "system:kernelInteraction:hooksKernelFunction", + "system:kernelInteraction:installsDriver", + "system:kernelInteraction:readsKernelMemory", + "system:kernelInteraction:writesKernelMemory", + "system:lifecycle", + "system:lifecycle:appliesUpdate", + "system:lifecycle:decommissions", + "system:lifecycle:initializes", + "system:lifecycle:performsSelfTest", + "system:lifecycle:provisions", + "system:lifecycle:rollsBack", + "system:lifecycle:shutsDown", + "system:operationalState", + "system:operationalState:entersFailSafeState", + "system:operationalState:entersFailSecureState", + "system:operationalState:operatesInDegradedMode", + "system:operationalState:operatesNormally", + "system:operationalState:performsEmergencyShutdown", + "system:persistence", + "system:persistence:createsScheduledTask", + "system:persistence:installsAsService", + "system:persistence:loadsAsKernelModule", + "system:persistence:registersForStartup", + "system:persistence:removesPersistence", + "system:processControl", + 
"system:processControl:createsProcess", + "system:processControl:dumpsProcessMemory", + "system:processControl:enumeratesProcesses", + "system:processControl:hooksFunction", + "system:processControl:injectsCodeIntoProcess", + "system:processControl:modifiesProcess", + "system:processControl:resumesProcess", + "system:processControl:suspendsProcess", + "system:processControl:terminatesProcess", + "system:resilience", + "system:resilience:activatesRedundancy", + "system:resilience:degradesGracefully", + "system:resilience:detectsFault", + "system:resilience:recoversFromFailure", + "system:resilience:toleratesFault", + "system:resourceManagement", + "system:resourceManagement:allocatesMemory", + "system:resourceManagement:deallocatesMemory", + "system:resourceManagement:handlesResourceExhaustion", + "system:resourceManagement:managesPowerState", + "system:resourceManagement:readsFromStorage", + "system:resourceManagement:resumesThread", + "system:resourceManagement:spawnsThread", + "system:resourceManagement:suspendsThread", + "system:resourceManagement:terminatesThread", + "system:resourceManagement:writesToStorage", + "system:serviceControl", + "system:serviceControl:createsService", + "system:serviceControl:deletesService", + "system:serviceControl:enumeratesServices", + "system:serviceControl:modifiesService", + "system:serviceControl:startsService", + "system:serviceControl:stopsService", + "system:synchronization", + "system:synchronization:acquiresMutex", + "system:synchronization:releasesMutex", + "system:synchronization:signalsEvent", + "system:synchronization:signalsSemaphore", + "system:synchronization:waitsOnEvent", + "system:synchronization:waitsOnSemaphore", + "system:timing", + "system:timing:delaysExecution", + "system:timing:enforcesDeadline", + "system:timing:executesScheduledTask", + "system:timing:resetsWatchdog", + "system:timing:synchronizesClock", + "system:timing:triggersTimeout", + "system:timing:waits", + "system:userManagement", + 
"system:userManagement:createsUserAccount", + "system:userManagement:deletesUserAccount", + "system:userManagement:elevatesPrivileges", + "system:userManagement:enumeratesUsers", + "system:userManagement:impersonatesUser", + "system:userManagement:modifiesUserAccount" + ], + "meta:enum": { + "ai": "Behaviours relating to artificial intelligence and machine learning operations.", + "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", + "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", + "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.", + "ai:agent:delegatesTask": "The entity assigns work to another agent.", + "ai:agent:executesAction": "The entity performs planned step.", + "ai:agent:invokesTool": "The entity calls external capability.", + "ai:agent:observesResult": "The entity captures action outcome.", + "ai:agent:plansAction": "The entity determines steps to achieve goal.", + "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", + "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", + "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", + "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", + "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", + "ai:agent:revisesPlan": "The entity modifies approach based on results.", + "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", + "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", + "ai:explainability:documentsModel": "The entity records model design and behaviour.", + "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", + "ai:explainability:tracesPrediction": "The entity records basis for output.", + "ai:explainability:visualizesModel": "The 
entity renders model behaviour graphically.", + "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", + "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", + "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", + "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", + "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", + "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", + "ai:generative": "Behaviours that produce content using generative models.", + "ai:generative:citesSource": "The entity attributes generated content.", + "ai:generative:filtersOutput": "The entity screens generated content.", + "ai:generative:generatesAudio": "The entity produces sound content.", + "ai:generative:generatesCode": "The entity produces executable code.", + "ai:generative:generatesEmbedding": "The entity produces vector representation.", + "ai:generative:generatesImage": "The entity produces visual content.", + "ai:generative:generatesText": "The entity produces natural language.", + "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", + "ai:generative:processesPrompt": "The entity interprets user instruction.", + "ai:generative:streamsResponse": "The entity delivers output incrementally.", + "ai:inference": "Behaviours that generate predictions using trained models.", + "ai:inference:appliesThreshold": "The entity uses decision boundary.", + "ai:inference:batchesInference": "The entity processes multiple inputs together.", + "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", + "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", + "ai:inference:generatesPrediction": "The entity produces model output.", + "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", + "ai:inference:ranksResults": "The entity orders 
predictions by relevance.", + "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", + "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", + "ai:management:comparesModels": "The entity evaluates relative model performance.", + "ai:management:deploysModel": "The entity places model into service.", + "ai:management:loadsModel": "The entity retrieves model for use.", + "ai:management:monitorsModel": "The entity observes model performance.", + "ai:management:retiresModel": "The entity removes model from service.", + "ai:management:rollsBackModel": "The entity reverts to previous version.", + "ai:management:unloadsModel": "The entity removes model from memory.", + "ai:management:versionsModel": "The entity tracks model versions.", + "ai:quality": "Behaviours that monitor and maintain model and data quality.", + "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", + "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", + "ai:quality:detectsOutlier": "The entity identifies anomalous input.", + "ai:quality:engineersFeatures": "The entity transforms raw data for model.", + "ai:quality:selectsFeatures": "The entity chooses relevant input features.", + "ai:quality:validatesInputData": "The entity checks inference input quality.", + "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", + "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", + "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", + "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", + "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", + "ai:robustness:validatesRobustness": "The entity tests model resilience.", + "ai:training": "Behaviours that prepare data and train machine 
learning models.", + "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", + "ai:training:checkpointsModel": "The entity saves model state during training.", + "ai:training:fineTunesModel": "The entity refines model for specific task.", + "ai:training:ingestsTrainingData": "The entity acquires data for training.", + "ai:training:preprocessesTrainingData": "The entity prepares data for training.", + "ai:training:trainsFederatedly": "The entity trains on distributed data.", + "ai:training:trainsModel": "The entity adjusts model parameters.", + "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", + "ai:training:validatesModel": "The entity evaluates model during training.", + "ai:training:validatesTrainingData": "The entity checks training data quality.", + "application": "Behaviours relating to application-level request processing and business logic.", + "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", + "application:codeExecution:compilesCode": "The entity transforms source to executable form.", + "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", + "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", + "application:codeExecution:executesScript": "The entity runs script code.", + "application:codeExecution:interpretsCode": "The entity executes code without compilation.", + "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", + "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", + "application:configuration": "Behaviours that load and manage application configuration settings.", + "application:configuration:detectsEnvironment": "The entity determines deployment context.", + "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.", + 
"application:configuration:loadsConfiguration": "The entity reads configuration settings.", + "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", + "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", + "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", + "application:controlFlow:catchesException": "The entity handles an error condition.", + "application:controlFlow:emitsEvent": "The entity triggers an event.", + "application:controlFlow:handlesEvent": "The entity responds to an event.", + "application:controlFlow:invokesCallback": "The entity executes a callback function.", + "application:controlFlow:invokesHandler": "The entity calls a request handler.", + "application:controlFlow:invokesMiddleware": "The entity executes middleware component.", + "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", + "application:controlFlow:throwsException": "The entity raises an error condition.", + "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", + "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", + "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", + "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", + "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", + "application:dependencyManagement:resolvesDependency": "The entity locates required component.", + "application:externalIntegration": "Behaviours that communicate with external services and systems.", + "application:externalIntegration:callsExternalService": "The entity invokes an external API.", + "application:externalIntegration:consumesEvent": "The entity 
receives event from external system.", + "application:externalIntegration:publishesEvent": "The entity sends event to external system.", + "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", + "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", + "application:observability:emitsTelemetry": "The entity transmits operational data.", + "application:observability:logsOperation": "The entity records an operational event.", + "application:observability:recordsMetric": "The entity captures a quantitative measurement.", + "application:observability:reportsHealth": "The entity communicates operational status.", + "application:observability:tracesRequest": "The entity tracks request across services.", + "application:requestHandling": "Behaviours that receive and process incoming requests.", + "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", + "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", + "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", + "application:requestHandling:parsesRequest": "The entity interprets incoming request.", + "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", + "application:requestHandling:rejectsRequest": "The entity refuses to process request.", + "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", + "application:requestHandling:validatesRequest": "The entity verifies request validity.", + "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", + "application:responseGeneration:generatesResponse": "The entity creates a response.", + "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", + "application:responseGeneration:redirectsRequest": "The entity sends 
client to different location.", + "application:responseGeneration:returnsError": "The entity indicates failure.", + "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", + "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", + "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", + "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", + "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.", + "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", + "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", + "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", + "application:stateManagement:createsSessionState": "The entity initialises session data.", + "application:stateManagement:destroysSessionState": "The entity removes session data.", + "application:stateManagement:readsSessionState": "The entity retrieves session data.", + "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", + "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", + "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", + "application:stateManagement:updatesSessionState": "The entity modifies session data.", + "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", + "data:encoding": "Behaviours that apply specific encoding schemes to data.", + "data:encoding:appliesXor": "The entity transforms data using XOR operation.", + "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", + "data:encoding:decodesUrl": "The entity converts URL-encoded data.", + 
"data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", + "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", + "data:ingestion": "Behaviours that acquire data from external sources.", + "data:ingestion:pollsSource": "The entity periodically checks for new data.", + "data:ingestion:readsFile": "The entity retrieves data from a file.", + "data:ingestion:readsStream": "The entity consumes data from a continuous source.", + "data:ingestion:receivesInput": "The entity accepts data from an external source.", + "data:ingestion:receivesMessage": "The entity accepts a message from a queue.", + "data:ingestion:receivesRequest": "The entity accepts an incoming request.", + "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", + "data:output": "Behaviours that produce and transmit data to external consumers.", + "data:output:formatsResponse": "The entity structures data for delivery.", + "data:output:producesOutput": "The entity generates data for consumption.", + "data:output:publishesMessage": "The entity sends a message to a queue.", + "data:output:rendersTemplate": "The entity generates output from a template.", + "data:output:sendsResponse": "The entity transmits a reply.", + "data:output:serializesObject": "The entity converts object to transmittable form.", + "data:output:streamsOutput": "The entity continuously produces data.", + "data:output:writesFile": "The entity saves data to a file.", + "data:parsing": "Behaviours that interpret and extract information from structured data formats.", + "data:parsing:decodesData": "The entity converts encoded data to original form.", + "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", + "data:parsing:extractsFields": "The entity isolates specific data elements.", + "data:parsing:parsesData": "The entity interprets structured data.", + "data:parsing:parsesHtml": "The entity interprets HTML content.", + 
"data:parsing:parsesJson": "The entity interprets JSON-formatted data.", + "data:parsing:parsesXml": "The entity interprets XML-formatted data.", + "data:query": "Behaviours that retrieve data based on specified criteria.", + "data:query:executesLdapQuery": "The entity queries an LDAP directory.", + "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", + "data:query:executesSearch": "The entity performs full-text or indexed search.", + "data:query:executesSql": "The entity runs a SQL statement.", + "data:query:executesXPath": "The entity evaluates an XPath expression.", + "data:query:queriesData": "The entity retrieves data matching criteria.", + "data:storage": "Behaviours that persist and retrieve data from storage systems.", + "data:storage:cachesData": "The entity stores data for quick retrieval.", + "data:storage:deletesData": "The entity removes stored data.", + "data:storage:flushesCache": "The entity writes cached data to persistent storage.", + "data:storage:invalidatesCache": "The entity marks cached data as stale.", + "data:storage:retrievesData": "The entity fetches stored data.", + "data:storage:storesData": "The entity saves data persistently.", + "data:storage:updatesData": "The entity modifies stored data.", + "data:transformation": "Behaviours that convert data from one form or structure to another.", + "data:transformation:aggregatesData": "The entity combines multiple values.", + "data:transformation:compressesData": "The entity reduces data size.", + "data:transformation:decompressesData": "The entity restores compressed data.", + "data:transformation:encodesData": "The entity converts data to encoded form.", + "data:transformation:enrichesData": "The entity adds information from external sources.", + "data:transformation:filtersData": "The entity removes unwanted elements.", + "data:transformation:joinsData": "The entity combines data from multiple sources.", + "data:transformation:mapsData": "The entity converts between data 
structures.", + "data:transformation:normalizesData": "The entity converts to standard form.", + "data:transformation:sortsData": "The entity orders data elements.", + "data:transformation:transformsData": "The entity converts data from one form to another.", + "evasion": "Behaviours relating to techniques that avoid detection and analysis.", + "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", + "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", + "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.", + "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", + "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", + "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", + "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", + "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", + "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", + "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", + "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", + "evasion:antiSecurity": "Behaviours that detect and disable security software.", + "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", + "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", + "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", + "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", + "evasion:indirection": "Behaviours that use indirect methods to execute code.", + "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", + 
"evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", + "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", + "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", + "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", + "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", + "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", + "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", + "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", + "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", + "file": "Behaviours relating to file system operations and disk management.", + "file:directory": "Behaviours that create and navigate directory structures.", + "file:directory:changesDirectory": "The entity sets current working directory.", + "file:directory:createsDirectory": "The entity creates a new directory.", + "file:directory:deletesDirectory": "The entity removes a directory.", + "file:directory:listsDirectory": "The entity enumerates directory contents.", + "file:directory:traversesDirectory": "The entity recursively explores directories.", + "file:disk": "Behaviours that manage storage volumes and disk-level operations.", + "file:disk:decryptsVolume": "The entity decrypts a storage volume.", + "file:disk:encryptsVolume": "The entity encrypts a storage volume.", + "file:disk:formatsVolume": "The entity prepares storage for use.", + "file:disk:mountsVolume": "The entity attaches a storage volume.", + "file:disk:unmountsVolume": "The entity detaches a storage volume.", + "file:disk:wipesDisk": "The entity securely erases disk contents.", + "file:operations": "Behaviours that create and manipulate files.", + "file:operations:appendsToFile": "The entity adds data to end of file.", + 
"file:operations:checksFileExistence": "The entity verifies whether a file exists.", + "file:operations:closesFile": "The entity releases file access.", + "file:operations:copiesFile": "The entity duplicates a file.", + "file:operations:createsFile": "The entity creates a new file.", + "file:operations:deletesFile": "The entity removes a file.", + "file:operations:getsFileAttributes": "The entity retrieves file metadata.", + "file:operations:movesFile": "The entity relocates a file.", + "file:operations:opensFile": "The entity prepares a file for access.", + "file:operations:readsFile": "The entity retrieves file contents.", + "file:operations:renamesFile": "The entity changes a file name.", + "file:operations:setsFileAttributes": "The entity modifies file metadata.", + "file:operations:setsFilePermissions": "The entity modifies file access permissions.", + "file:operations:writesFile": "The entity modifies file contents.", + "gui": "Behaviours relating to graphical user interface interactions.", + "gui:display": "Behaviours that render and monitor visual output.", + "gui:display:displaysData": "The entity renders information visually.", + "gui:display:monitorsDisplay": "The entity observes displayed content.", + "gui:display:updatesDisplay": "The entity refreshes visual presentation.", + "gui:session": "Behaviours that interact with user login sessions.", + "gui:session:displaysLogin": "The entity presents login interface.", + "gui:session:interactsWithSession": "The entity operates within user session.", + "gui:session:switchesSession": "The entity changes active user session.", + "gui:window": "Behaviours that create and manipulate graphical windows.", + "gui:window:capturesWindow": "The entity captures window contents.", + "gui:window:createsWindow": "The entity creates a graphical window.", + "gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": "The entity lists open windows.", + "gui:window:interactsWithTaskbar": "The 
entity modifies taskbar elements.", + "gui:window:modifiesWindow": "The entity changes window properties.", + "hardware": "Behaviours relating to hardware components and physical device interactions.", + "hardware:actuator": "Behaviours that control physical actuators and output devices.", + "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", + "hardware:actuator:controlsBattery": "The entity manages battery charging.", + "hardware:actuator:controlsHeating": "The entity manages heating element.", + "hardware:actuator:controlsLed": "The entity manages LED indicator.", + "hardware:actuator:controlsMotor": "The entity manages motor operation.", + "hardware:actuator:controlsPower": "The entity manages power distribution.", + "hardware:actuator:controlsPump": "The entity manages fluid pump.", + "hardware:actuator:controlsTemperature": "The entity regulates temperature.", + "hardware:boot": "Behaviours that verify and configure system startup processes.", + "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", + "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", + "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", + "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", + "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", + "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", + "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", + "hardware:firmware": "Behaviours that manage and verify firmware integrity.", + "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", + "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.", + "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", + "hardware:firmware:updatesFirmware": "The entity applies 
firmware changes.", + "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", + "hardware:memory": "Behaviours that protect and isolate memory regions.", + "hardware:memory:encryptsMemory": "The entity protects memory contents.", + "hardware:memory:isolatesMemory": "The entity separates memory regions.", + "hardware:memory:protectsStack": "The entity defends against stack attacks.", + "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", + "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", + "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", + "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", + "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.", + "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", + "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", + "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", + "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", + "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", + "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", + "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", + "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", + "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", + "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", + "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", + "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", + "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", 
+ "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", + "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", + "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", + "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", + "hardware:security:executesInTee": "The entity runs in trusted execution environment.", + "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", + "hardware:security:usesHsm": "The entity employs hardware security module.", + "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", + "hardware:sensor": "Behaviours that read measurements from hardware sensors.", + "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", + "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", + "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", + "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", + "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", + "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", + "hardware:sensor:readsPowerStatus": "The entity obtains power state.", + "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", + "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", + "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", + "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", + "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.", + "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", + "network": "Behaviours 
relating to network communication and data transmission between systems.", + "network:connection": "Behaviours that establish and manage network connections.", + "network:connection:acceptsConnection": "The entity receives an incoming connection.", + "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", + "network:connection:establishesConnection": "The entity initiates a network connection.", + "network:connection:reconnects": "The entity re-establishes a dropped connection.", + "network:connection:reusesConnection": "The entity uses a pooled connection.", + "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.", + "network:connection:terminatesConnection": "The entity closes a network connection.", + "network:discovery": "Behaviours that locate and advertise network services and resources.", + "network:discovery:advertisesService": "The entity announces its availability.", + "network:discovery:discoversService": "The entity locates an available service.", + "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.", + "network:discovery:probesPort": "The entity checks if a port is open.", + "network:discovery:queriesDns": "The entity requests DNS resolution.", + "network:discovery:resolvesName": "The entity translates a name to an address.", + "network:discovery:scansNetwork": "The entity probes for active hosts or services.", + "network:protocol": "Behaviours that negotiate and implement communication protocols.", + "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.", + "network:protocol:framesMessage": "The entity structures data for transmission.", + "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.", + "network:protocol:parsesMessage": "The entity interprets received network data.", + "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.", + 
"network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.", + "network:protocol:validatesMessage": "The entity verifies message format and integrity.", + "network:remoteInteraction": "Behaviours that execute operations on remote systems.", + "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.", + "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.", + "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.", + "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.", + "network:remoteInteraction:sendsEmail": "The entity transmits an email message.", + "network:remoteInteraction:sendsSms": "The entity transmits a text message.", + "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.", + "network:routing": "Behaviours that direct network traffic to its destination.", + "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.", + "network:routing:forwardsPacket": "The entity passes a packet toward its destination.", + "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.", + "network:routing:routesTraffic": "The entity directs network traffic to destinations.", + "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.", + "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.", + "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.", + "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.", + "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.", + "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.", + "network:trafficControl:limitsRate": 
"The entity restricts traffic volume.", + "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.", + "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.", + "network:transmission": "Behaviours that send and receive data over network connections.", + "network:transmission:broadcastsData": "The entity sends data to multiple recipients.", + "network:transmission:multicastsData": "The entity sends data to a group of recipients.", + "network:transmission:receivesData": "The entity accepts data from the network.", + "network:transmission:sendsData": "The entity transmits data over the network.", + "network:transmission:streamsData": "The entity continuously transmits or receives data.", + "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.", + "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.", + "privacy:collection:capturesAudio": "The entity records sound via microphone.", + "privacy:collection:capturesKeystrokes": "The entity records keyboard input.", + "privacy:collection:capturesScreen": "The entity records display contents.", + "privacy:collection:capturesVideo": "The entity records images via camera.", + "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.", + "privacy:collection:collectsBiometricData": "The entity captures biometric information.", + "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.", + "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.", + "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.", + "privacy:collection:collectsHealthData": "The entity gathers protected health information.", + "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.", + 
"privacy:collection:collectsLocationData": "The entity gathers geographical position information.", + "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.", + "privacy:collection:collectsSilently": "The entity gathers data without user awareness.", + "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.", + "privacy:collection:readsClipboard": "The entity accesses clipboard contents.", + "privacy:deletion": "Behaviours that remove or destroy personal data.", + "privacy:deletion:clearsCache": "The entity removes data from temporary storage.", + "privacy:deletion:deletesPersonalData": "The entity removes personal data.", + "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", + "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.", + "privacy:deletion:redactsData": "The entity removes specific content from records.", + "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", + "privacy:inference:correlatesData": "The entity combines data from multiple sources.", + "privacy:inference:createsProfile": "The entity builds a profile from collected data.", + "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", + "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", + "privacy:inference:linksIdentities": "The entity associates data across contexts.", + "privacy:inference:tracksUser": "The entity follows user activity across sessions.", + "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", + "privacy:minimization:aggregatesData": "The entity combines records into summaries.", + "privacy:minimization:anonymizesData": "The entity removes identifying information.", + "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", + 
"privacy:minimization:generalizesData": "The entity reduces data precision.", + "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", + "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", + "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", + "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", + "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", + "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", + "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", + "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.", + "privacy:retention": "Behaviours that store personal data over time.", + "privacy:retention:archivesData": "The entity moves data to long-term storage.", + "privacy:retention:backsUpData": "The entity creates copies for recovery.", + "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", + "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", + "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", + "privacy:retention:retainsInLog": "The entity keeps data in log files.", + "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", + "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", + "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", + "privacy:sharing:exportsData": "The entity outputs data in portable format.", + "privacy:sharing:publishesData": "The entity makes data publicly available.", + "privacy:sharing:sellsData": "The entity provides data in exchange for value.", + 
"privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", + "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", + "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", + "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", + "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", + "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", + "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.", + "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", + "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", + "privacy:transparency": "Behaviours that inform individuals about data processing activities.", + "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.", + "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.", + "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.", + "privacy:transparency:recordsConsent": "The entity stores consent decisions.", + "privacy:transparency:requestsConsent": "The entity asks for processing permission.", + "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.", + "safety": "Behaviours relating to the prevention of harm to users and the environment.", + "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.", + "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.", + "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.", + "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.", + 
"safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.", + "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.", + "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.", + "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.", + "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.", + "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.", + "safety:contentSafety:filtersContent": "The entity blocks or restricts content.", + "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.", + "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.", + "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", + "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", + "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", + "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", + "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", + "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", + "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", + "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", + "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", + "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.", + "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", + 
"safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", + "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", + "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", + "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", + "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", + "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", + "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.", + "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", + "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", + "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", + "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", + "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", + "security:auditing:logsEvent": "The entity records an occurrence.", + "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", + "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", + "security:auditing:purgesLog": "The entity deletes old log records.", + "security:auditing:rotatesLog": "The entity archives and starts new log files.", + "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", + "security:auditing:timestampsEvent": "The entity records when an event occurred.", + "security:auditing:transmitsLog": "The entity sends log data to a remote destination.", + "security:authentication": "Behaviours that verify the identity of users and entities.", + 
"security:authentication:authenticatesDevice": "The entity confirms device identity.", + "security:authentication:authenticatesService": "The entity confirms service identity.", + "security:authentication:authenticatesUser": "The entity confirms user identity.", + "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", + "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", + "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", + "security:authentication:failsAuthentication": "The entity rejects invalid credentials.", + "security:authentication:locksAccount": "The entity prevents further authentication attempts.", + "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", + "security:authentication:promptsForCredentials": "The entity requests authentication information.", + "security:authentication:unlocksAccount": "The entity restores authentication capability.", + "security:authentication:validatesBiometric": "The entity verifies biometric data.", + "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", + "security:authorization": "Behaviours that determine and enforce access permissions.", + "security:authorization:checksPermission": "The entity verifies access rights.", + "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", + "security:authorization:deniesAccess": "The entity refuses a requested action.", + "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", + "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", + "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", + "security:authorization:evaluatesPolicy": "The entity applies rules to make access 
decisions.", + "security:authorization:grantsAccess": "The entity permits a requested action.", + "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", + "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", + "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", + "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", + "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", + "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", + "security:cryptography:checksRevocation": "The entity queries certificate revocation status.", + "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", + "security:cryptography:destroysKey": "The entity securely erases a key.", + "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", + "security:cryptography:exchangesKey": "The entity shares a key with another party.", + "security:cryptography:generatesKey": "The entity creates a cryptographic key.", + "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.", + "security:cryptography:hashesData": "The entity generates a cryptographic hash.", + "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", + "security:cryptography:retrievesKey": "The entity obtains a stored key.", + "security:cryptography:revokesCertificate": "The entity invalidates a certificate.", + "security:cryptography:rotatesKey": "The entity replaces a key with a new one.", + "security:cryptography:signsData": "The entity creates a digital signature.", + "security:cryptography:storesKey": "The entity saves a key 
securely.", + "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.", + "security:cryptography:verifiesHash": "The entity validates data against a hash.", + "security:cryptography:verifiesSignature": "The entity validates a digital signature.", + "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.", + "security:errorHandling:catchesException": "The entity intercepts an error condition.", + "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.", + "security:errorHandling:failsClosed": "The entity denies access when controls fail.", + "security:errorHandling:failsOpen": "The entity permits access when controls fail.", + "security:errorHandling:generatesError": "The entity produces an error condition.", + "security:errorHandling:logsError": "The entity records an error condition.", + "security:errorHandling:propagatesError": "The entity passes an error to caller.", + "security:errorHandling:returnsGenericError": "The entity provides minimal error information.", + "security:errorHandling:suppressesError": "The entity hides an error condition.", + "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.", + "security:inputHandling:escapesInput": "The entity encodes special characters in input.", + "security:inputHandling:normalizesInput": "The entity converts input to standard form.", + "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.", + "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.", + "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.", + "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.", + "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.", + 
"security:inputHandling:validatesSchema": "The entity checks input against a defined schema.", + "security:integrity": "Behaviours that verify and protect the integrity of data and code.", + "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.", + "security:integrity:detectsTampering": "The entity identifies modification attempts.", + "security:integrity:respondsToTampering": "The entity reacts to detected tampering.", + "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.", + "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.", + "security:integrity:verifiesProvenance": "The entity confirms origin and history.", + "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.", + "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.", + "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.", + "security:outputHandling:escapesOutput": "The entity encodes special characters in output.", + "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.", + "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.", + "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.", + "security:session": "Behaviours that manage authenticated user sessions.", + "security:session:createsSession": "The entity establishes an authenticated session.", + "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.", + "security:session:invalidatesSession": "The entity revokes session validity.", + "security:session:refreshesSession": "The entity extends session lifetime.", + "security:session:regeneratesSessionId": "The entity creates a new session identifier.", + "security:session:terminatesSession": "The entity ends an 
authenticated session.", + "security:session:validatesSession": "The entity verifies session validity.", + "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.", + "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.", + "security:threatResponse:blocksSource": "The entity prevents further requests from a source.", + "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.", + "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.", + "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.", + "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.", + "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.", + "security:threatResponse:raisesAlert": "The entity notifies of a security event.", + "system": "Behaviours relating to operating system interactions and the management of computational resources.", + "system:configuration": "Behaviours that read and modify system configuration settings.", + "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.", + "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.", + "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.", + "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.", + "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.", + "system:configuration:readsRegistry": "The entity retrieves values from the system registry.", + "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.", + "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.", + 
"system:configuration:writesRegistry": "The entity stores values in the system registry.", + "system:informationGathering": "Behaviours that collect information about the host system and its configuration.", + "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.", + "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.", + "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.", + "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.", + "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.", + "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.", + "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.", + "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.", + "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.", + "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.", + "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.", + "system:lifecycle:decommissions": "The entity securely retires from service.", + "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.", + "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.", + "system:lifecycle:provisions": "The entity configures itself for deployment.", + "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.", + "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.", + "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.", + "system:operationalState:entersFailSafeState": "The 
entity transitions to a known safe state upon detecting a fault.", + "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.", + "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.", + "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.", + "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.", + "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.", + "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.", + "system:persistence:installsAsService": "The entity registers itself as a system service.", + "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.", + "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.", + "system:persistence:removesPersistence": "The entity removes its persistence mechanism.", + "system:processControl": "Behaviours that create and manipulate operating system processes.", + "system:processControl:createsProcess": "The entity starts a new process.", + "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.", + "system:processControl:enumeratesProcesses": "The entity lists running processes.", + "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.", + "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.", + "system:processControl:modifiesProcess": "The entity changes attributes of a running process.", + "system:processControl:resumesProcess": "The entity continues paused process execution.", + "system:processControl:suspendsProcess": "The entity pauses process execution.", + 
"system:processControl:terminatesProcess": "The entity ends a running process.", + "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.", + "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.", + "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.", + "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.", + "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.", + "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.", + "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.", + "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.", + "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.", + "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.", + "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.", + "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.", + "system:resourceManagement:resumesThread": "The entity continues paused thread execution.", + "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.", + "system:resourceManagement:suspendsThread": "The entity pauses thread execution.", + "system:resourceManagement:terminatesThread": "The entity ends an execution thread.", + "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", + "system:serviceControl": "Behaviours that manage system services and daemons.", + "system:serviceControl:createsService": "The entity installs a system service 
or daemon.", + "system:serviceControl:deletesService": "The entity removes a system service.", + "system:serviceControl:enumeratesServices": "The entity lists installed services.", + "system:serviceControl:modifiesService": "The entity changes service configuration.", + "system:serviceControl:startsService": "The entity initiates service execution.", + "system:serviceControl:stopsService": "The entity halts service execution.", + "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", + "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", + "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", + "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", + "system:synchronization:signalsSemaphore": "The entity releases a semaphore.", + "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", + "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", + "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", + "system:timing:delaysExecution": "The entity postpones an operation.", + "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", + "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", + "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", + "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", + "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.", + "system:timing:waits": "The entity pauses execution for a specified duration.", + "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", + "system:userManagement:createsUserAccount": 
"The entity adds a new user account.", + "system:userManagement:deletesUserAccount": "The entity removes a user account.", + "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", + "system:userManagement:enumeratesUsers": "The entity lists user accounts.", + "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", + "system:userManagement:modifiesUserAccount": "The entity changes user account properties." + } + } + } +} From 96117b4507bf4cc7f5f48254784d3bdd77748258 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 8 Jan 2026 18:21:03 +0100 Subject: [PATCH 13/44] Extend cryptography-related behaviors Signed-off-by: Basil Hess --- .../model/cyclonedx-behavior-2.0.schema.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json index 58f0914e8..8fc95e2e9 100644 --- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json 
@@ -819,6 +819,24 @@
 "security:cryptography:validatesCertificate",
 "security:cryptography:verifiesHash",
 "security:cryptography:verifiesSignature",
+ "security:cryptography:authenticates",
+ "security:cryptography:ensuresConfidentiality",
+ "security:cryptography:ensuresIntegrity",
+ "security:cryptography:ensuresNonRepudiation",
+ "security:cryptography:ensuresAccountability",
+ "security:cryptography:preservesPrivacy",
+ "security:cryptography:identifies",
+ "security:cryptography:usesIdentity",
+ "security:cryptography:validatesToken",
+ "security:cryptography:signsDocument",
+ "security:cryptography:encryptsDataAtRest",
+ "security:cryptography:encryptsDataInTransit",
+ "security:cryptography:decryptsDataAtRest",
+ "security:cryptography:decryptsDataInTransit",
+ "security:cryptography:encryptsDisk",
+ "security:cryptography:decryptsDisk",
+ "security:cryptography:encryptsSecret",
+ "security:cryptography:decryptsSecret",
 "security:errorHandling",
 "security:errorHandling:catchesException",
 "security:errorHandling:disclosesErrorDetails",
From 70de9459d7ed738a590895f527d166cb99dbedee Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 14 Jan 2026 17:29:33 +0100
Subject: [PATCH 14/44] A few extensions to the crypto behaviors
Signed-off-by: Basil Hess
---
 schema/2.0/model/cyclonedx-behavior-2.0.schema.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
index 8fc95e2e9..02d4df79e 100644
--- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
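Review bot: The added `security:cryptography:authenticates`, `security:cryptography:identifies`, `security:cryptography:usesIdentity` and `security:cryptography:validatesToken` entries in this hunk describe identity and access behaviours, not cryptographic operations, so they are filed under the wrong namespace. The file already has a `security:authorization` family (`security:authorization:revokesAccess` appears as context later in this series), and if a `security:authentication` family exists — it is not visible here — these four would give two codes for one observable behaviour, which defeats matching across producers. I'd keep `security:cryptography` for operations a scanner or attestation can point at (key, hash, signature, certificate and cipher use) and move the identity ones, e.g. `"security:authentication:validatesToken"`. The enclosing enum array starts and ends outside this hunk.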
@@ -808,13 +808,21 @@
 "security:cryptography:encryptsData",
 "security:cryptography:exchangesKey",
 "security:cryptography:generatesKey",
+ "security:cryptography:wrapsKey",
 "security:cryptography:generatesRandomValue",
 "security:cryptography:hashesData",
 "security:cryptography:issuesCertificate",
+ "security:cryptography:presentsServerCertificate",
+ "security:cryptography:presentsClientCertificate",
 "security:cryptography:retrievesKey",
 "security:cryptography:revokesCertificate",
 "security:cryptography:rotatesKey",
 "security:cryptography:signsData",
+ "security:cryptography:verifiesDataSignature",
+ "security:cryptography:signsCode",
+ "security:cryptography:verifiesCodeSignature",
+ "security:cryptography:signsDocument",
+ "security:cryptography:verifiesDocumentSignature",
 "security:cryptography:storesKey",
 "security:cryptography:validatesCertificate",
 "security:cryptography:verifiesHash",
@@ -828,7 +836,6 @@
 "security:cryptography:identifies",
 "security:cryptography:usesIdentity",
 "security:cryptography:validatesToken",
- "security:cryptography:signsDocument",
 "security:cryptography:encryptsDataAtRest",
 "security:cryptography:encryptsDataInTransit",
 "security:cryptography:decryptsDataAtRest",
From bb7e30e578fd3164dcf046602e96524e42733663 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Thu, 22 Jan 2026 13:30:29 +0100
Subject: [PATCH 15/44] Makes sure meta:enum descrptions are available for the new behaviors. Orders new entries alphabetically in the enum
Signed-off-by: Basil Hess
---
 .../model/cyclonedx-behavior-2.0.schema.json | 73 +++++++++++++------
 1 file changed, 50 insertions(+), 23 deletions(-)
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
index 02d4df79e..25814a61d 100644
--- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
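Review bot: `security:cryptography:verifiesDataSignature`, added in the first hunk right after the context line `"security:cryptography:signsData"`, is not distinguishable from the pre-existing `security:cryptography:verifiesSignature` (visible as context in the preceding patch), so two producers describing the same check will pick different codes and a consumer cannot match them. Either drop the new entry or define `verifiesSignature` as the generic parent that `verifiesCodeSignature` and `verifiesDocumentSignature` specialise, and state that in its description, e.g. `"security:cryptography:verifiesSignature": "The entity validates a digital signature; prefer the code- or document-specific entries where they apply."`. `presentsServerCertificate`/`presentsClientCertificate` are TLS handshake roles rather than distinct cryptographic operations; if they stay, their descriptions should name that protocol context so they are not read as generic certificate handling. Both hunks sit inside an enum array whose start and end are outside this view.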
@@ -802,48 +802,49 @@
 "security:authorization:revokesAccess",
 "security:authorization:revokesImpersonation",
 "security:cryptography",
+ "security:cryptography:authenticates",
 "security:cryptography:checksRevocation",
 "security:cryptography:decryptsData",
+ "security:cryptography:decryptsDataAtRest",
+ "security:cryptography:decryptsDataInTransit",
+ "security:cryptography:decryptsDisk",
+ "security:cryptography:decryptsSecret",
 "security:cryptography:destroysKey",
 "security:cryptography:encryptsData",
+ "security:cryptography:encryptsDataAtRest",
+ "security:cryptography:encryptsDataInTransit",
+ "security:cryptography:encryptsDisk",
+ "security:cryptography:encryptsSecret",
+ "security:cryptography:ensuresAccountability",
+ "security:cryptography:ensuresConfidentiality",
+ "security:cryptography:ensuresIntegrity",
+ "security:cryptography:ensuresNonRepudiation",
 "security:cryptography:exchangesKey",
 "security:cryptography:generatesKey",
- "security:cryptography:wrapsKey",
 "security:cryptography:generatesRandomValue",
 "security:cryptography:hashesData",
+ "security:cryptography:hashesPassword",
+ "security:cryptography:identifies",
 "security:cryptography:issuesCertificate",
- "security:cryptography:presentsServerCertificate",
+ "security:cryptography:preservesPrivacy",
 "security:cryptography:presentsClientCertificate",
+ "security:cryptography:presentsServerCertificate",
 "security:cryptography:retrievesKey",
 "security:cryptography:revokesCertificate",
 "security:cryptography:rotatesKey",
- "security:cryptography:signsData",
- "security:cryptography:verifiesDataSignature",
 "security:cryptography:signsCode",
- "security:cryptography:verifiesCodeSignature",
+ "security:cryptography:signsData",
 "security:cryptography:signsDocument",
- "security:cryptography:verifiesDocumentSignature",
 "security:cryptography:storesKey",
+ "security:cryptography:usesIdentity",
 "security:cryptography:validatesCertificate",
+ "security:cryptography:validatesToken",
+ "security:cryptography:verifiesCodeSignature",
+ "security:cryptography:verifiesDataSignature",
+ "security:cryptography:verifiesDocumentSignature",
 "security:cryptography:verifiesHash",
 "security:cryptography:verifiesSignature",
- "security:cryptography:authenticates",
- "security:cryptography:ensuresConfidentiality",
- "security:cryptography:ensuresIntegrity",
- "security:cryptography:ensuresNonRepudiation",
- "security:cryptography:ensuresAccountability",
- "security:cryptography:preservesPrivacy",
- "security:cryptography:identifies",
- "security:cryptography:usesIdentity",
- "security:cryptography:validatesToken",
- "security:cryptography:encryptsDataAtRest",
- "security:cryptography:encryptsDataInTransit",
- "security:cryptography:decryptsDataAtRest",
- "security:cryptography:decryptsDataInTransit",
- "security:cryptography:encryptsDisk",
- "security:cryptography:decryptsDisk",
- "security:cryptography:encryptsSecret",
- "security:cryptography:decryptsSecret",
+ "security:cryptography:wrapsKey",
 "security:errorHandling",
 "security:errorHandling:catchesException",
 "security:errorHandling:disclosesErrorDetails",
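Review bot: The alphabetical reorder in this hunk still puts `"security:cryptography:preservesPrivacy"` ahead of `"security:cryptography:presentsClientCertificate"`, although `presents…` sorts before `preserves…`; the same order is repeated in the `meta:enum` hunk below, so both should be swapped to keep the enum and its descriptions consistent. The larger concern is that `ensuresAccountability`, `ensuresConfidentiality`, `ensuresIntegrity`, `ensuresNonRepudiation` and `preservesPrivacy` name security properties rather than observable behaviours: a transparency statement can show that an entity `encryptsDataInTransit` or `verifiesSignature`, but nothing a scanner or attestor can observe establishes that it "ensures confidentiality". I'd drop those five from the behaviour enum or, at minimum, mark them as claims that need supporting evidence, e.g. `"security:cryptography:ensuresIntegrity": "Claim that the entity's cryptographic controls preserve integrity; not directly observable — pair with the concrete behaviours that support it."`. The enum array starts and ends outside this hunk.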
@@ -1543,23 +1544,49 @@
 "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.",
 "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.",
 "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.",
+ "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.",
 "security:cryptography:checksRevocation": "The entity queries certificate revocation status.",
 "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.",
+ "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.",
+ "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.",
+ "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.",
+ "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.",
 "security:cryptography:destroysKey": "The entity securely erases a key.",
 "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.",
+ "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.",
+ "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.",
+ "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.",
+ "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.",
+ "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.",
+ "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.",
+ "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.",
+ "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.",
 "security:cryptography:exchangesKey": "The entity shares a key with another party.",
 "security:cryptography:generatesKey": "The entity creates a cryptographic key.",
 "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.",
 "security:cryptography:hashesData": "The entity generates a cryptographic hash.",
+ "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.",
+ "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.",
 "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.",
+ "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.",
+ "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.",
+ "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.",
 "security:cryptography:retrievesKey": "The entity obtains a stored key.",
 "security:cryptography:revokesCertificate": "The entity invalidates a certificate.",
 "security:cryptography:rotatesKey": "The entity replaces a key with a new one.",
+ "security:cryptography:signsCode": "The entity applies a digital signature to executable code.",
 "security:cryptography:signsData": "The entity creates a digital signature.",
+ "security:cryptography:signsDocument": "The entity applies a digital signature to a document.",
 "security:cryptography:storesKey": "The entity saves a key securely.",
+ "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.",
 "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.",
+ "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.",
+ "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.",
+ "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.",
+ "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.",
 "security:cryptography:verifiesHash": "The entity validates data against a hash.",
 "security:cryptography:verifiesSignature": "The entity validates a digital signature.",
+ "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.",
 "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.",
 "security:errorHandling:catchesException": "The entity intercepts an error condition.",
 "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.",
From fd3b448857f63781d729b4a5fef18b94614c62f7 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Wed, 4 Mar 2026 00:38:05 -0600
Subject: [PATCH 16/44] Major changes to blueprints and other changes to supporting schemas. This currently compiles.
Signed-off-by: Steve Springett
---
 schema/2.0/cyclonedx-2.0.schema.json | 3 +
 .../model/cyclonedx-blueprint-2.0.schema.json | 1622 ++++++++++-------
 .../2.0/model/cyclonedx-data-2.0.schema.json | 232 ++-
 .../2.0/model/cyclonedx-risk-2.0.schema.json | 121 +-
 .../model/cyclonedx-usecase-2.0.schema.json | 251 +--
 5 files changed, 1384 insertions(+), 845 deletions(-)
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
index 6a2729634..548d0fca1 100644
--- a/schema/2.0/cyclonedx-2.0.schema.json
+++ b/schema/2.0/cyclonedx-2.0.schema.json
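Review bot: The new `security:cryptography:hashesPassword` description in this hunk, `"The entity applies a cryptographic hash function to a password."`, describes exactly the practice password-storage guidance warns against: a general-purpose hash over a password is cheap to brute-force, and the defensible behaviour is a salted, work-factor password-hashing function such as Argon2id, scrypt, bcrypt or PBKDF2. Since this vocabulary exists so a consumer can judge what an entity does, the entry must let a reader tell the two apart, e.g. `"security:cryptography:hashesPassword": "The entity derives a password verifier with a salted, computationally expensive password-hashing function (e.g. Argon2id, scrypt, bcrypt, PBKDF2); a plain cryptographic hash of a password is not this behaviour."`, or a separate `derivesPasswordHash` entry should be added so a bare hash can be recognised as a weakness. Similarly `encryptsSecret`/`decryptsSecret` say only "credentials or metadata" and say nothing about where the wrapping key lives, which is the part a reviewer actually needs to assess. The `meta:enum` object starts and ends outside this hunk.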
@@ -76,6 +76,9 @@
 "definitions": {
 "$ref": "model/cyclonedx-definition-2.0.schema.json#/$defs/definitions"
 },
+ "blueprints": {
+ "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints"
+ },
 "citations": {
 "$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations"
 },
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index 30a683106..6a2a91815 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -4,261 +4,257 @@ "type": "null", "title": "CycloneDX Blueprint Model", "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", - "required": ["modelTypes", "methodologies"], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "modelTypes": { - "type": "array", - "minItems": 1, - "description": "The types of models being represented", - "items": { - "$ref": "#/$defs/modelType" - } - }, - "methodologies": { - "type": "array", - "minItems": 1, - "description": "The modeling methodologies used", - "items": { - "$ref": "#/$defs/methodology" - } - }, - "perspectives": { - "type": "array", - "description": "Different viewpoints or perspectives used in the model analysis", - "items": { - "$ref": "#/$defs/perspective" - } - }, - "metadata": { - "$ref": "#/$defs/blueprintMetadata" - }, - "scope": { - "$ref": "#/$defs/scope" - }, - "assets": { - "type": "array", - "items": { - "$ref": "#/$defs/asset" - }, - "description": "The assets (components, services, data, actors) included in the model" - }, - "dataStores": { - "type": "array", - "items": { - "$ref": "#/$defs/dataStore" - }, - "description": "Structured description of data stores used in the model" - }, - "dataSets": { - "type": "array", - "items": { - "$ref": "#/$defs/dataSet" - }, - "description": "Datasets handled by the system, including placements and sensitivity" - }, - "zones": { - "type": "array", - "items": { - "$ref": "#/$defs/zone" - }, - "description": "Logical, physical, or trust zones that group assets with similar characteristics" - }, - "boundaries": { - "type": "array", - "items": { - "$ref": "#/$defs/boundary" - }, - "description": "Boundaries between 
zones" - }, - "flows": { - "type": "array", - "items": { - "$ref": "#/$defs/flow" - }, - "description": "Data, control, or process flows between assets" - }, - "actors": { - "type": "array", - "items": { - "$ref": "#/$defs/actor" - }, - "description": "Human or system actors involved in the model, distinct from assets" - }, - "assumptions": { + "$defs": { + "blueprints": { "type": "array", + "title": "Blueprints", + "uniqueItems": true, "items": { - "$ref": "#/$defs/assumption" + "$ref": "#/$defs/blueprint" }, - "description": "Assumptions made during the modeling process" + "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis." }, - "actor": { + "blueprint": { "type": "object", - "required": ["bom-ref", "name", "type"], + "title": "Blueprint", + "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.", + "required": ["modelTypes", "methodologies"], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for the actor" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "name": { - "type": "string", - "description": "Name or title of the actor" + "metadata": { + "$ref": "#/$defs/blueprintMetadata" }, - "description": { - "type": "string", - "description": "Narrative describing the actor's role and context" + "modelTypes": { + "type": "array", + "title": "Model Types", + "minItems": 1, + "uniqueItems": true, + "description": "The types of models being represented", + "items": { + "$ref": "#/$defs/modelType" + } }, - "type": { - "type": "string", - "enum": ["user", "engineer", "administrator", 
"operator", "system", "external"], - "description": "Classification of the actor", - "meta:enum": { - "user": "End user of a client application or service", - "engineer": "Developer or platform/DevOps engineer", - "administrator": "Administrative or privileged operator", - "operator": "Operational staff running the system", - "system": "Automated system actor or service account", - "external": "Third-party or external entity" + "methodologies": { + "type": "array", + "title": "Methodologies", + "minItems": 1, + "uniqueItems": true, + "description": "The modeling methodologies used", + "items": { + "$ref": "#/$defs/methodology" } }, - "permissions": { - "type": "string", - "description": "Key permissions, capabilities, or duties the actor holds" + "scope": { + "$ref": "#/$defs/scope" + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model" + }, + "dataStores": { + "type": "array", + "title": "Data Stores", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model" + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity" + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, 
control, or process flows between assets" + }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "visualizations": { + "type": "array", + "title": "Visualizations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCase" + }, + { + "properties": { + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the blueprint assets that are involved in or exercised by this use case" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the requirements that are implemented, validated, or addressed by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." 
+ }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" }, - "trustZone": { - "$ref": "#/$defs/trustZoneRef", - "description": "Reference to the trust zone where the actor resides" + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } }, - "visualizations": { - "type": "array", - "items": { - "$ref": "#/$defs/visualization" - }, - "description": "Visual representations of the model" - }, - "useCases": { - "type": "array", - "items": { - "type": "object", - "allOf": [ - { - "$ref": "cyclonedx-usecase-2.0.schema.json" - }, - { - "properties": { - "assets": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to assets involved in this use case" - }, - "flows": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to flows that are part of this use case" - }, - "requirements": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to requirements implemented by this use case" - } - } - } - ] - }, - "description": "Use cases analyzed as part of the model" - }, - "requirements": { - "type": "array", - "items": { - "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" - }, - "description": "Requirements derived from or related to the model" - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - }, - "description": "External references related to the blueprint" - }, - "properties": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" - }, - "description": 
"Additional properties and extensions" - } - }, - "$defs": { "modelType": { "type": "object", + "title": "Model Type", + "description": "The type of model being represented, either a predefined type or a custom named type.", "oneOf": [ { + "title": "Predefined Model Type", + "description": "A model type selected from a predefined set of well-known modelling categories.", "required": ["type"], "additionalProperties": false, "properties": { "type": { "type": "string", + "title": "Pre-Defined Model Type", "enum": [ "architecture", + "behavioral", + "conceptual", "dataFlow", - "process", "deployment", + "logical", "network", - "threat", - "risk", - "privacy", "operational", - "conceptual", - "logical", "physical", - "behavioral", - "structural" + "privacy", + "process", + "risk", + "structural", + "threat" ], "meta:enum": { "architecture": "System or software architecture model", + "behavioral": "System behavior model", + "conceptual": "High-level conceptual model", "dataFlow": "Data flow model showing how data moves through the system", - "process": "Business or system process model", "deployment": "Deployment or infrastructure model", + "logical": "Logical system model", "network": "Network topology or connectivity model", - "threat": "Security threat model", - "risk": "Risk assessment model", - "privacy": "Privacy impact assessment model", "operational": "Operational model", - "conceptual": "High-level conceptual model", - "logical": "Logical system model", "physical": "Physical infrastructure model", - "behavioral": "System behavior model", - "structural": "System structure model" + "privacy": "Privacy impact assessment model", + "process": "Business or system process model", + "risk": "Risk assessment model", + "structural": "System structure model", + "threat": "Security threat model" } } } }, { + "title": "Custom Model Type", + "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or 
domain-specific model categories.", "required": ["name"], "additionalProperties": false, "properties": { "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Custom model type name" }, "description": { "type": "string", + "title": "Description", "description": "Description of the custom model type" } } 
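Review bot: The `useCases` item schema in this hunk composes `cyclonedx-usecase-2.0.schema.json#/$defs/useCase` with three extra properties through `allOf`, but if `useCase` is closed with `"additionalProperties": false` — as `blueprint` itself and every other object in this hunk are — any use case that carries `assets`, `flows` or `requirements` will fail validation, because `additionalProperties` in the referenced branch cannot see properties declared in the sibling branch. I cannot see the usecase schema here, so this needs checking against it; the draft 2020-12 fix is to leave `useCase` open and close the composed item with `"unevaluatedProperties": false` beside the `allOf`, which also rejects misspelt keys that the current open composition accepts silently. Separately, `requirements` is the only collection in `blueprint` without `"title"` and `"uniqueItems": true`, and nothing constrains the `refType` values in `assets`, `flows` and `requirements` to a `bom-ref` that actually exists in this blueprint, so dangling references can only be caught by a consumer. The blueprint `$defs` object continues past this hunk.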
@@ -267,88 +263,106 @@ }, "methodology": { "type": "object", + "title": "Methodology", + "description": "The modelling methodology used, either a predefined type or a custom named methodology.", "oneOf": [ { + "title": "Predefined Methodology", + "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", "required": ["type"], "additionalProperties": false, "properties": { "type": { "type": "string", + "title": "Pre-Defined Type", "enum": [ - "C4", - "UML", - "TOGAF", + "4+1", "Archimate", + "ATFAA", "BPMN", + "C4", "DFD", - "ERD", - "4+1", - "Zachman", - "SABSA", "DODAF", + "ERD", + "IDEF", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK", "MODAF", "NAF", - "Kruchten", - "IDEF", - "SysML", - "STRIDE", + "OWASP", "PASTA", - "LINDDUN", - "OCTAVE", - "ISO27005", - "NIST", - "FAIR" + "SABSA", + "STRIDE", + "SysML", + "TOGAF", + "TRIKE", + "UML", + "VAST", + "Zachman", + "attackTree" ], "meta:enum": { - "C4": "C4 Model for software architecture", - "UML": "Unified Modeling Language", - "TOGAF": "The Open Group Architecture Framework", + "4+1": "4+1 Architectural View Model", "Archimate": "Enterprise architecture modeling language", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", "BPMN": "Business Process Model and Notation", + "C4": "C4 Model for software architecture", "DFD": "Data Flow Diagrams", - "ERD": "Entity Relationship Diagrams", - "4+1": "4+1 Architectural View Model", - "Zachman": "Zachman Framework", - "SABSA": "Sherwood Applied Business Security Architecture", "DODAF": "Department of Defense Architecture Framework", + "ERD": "Entity Relationship Diagrams", + "IDEF": "Integration Definition Methods", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome", + "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures 
framework", "MODAF": "Ministry of Defence Architecture Framework", "NAF": "NATO Architecture Framework", - "Kruchten": "Kruchten's 4+1 View Model", - "IDEF": "Integration Definition Methods", - "SysML": "Systems Modeling Language", - "STRIDE": "Microsoft's threat modeling methodology", + "OWASP": "OWASP threat modelling methodology", "PASTA": "Process for Attack Simulation and Threat Analysis", - "LINDDUN": "Privacy threat modeling methodology", - "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", - "ISO27005": "ISO/IEC 27005 Information security risk management", - "NIST": "NIST Risk Management Framework", - "FAIR": "Factor Analysis of Information Risk" + "SABSA": "Sherwood Applied Business Security Architecture", + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege", + "SysML": "Systems Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "TRIKE": "Risk-based threat modelling methodology", + "UML": "Unified Modeling Language", + "VAST": "Visual, Agile, and Simple Threat modelling", + "Zachman": "Zachman Framework", + "attackTree": "Attack tree methodology for structured threat analysis" } }, "version": { "type": "string", + "title": "Version", "description": "Version of the methodology" } } }, { + "title": "Custom Methodology", + "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.", "required": ["name"], "additionalProperties": false, "properties": { "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Custom methodology name" }, "version": { "type": "string", + "title": "Version", "description": "Version of the methodology" }, "description": { "type": "string", + "title": "Description", "description": "Description of the custom methodology" }, "externalReferences": { "type": "array", + "title": "External References", + 
"uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" } 
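Review bot: The new methodology `type` enum mixes identifier styles — `MITRE-ATTACK` is hyphenated upper case, `attackTree` is camelCase, and the rest are vendor spellings such as `Archimate` and `SysML` — so consumers cannot normalise or extend the value set predictably, and renaming after publication breaks documents. Picking one convention for the newly added entries now (upper case with `_`, or camelCase for all of them) would avoid that. The custom methodology's `externalReferences` is also still declared inline as an array of `externalReference` items, while the `asset` hunk later in this same commit switches to `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"`; using the shared definition here as well keeps the two aligned.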
@@ -357,105 +371,15 @@ } ] }, - "perspective": { - "type": "object", - "required": ["bom-ref", "type", "name"], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for the perspective" - }, - "type": { - "type": "string", - "enum": [ - "business", - "technical", - "user", - "operational", - "development", - "architectural", - "functional", - "informational", - "contextual", - "conceptual", - "logical", - "physical", - "security", - "compliance", - "risk", - "stakeholder", - "design-review", - "custom" - ], - "meta:enum": { - "business": "Business stakeholder perspective", - "technical": "Technical implementation perspective", - "user": "End user or customer perspective", - "operational": "Operations and maintenance perspective", - "development": "Software development perspective", - "architectural": "System architecture perspective", - "functional": "Functional requirements perspective", - "informational": "Information and data perspective", - "contextual": "Business context perspective", - "conceptual": "High-level conceptual perspective", - "logical": "Logical design perspective", - "physical": "Physical implementation perspective", - "security": "Security perspective", - "compliance": "Regulatory compliance perspective", - "risk": "Risk management perspective", - "stakeholder": "General stakeholder perspective", - "custom": "Custom or other perspective" - } - }, - "name": { - "type": "string", - "description": "Name of the perspective" - }, - "description": { - "type": "string", - "description": "Detailed description of the perspective and its focus" - }, - "role": { - "type": "string", - "description": "The role or persona associated with this perspective" - }, - "objectives": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Primary objectives or goals from this perspective" - }, - "concerns": { - "type": "array", - "items": 
{ - "type": "string" - }, - "description": "Primary concerns from this perspective" - }, - "viewpoint": { - "type": "string", - "description": "The architectural viewpoint this perspective represents" - }, - "scope": { - "type": "string", - "description": "The scope of this perspective" - }, - "properties": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property" - } - } - } - }, "blueprintMetadata": { "type": "object", + "title": "Blueprint Metadata", + "description": "Metadata about the creation, review, and approval of the blueprint.", "additionalProperties": false, "properties": { "timestamp": { "type": "string", + "title": "Timestamp", "format": "date-time", "description": "When the blueprint was created or last updated" }, @@ -469,6 +393,7 @@ }, "reviewDate": { "type": "string", + "title": "Review Date", "format": "date-time", "description": "When the blueprint was reviewed" }, @@ -478,6 +403,7 @@ }, "approvalDate": { "type": "string", + "title": "Approval Date", "format": "date-time", "description": "When the blueprint was approved" }, @@ -494,20 +420,25 @@ }, "validityPeriod": { "type": "object", + "title": "Validity Period", + "description": "The period during which the blueprint is considered valid.", "additionalProperties": false, "properties": { "start": { "type": "string", + "title": "Start", "format": "date-time", "description": "When the blueprint becomes valid" }, "end": { "type": "string", + "title": "End", "format": "date-time", "description": "When the blueprint expires" }, "reviewFrequency": { "type": "string", + "title": "Review Frequency", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" } 
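Review bot: The `perspective` definition is deleted in the `@@ -357` hunk, but nothing visible shows whether every remaining `$ref` to `#/$defs/perspective` (for example from the blueprint's top-level properties) was removed too; a dangling reference makes the whole schema fail to load rather than a single document fail validation. Compiling the complete file with a 2020-12 validator before merge would confirm this. If the concept is intentionally dropped rather than moved, a short `$comment` on `$defs` recording the removal would help readers of the 2.0 draft.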
@@ -515,6 +446,8 @@ }, "scope": { "type": "object", + "title": "Scope", + "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.", "required": ["name"], "additionalProperties": false, "properties": { @@ -523,21 +456,29 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the scope" }, "description": { "type": "string", + "title": "Description", "description": "Description of what is included and excluded from the model" }, "boundaries": { "type": "array", + "title": "Boundaries", + "uniqueItems": true, "items": { - "type": "string" + "type": "string", + "minLength": 1 }, "description": "Explicit boundaries of the model" }, "includedComponents": { "type": "array", + "title": "Included Components", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, @@ -545,6 +486,8 @@ }, "excludedComponents": { "type": "array", + "title": "Excluded Components", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, @@ -557,7 +500,8 @@ }, "asset": { "type": "object", - "required": ["bom-ref", "type", "name"], + "title": "Asset", + "description": "A component, service, data store, or other element included in the blueprint model.", "additionalProperties": false, "properties": { "bom-ref": { 
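Review bot: `includedComponents` and `excludedComponents` on `scope` are both arrays of `refType` with nothing keeping them disjoint, so a document can list the same ref in both and still validate, and the hunk does not say which takes precedence. JSON Schema cannot express the disjointness, so the descriptions should carry the contract, e.g. `"description": "References to components explicitly excluded from the model; a ref must not appear in both includedComponents and excludedComponents"`, and consumers should treat an overlap as an error rather than silently choosing one.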
@@ -574,57 +518,73 @@ }, "type": { "type": "string", + "title": "Asset Type", "enum": [ + "actor", + "agent", + "api", + "broker", + "cache", "component", - "service", - "dataStore", + "container", "data", - "actor", - "process", - "infrastructure", + "dataStore", "device", - "network", - "container", + "endpoint", "function", - "api", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "other", + "process", "queue", + "resource", + "service", "stream", - "system", "subsystem", - "module", - "interface", - "endpoint", - "resource" + "system" ], "meta:enum": { + "actor": "User, system, or external entity", + "agent": "Autonomous AI or software agent", + "api": "API endpoint or interface", + "broker": "Message broker or event bus infrastructure", + "cache": "Caching layer or in-memory data store", "component": "Software component or application", - "service": "Service or microservice", - "dataStore": "Database, file system, or data repository", + "container": "Container or orchestration unit", "data": "Dataset", - "actor": "User, system, or external entity", - "process": "Business or system process", - "infrastructure": "Infrastructure component", + "dataStore": "Database, file system, or data repository", "device": "Physical or IoT device", - "network": "Network segment or resource", - "container": "Container or orchestration unit", + "endpoint": "Service endpoint or URL", "function": "Serverless function or lambda", - "api": "API endpoint or interface", - "queue": "Message queue or event bus", + "gateway": "API gateway, load balancer, or proxy", + "infrastructure": "Infrastructure component", + "interface": "System interface or contract", + "model": "AI or machine learning model", + "module": "Software module or package", + "network": "Network segment or resource", + "other": "Asset type not covered by predefined values", + "process": "Business or system process", + "queue": "Message queue or task queue", + "resource": "Generic 
resource or artifact", + "service": "Service or microservice", "stream": "Data stream or event stream", - "system": "Complete system or application", "subsystem": "Part of a larger system", - "module": "Software module or package", - "interface": "System interface or contract", - "endpoint": "Service endpoint or URL", - "resource": "Generic resource or artifact" + "system": "Complete system or application" } }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the asset" }, "description": { "type": "string", + "title": "Description", "description": "Description of the asset's role and purpose" }, "zone": { @@ -638,22 +598,23 @@ "classification": { "$ref": "#/$defs/assetClassification" }, - "attributes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Generic attributes or tags for the asset" + "tags": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags" }, "responsibilities": { "type": "array", + "title": "Responsibilities", + "uniqueItems": true, "items": { - "type": "string" + "type": "string", + "minLength": 1 }, "description": "Responsibilities or functions of this asset" }, "interfaces": { "type": "array", + "title": "Interfaces", + "uniqueItems": true, "items": { "$ref": "#/$defs/interface" }, @@ -661,6 +622,8 @@ }, "dependencies": { "type": "array", + "title": "Dependencies", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, 
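Review bot: The asset `type` enum now contains `actor` and `agent`, while this same commit introduces a dedicated `actor` definition (later in the diff) whose own `type` enum also includes `agent`, so a human or AI agent can be modelled either as an asset or as an actor and a consumer cannot tell from a flow's `source` which form was meant. If both forms are intended, the `meta:enum` text here should say when each applies, for example `"actor": "User, system, or external entity modelled as an asset; use the actor definition when permissions or delegation must be captured"`. I am inferring the overlap from the two enums visible in this diff; if `actor` assets are slated for removal, this can be ignored.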
@@ -668,24 +631,30 @@ }, "useCases": { "type": "array", + "title": "Use Cases", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "description": "References to use cases that involve this asset" + "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." }, "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { "$ref": "#/$defs/authenticationType" }, "description": "Authentication methods supported/required" }, "authorization": { - "$ref": "#/$defs/accessControlType", - "description": "Access control model used" - }, - "encryption": { - "$ref": "#/$defs/encryptionType" + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" }, "ownership": { "$ref": "#/$defs/ownership" 
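Review bot: The `encryption` property is removed from `asset` here with no replacement, and the same removal appears in `dataStore` (the `@@ -773` hunk), `crossingRequirements` (`@@ -1005`) and `flow` (`@@ -1090`), leaving the boolean `placements.encrypted` on `dataSet` as the only place a model can assert encryption; protection of data in transit for a flow or a boundary crossing can no longer be expressed at all. For a threat-modelling schema that is a loss of security-relevant expressiveness, since encryption at trust boundaries is exactly what a reviewer checks. If `encryptionType` was dropped deliberately (perhaps folded into `dataProfile` or a cryptography schema not visible here), a `$comment` on `asset` pointing to the replacement would stop the gap reading as an oversight; otherwise consider re-adding an `encryption` array mirroring the new `authentication`/`authorization` arrays.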
@@ -694,15 +663,31 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" }, "externalReferences": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - } + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" } - } + }, + "oneOf": [ + { + "title": "Component Reference Asset", + "description": "An asset defined by reference to a component declared elsewhere in the BOM.", + "required": ["bom-ref", "componentRef"] + }, + { + "title": "Service Reference Asset", + "description": "An asset defined by reference to a service declared elsewhere in the BOM.", + "required": ["bom-ref", "serviceRef"] + }, + { + "title": "Inline Asset", + "description": "An asset defined inline within the blueprint with an explicit type and name.", + "required": ["bom-ref", "type", "name"] + } + ] }, "dataStore": { "type": "object", + "title": "Data Store", + "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.", "required": ["bom-ref", "name", "type"], "additionalProperties": false, "properties": { 
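Review bot: The new `oneOf` on `asset` requires `componentRef` or `serviceRef` in its first two branches, but neither property appears in the visible `properties` block and `additionalProperties` is `false`; if they are not declared in the unchanged context lines, those branches can never validate and every asset is forced back to the inline form. The third branch also means an inline asset (`type` + `name`) that additionally carries `componentRef` matches two branches and is rejected by `oneOf`; if that dual form is meant to be legal, `anyOf` is the intended keyword. A `description` on the `oneOf` stating that exactly one of `componentRef`, `serviceRef`, or inline `type`/`name` must be present would make the contract explicit to producers.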
@@ -711,61 +696,100 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the data store" }, "description": { "type": "string", + "title": "Description", "description": "Purpose and contents of the store" }, "type": { "type": "string", + "title": "Type", "enum": [ - "sql", - "keyValue", + "blob", + "blockchain", + "cache", + "columnFamily", + "custom", + "dataLake", + "dataWarehouse", "document", - "object", + "eventLog", + "file", "graph", + "inMemory", + "keyValue", + "messageQueue", + "object", + "other", + "registry", + "search", + "spatial", + "sql", "timeSeries", - "file", - "blob", - "cache", - "custom" + "vector" ], "meta:enum": { - "sql": "Relational database", - "keyValue": "Key-value store", + "blob": "Binary/blob storage", + "blockchain": "Distributed ledger or blockchain storage", + "cache": "Caching tier", + "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", + "custom": "Custom or mixed storage technology", + "dataLake": "Data lake or lakehouse for raw and semi-structured data", + "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", "document": "Document database (e.g., MongoDB)", - "object": "Object storage", + "eventLog": "Event log or append-only streaming store (e.g., Kafka)", + "file": "File system or NAS", "graph": "Graph database", + "inMemory": "In-memory data store used as a primary store", + "keyValue": "Key-value store", + "messageQueue": "Message queue or broker with persistent storage", + "object": "Object storage", + "other": "Other storage technology not listed", + "registry": "Configuration or service registry (e.g., etcd, Consul)", + "search": "Search index or full-text search engine (e.g., Elasticsearch)", + "spatial": "Spatial or geospatial database", + "sql": "Relational database", "timeSeries": "Time-series database", - "file": "File system or NAS", - "blob": "Binary/blob storage", - "cache": "Caching tier", - "custom": "Other or mixed 
storage technology" + "vector": "Vector database for embeddings and similarity search" } }, "vendor": { - "type": "string" + "type": "string", + "title": "Vendor", + "description": "The vendor or publisher of the data store product" }, "product": { - "type": "string" + "type": "string", + "title": "Product", + "description": "The name of the data store product" }, "version": { - "type": "string" + "type": "string", + "title": "Version", + "description": "The version of the data store product" }, "environment": { "type": "string", + "title": "Environment", "description": "Deployment environment (prod, test, etc.)" }, - "trustZone": { - "$ref": "#/$defs/trustZoneRef" + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone where the asset resides" }, "location": { "type": "string", + "title": "Location", "description": "Physical or logical hosting location" }, "technologies": { "type": "array", + "title": "Technologies", + "uniqueItems": true, "items": { "type": "string" }, @@ -773,16 +797,21 @@ }, "dataSets": { "type": "array", + "title": "Data Sets", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, "description": "References to data sets stored here" }, - "accessControl": { - "$ref": "#/$defs/accessControlType" - }, - "encryption": { - "$ref": "#/$defs/encryptionType" + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
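Review bot: The `dataStore` `type` enum now carries both `custom` ("Custom or mixed storage technology") and `other` ("Other storage technology not listed"), which overlap and leave producers guessing which to use; the `asset`, `zone`, and `boundary` enums in this commit settled on `other` alone, so dropping `custom` here or marking it deprecated in `meta:enum` would keep the vocabulary consistent. The new `zone` description reads `"Reference to the zone where the asset resides"` although this object is a data store; `"Reference to the zone where the data store resides"` matches the rest of the definition.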
@@ -791,6 +820,8 @@ }, "dataSet": { "type": "object", + "title": "Data Set", + "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.", "required": ["bom-ref", "name", "description"], "additionalProperties": false, "properties": { 
@@ -799,43 +830,50 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the dataset" }, "description": { "type": "string", + "title": "Description", + "minLength": 1, "description": "What information is contained and why it exists" }, - "classification": { - "$ref": "#/$defs/dataClassification" - }, - "dataTypes": { - "type": "array", - "items": { - "$ref": "#/$defs/dataObjectType" - }, - "description": "Categories of data stored (PII, PHI, etc.)" + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" }, "recordCount": { "type": "integer", + "title": "Record Count", "description": "Approximate number of records" }, "owners": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" - }, - "regulations": { "type": "array", + "title": "Owners", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" }, - "description": "Applicable regulations or contracts" + "description": "Individuals or organizational entities that own the dataset" }, - "accessControl": { - "$ref": "#/$defs/accessControlType" + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" }, "placements": { "type": "array", + "title": "Placements", + "uniqueItems": true, "items": { "type": "object", + "title": "Placement", + "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.", "required": ["dataStore"], "additionalProperties": false, "properties": { 
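Review bot: `recordCount` on `dataSet` is an unbounded `integer`, so a negative count validates; adding `"minimum": 0` would match the `minimum` this commit already applies to `sequence` on `flow`. The `regulations` array is removed together with `classification` and `dataTypes` in favour of `dataProfile` from `cyclonedx-data-2.0.schema.json`; if that profile does not carry applicable regulations or contracts, the dataset loses a compliance attribute the previous schema captured, which is worth confirming before merge.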
@@ -845,14 +883,17 @@ }, "encrypted": { "type": "boolean", + "title": "Encrypted", "description": "Whether the dataset is encrypted at this location" }, "retention": { "type": "string", + "title": "Retention", "description": "Retention policy for this placement" }, "replicated": { "type": "boolean", + "title": "Replicated", "description": "Indicates if this placement is a replica" } } @@ -911,6 +952,8 @@ }, "zone": { "type": "object", + "title": "Zone", + "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.", "required": ["bom-ref", "name", "type"], "additionalProperties": false, "properties": { @@ -919,24 +962,37 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the zone" }, "description": { "type": "string", + "title": "Description", "description": "Description of the zone's characteristics" }, "type": { "type": "string", - "enum": ["trust", "network", "physical", "logical", "deployment", "organizational", "functional", "security"], + "title": "Type", + "enum": [ + "deployment", + "functional", + "logical", + "network", + "organizational", + "other", + "physical", + "trust" + ], "meta:enum": { - "trust": "Security trust zone", - "network": "Network segmentation zone", - "physical": "Physical location or boundary", - "logical": "Logical grouping or boundary", "deployment": "Deployment environment (e.g., dev, staging, prod)", - "organizational": "Organizational or administrative boundary", "functional": "Functional grouping", - "security": "Security zone or perimeter" + "logical": "Logical grouping or boundary", + "network": "Network segmentation zone", + "organizational": "Organizational or administrative boundary", + "other": "Other zone type not listed", + "physical": "Physical location or boundary", + "trust": "Security trust zone" } }, "parent": { 
@@ -945,6 +1001,8 @@ }, "characteristics": { "type": "array", + "title": "Characteristics", + "uniqueItems": true, "items": { "type": "string" }, @@ -952,6 +1010,8 @@ }, "constraints": { "type": "array", + "title": "Constraints", + "uniqueItems": true, "items": { "type": "string" }, @@ -964,6 +1024,8 @@ }, "boundary": { "type": "object", + "title": "Boundary", + "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", "required": ["bom-ref", "zones"], "additionalProperties": false, "properties": { @@ -972,23 +1034,38 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the boundary" }, "type": { "type": "string", - "enum": ["trust", "network", "process", "data", "physical", "organizational", "functional"], + "title": "Type", + "enum": [ + "data", + "functional", + "network", + "organizational", + "other", + "physical", + "process", + "trust" + ], "meta:enum": { - "trust": "Trust boundary between different security zones", - "network": "Network boundary or firewall", - "process": "Process or execution boundary", "data": "Data classification boundary", - "physical": "Physical security boundary", + "functional": "Functional boundary", + "network": "Network boundary or firewall", "organizational": "Organizational boundary", - "functional": "Functional boundary" + "other": "A boundary type not covered by the predefined enumeration", + "physical": "Physical security boundary", + "process": "Process or execution boundary", + "trust": "Trust boundary between different security zones" } }, "zones": { "type": "array", + "title": "Zones", + "uniqueItems": true, "minItems": 2, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" 
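Review bot: The `characteristics` and `constraints` arrays on `zone` gain `uniqueItems` but their `items` stay a bare `"type": "string"`, whereas `boundaries` and `responsibilities` in this same commit add `"minLength": 1` to their string items; the same bare form is used for `technologies` on `dataStore`, `protocols` on `crossingRequirements` and `flow`, and `permissions` on `actor`. An empty string in a permissions or protocols list is almost certainly a data-entry error rather than a meaningful value, so applying `{ "type": "string", "minLength": 1 }` uniformly across these arrays closes the gap consistently.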
@@ -1005,45 +1082,57 @@ }, "crossingRequirements": { "type": "object", + "title": "Crossing Requirements", + "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", "additionalProperties": false, "properties": { "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { "$ref": "#/$defs/authenticationType" }, "description": "Authentication required to cross this boundary" }, "authorization": { - "$ref": "#/$defs/accessControlType", - "description": "Access control model at this boundary" + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models enforced at this boundary" }, "dataValidation": { "type": "boolean", + "title": "Data Validation", "description": "Whether data is validated when crossing this boundary" }, "dataTransformation": { "type": "boolean", + "title": "Data Transformation", "description": "Whether data is transformed when crossing this boundary" }, - "encryption": { - "$ref": "#/$defs/encryptionType", - "description": "Encryption requirements for crossing this boundary" - }, "logging": { "type": "boolean", + "title": "Logging", "description": "Whether crossings are logged" }, "monitoring": { "type": "boolean", + "title": "Monitoring", "description": "Whether crossings are monitored" }, "rateLimit": { "type": "string", + "title": "Rate Limit", "description": "Rate limiting policy" }, "protocols": { "type": "array", + "title": "Protocols", + "uniqueItems": true, "items": { "type": "string" }, 
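Review bot: `dataValidation`, `dataTransformation`, `logging`, and `monitoring` in `crossingRequirements` are optional booleans with no `default`, so an omitted value is indistinguishable from an unassessed control yet a consumer may read absence as `false`; for controls at a trust boundary that distinction matters to whoever consumes the model. Either spell out the three-state meaning in each description, e.g. `"description": "Whether crossings are logged; omit when not assessed"`, or declare a `default` explicitly as `bidirectional` does on `flow`. `rateLimit` remains free text; a note on the expected form in its description would help tooling compare policies across boundaries.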
@@ -1053,6 +1142,8 @@ }, "flow": { "type": "object", + "title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", "required": ["bom-ref", "name", "source", "destination", "type"], "additionalProperties": false, "properties": { @@ -1061,23 +1152,41 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name or description of the flow" }, "description": { "type": "string", + "title": "Description", "description": "Detailed description of what flows and why" }, "type": { "type": "string", - "enum": ["data", "control", "process", "message", "event", "dependency", "interaction"], + "title": "Type", + "enum": [ + "control", + "data", + "dependency", + "event", + "interaction", + "message", + "other", + "physical", + "process", + "signal" + ], "meta:enum": { - "data": "Data or information flow", "control": "Control or command flow", - "process": "Business process flow", - "message": "Message or communication flow", - "event": "Event or notification flow", + "data": "Data or information flow", "dependency": "Dependency relationship", - "interaction": "User or system interaction" + "event": "Event or notification flow", + "interaction": "User or system interaction", + "message": "Message or communication flow", + "other": "A flow type not covered by the predefined enumeration", + "physical": "Physical movement of goods or materials", + "process": "Business process flow", + "signal": "Hardware or system signal" } }, "source": { 
@@ -1090,52 +1199,127 @@ }, "bidirectional": { "type": "boolean", + "title": "Bidirectional", "default": false, "description": "Whether flow occurs in both directions" }, "synchronous": { "type": "boolean", + "title": "Synchronous", "description": "Whether the flow is synchronous or asynchronous" }, "volume": { "type": "string", + "title": "Volume", "description": "Expected volume or frequency of flow" }, - "timing": { + "timing": { + "type": "string", + "title": "Timing", + "description": "Timing characteristics (real-time, batch, scheduled)" + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Communication protocols used by this flow" + }, + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" + }, + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required for this flow" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models enforced on this flow" + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "actor": { + "type": "object", + "title": "Actor", + "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { "type": "string", - "description": "Timing characteristics (real-time, batch, scheduled)" + "title": "Name", + 
"minLength": 1, + "description": "Name or title of the actor" }, - "protocol": { + "description": { "type": "string", - "description": "Communication protocol used" + "title": "Description", + "description": "Narrative describing the actor's role and context" }, - "dataFormat": { + "type": { "type": "string", - "description": "Format of data in the flow" - }, - "classification": { - "$ref": "#/$defs/dataClassification" + "title": "Type", + "enum": [ + "administrator", + "agent", + "engineer", + "external", + "operator", + "other", + "system", + "user" + ], + "meta:enum": { + "administrator": "Administrative or privileged operator", + "agent": "Autonomous AI agent or intelligent software agent", + "engineer": "Developer or platform/DevOps engineer", + "external": "Third-party or external entity", + "operator": "Operational staff running the system", + "other": "An actor type not covered by the predefined enumeration", + "system": "Automated system actor or service account", + "user": "End user of a client application or service" + } }, - "dataObjects": { + "permissions": { "type": "array", + "title": "Permissions", + "uniqueItems": true, "items": { - "$ref": "#/$defs/dataObject" + "type": "string" }, - "description": "The data object(s) transported in this flow" - }, - "authentication": { - "type": "array", - "items": { - "$ref": "#/$defs/authenticationType" - } + "description": "Permissions, capabilities, or duties the actor holds" }, - "encryption": { - "$ref": "#/$defs/encryptionType" + "delegatedBy": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity" }, - "sequence": { - "type": "integer", - "minimum": 0, - "description": "Ordering hint so flows can be assembled into sequence diagrams" + "zone": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone where the actor resides" }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" @@ -1144,6 +1328,8 @@ }, "assumption": { "type": "object", + "title": "Assumption", + "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", "required": ["description"], "additionalProperties": false, "properties": { 
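Review bot: `delegatedBy` on the new `actor` definition is a bare `refType` with no statement that the target must be another `actor` and must not be this actor itself, so a self-reference or a delegation chain that loops validates cleanly; JSON Schema cannot express either constraint, so the description should carry it and consumers resolving who authorised an AI agent should detect cycles. Suggest extending the description with `; must reference a different actor, and delegation chains must be acyclic`. The enclosing `flow` rewrite at the top of this hunk and the `actor` object are both complete within the hunk, so no further context is needed.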
@@ -1152,47 +1338,87 @@ }, "description": { "type": "string", - "description": "The assumption being made" + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" }, "topic": { "type": "string", - "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"], - "description": "Topic of the assumption" + "title": "Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "other", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities", + "business": "Assumption about business requirements, constraints, or organizational context", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations", + "operational": "Assumption about operational procedures, staffing, or maintenance practices", + "other": "An assumption topic not covered by the predefined enumeration", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", + "security": "Assumption about threat landscape, trust boundaries, or security controls", + "technical": "Assumption about technology choices, capabilities, or technical constraints" + } }, "relatedAssets": { "type": "array", + "title": "Related Assets", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "description": "Assets this assumption relates to" + "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" }, "validity": { "type": "string", - "enum": ["unknown", "verified", "unverified", "invalid"], + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + 
"verified" + ], + "meta:enum": { + "invalid": "The assumption has been disproven or is no longer applicable", + "unknown": "The validity of the assumption has not yet been assessed", + "unverified": "The assumption has been identified but not yet validated", + "verified": "The assumption has been confirmed as true through validation" + }, "default": "unknown", - "description": "Whether the assumption has been validated" + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" }, "impact": { "type": "string", - "description": "Impact if this assumption proves false" + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" }, "owner": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "Who owns or is responsible for this assumption" + "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" }, "validationMethod": { "type": "string", - "description": "How this assumption can be validated" + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" }, "validationDate": { "type": "string", + "title": "Validation Date", "format": "date-time", - "description": "When the assumption was last validated" + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" } } }, "visualization": { "type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering 
format, and the elements depicted.", "required": ["name", "type"], "additionalProperties": false, "properties": { 
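Review bot: A `validity` of `verified` or `invalid` can be recorded with no `validationDate` or `validationMethod`, even though the new descriptions promise staleness tracking and re-evaluation keyed on that date. A conditional in the `assumption` object would close the gap: `"if": { "properties": { "validity": { "enum": ["verified", "invalid"] } }, "required": ["validity"] },` followed by `"then": { "required": ["validationDate"] }`. If that strictness is not wanted in a 2.0 draft, the `validity` description should at least state that `verified` is expected to be accompanied by `validationDate` and `validationMethod`. The `assumption` object opens before this hunk.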
@@ -1201,88 +1427,53 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name or title of the visualization" }, "description": { "type": "string", + "title": "Description", "description": "Description of what the visualization shows" }, "type": { - "type": "string", - "enum": [ - "architecture", - "dataFlow", - "sequence", - "state", - "deployment", - "network", - "process", - "useCase", - "component", - "class", - "entity", - "activity", - "collaboration", - "context", - "container", - "code" - ], - "meta:enum": { - "architecture": "System architecture diagram", - "dataFlow": "Data flow diagram (DFD)", - "sequence": "Sequence or interaction diagram", - "state": "State machine diagram", - "deployment": "Deployment or infrastructure diagram", - "network": "Network topology diagram", - "process": "Business process diagram", - "useCase": "Use case diagram", - "component": "Component diagram", - "class": "Class or object diagram", - "entity": "Entity relationship diagram", - "activity": "Activity or workflow diagram", - "collaboration": "Collaboration diagram", - "context": "Context diagram", - "container": "Container diagram (C4)", - "code": "Code structure diagram" - } + "$ref": "#/$defs/visualizationType" }, "format": { - "type": "string", - "enum": ["mermaid", "graphviz", "plantuml", "drawio", "svg", "png", "jpeg", "d3", "cytoscape", "visio", "archimate"], - "meta:enum": { - "mermaid": "Mermaid diagram language", - "graphviz": "GraphViz DOT language", - "plantuml": "PlantUML diagram language", - "drawio": "Draw.io/diagrams.net format", - "svg": "Scalable Vector Graphics", - "png": "Portable Network Graphics", - "jpeg": "JPEG image format", - "d3": "D3.js visualization", - "cytoscape": "Cytoscape graph format", - "visio": "Microsoft Visio format", - "archimate": "ArchiMate model format" - } + "$ref": "#/$defs/visualizationFormat" }, "content": { "type": "string", + "title": "Content", "description": "The diagram content (source 
code or base64 encoded image)" }, "url": { "type": "string", + "title": "URL", "format": "iri-reference", "description": "URL to the diagram if stored externally" }, "level": { "type": "string", - "enum": ["overview", "high", "medium", "detailed"], + "title": "Level", + "enum": [ + "detailed", + "high", + "medium", + "overview" + ], + "meta:enum": { + "detailed": "Fine-grained view showing implementation-level specifics", + "high": "High-level view showing major components and relationships", + "medium": "Intermediate view balancing breadth and depth", + "overview": "Top-level summary providing a broad perspective of the system" + }, "description": "Level of detail in the visualization" }, - "perspective": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the perspective this visualization represents" - }, "elements": { "type": "array", + "title": "Elements", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, @@ -1290,10 +1481,13 @@ }, "interactive": { "type": "boolean", + "title": "Interactive", "description": "Whether the visualization is interactive" }, "layers": { "type": "array", + "title": "Layers", + "uniqueItems": true, "items": { "type": "string" }, 
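Review bot: `content` carries either diagram source text or a base64-encoded image with nothing in the schema telling a consumer which, and formats such as `svg`, `drawio` and `mermaid` are markup that can embed scripts or external references. The description could spell out both the encoding and the trust expectation: `"description": "The diagram content. Text-based formats (e.g. mermaid, plantuml, graphviz, svg) are embedded as source; binary formats (png, jpeg) are base64 encoded. Consumers should treat the content as untrusted input and sanitise markup such as SVG before rendering it."`. The same caveat applies to `url`, which uses `iri-reference` and therefore admits relative references; tooling that dereferences it automatically should only do so against an allow-listed origin. The `visualization` object starts before this hunk.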
@@ -1304,6 +1498,144 @@ } } }, + "visualizationType": { + "type": "object", + "title": "Visualization Type", + "description": "The type of diagram or visual representation.", + "oneOf": [ + { + "title": "Predefined Visualization Type", + "description": "A visualization type selected from a predefined set of well-known diagram types.", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "activity", + "architecture", + "class", + "code", + "collaboration", + "component", + "container", + "context", + "dataFlow", + "deployment", + "entity", + "network", + "process", + "sequence", + "state", + "useCase" + ], + "meta:enum": { + "activity": "Activity or workflow diagram", + "architecture": "System architecture diagram", + "class": "Class or object diagram", + "code": "Code structure diagram", + "collaboration": "Collaboration diagram", + "component": "Component diagram", + "container": "Container diagram (C4)", + "context": "Context diagram", + "dataFlow": "Data flow diagram (DFD)", + "deployment": "Deployment or infrastructure diagram", + "entity": "Entity relationship diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "useCase": "Use case diagram" + } + } + } + }, + { + "title": "Custom Visualization Type", + "description": "A custom visualization type not covered by the predefined enumeration.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization type" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization type" + } + } + } + ] + }, + "visualizationFormat": { + "type": "object", + "title": "Visualization Format", + "description": "The 
rendering format or toolchain used to produce the visualization.", + "oneOf": [ + { + "title": "Predefined Visualization Format", + "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", + "required": ["format"], + "additionalProperties": false, + "properties": { + "format": { + "type": "string", + "title": "Format", + "enum": [ + "archimate", + "cytoscape", + "d3", + "drawio", + "graphviz", + "jpeg", + "mermaid", + "plantuml", + "png", + "svg", + "visio" + ], + "meta:enum": { + "archimate": "ArchiMate model format", + "cytoscape": "Cytoscape graph format", + "d3": "D3.js visualization", + "drawio": "Draw.io/diagrams.net format", + "graphviz": "GraphViz DOT language", + "jpeg": "JPEG image format", + "mermaid": "Mermaid diagram language", + "plantuml": "PlantUML diagram language", + "png": "Portable Network Graphics", + "svg": "Scalable Vector Graphics", + "visio": "Microsoft Visio format" + } + } + } + }, + { + "title": "Custom Visualization Format", + "description": "A custom visualization format not covered by the predefined enumeration.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization format" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization format" + } + } + } + ] + }, "assetClassification": { "type": "object", "additionalProperties": false, @@ -1315,7 +1647,7 @@ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity" }, "dataClassification": { - "$ref": "#/$defs/dataClassification" + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" }, "tier": { "type": "string", 
@@ -1344,138 +1676,13 @@ } } }, - "dataClassification": { - "type": "object", - "additionalProperties": false, - "properties": { - "level": { - "type": "string", - "enum": [ - "public", - "internal", - "confidential", - "restricted" - ], - "description": "Data sensitivity classification", - "meta:enum": { - "public": "Public information that can be freely shared", - "internal": "Internal use only within the organization", - "confidential": "Confidential information requiring protection", - "restricted": "Highly restricted information with limited access and special protection measures" - } - }, - "sensitivity": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity" - }, - "dataTypes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific types of data" - }, - "handling": { - "type": "string", - "description": "Data handling requirements" - }, - "retention": { - "type": "string", - "description": "Data retention requirements" - }, - "disposal": { - "type": "string", - "description": "Data disposal requirements" - }, - "regulations": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Applicable regulations" - } - } - }, - "dataObject": { - "type": "object", - "required": ["name"], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for this data object" - }, - "name": { - "type": "string", - "description": "Name of the transported data object" - }, - "description": { - "type": "string", - "description": "Additional details about the data contents" - }, - "classification": { - "$ref": "#/$defs/dataClassification", - "description": "Inline classification details for this data object" - }, - "classificationRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to a shared classification definition elsewhere in the model" - }, - "type": { - "$ref": 
"#/$defs/dataObjectType", - "description": "Type of data (PII, PHI, PCI, etc.)" - }, - "schema": { - "type": "string", - "description": "Reference to a schema contract or document describing the data structure" - }, - "format": { - "type": "string", - "description": "Serialization or encoding format (JSON, HL7, CSV, etc.)" - }, - "attributes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Key attributes or fields transported" - }, - "properties": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - } - } - }, - "dataObjectType": { - "type": "string", - "enum": [ - "pii", - "phi", - "pci", - "financial", - "intellectualProperty", - "telemetry", - "logs", - "credentials", - "safety", - "operational", - "custom" - ], - "description": "Common data object classifications", - "meta:enum": { - "pii": "Personally identifiable information", - "phi": "Protected health information", - "pci": "Payment card industry data", - "financial": "Financial statements or transaction data", - "intellectualProperty": "Intellectual property or trade secrets", - "telemetry": "System or product telemetry data", - "logs": "Operational or security log data", - "credentials": "Secrets, tokens, or credentials", - "safety": "Safety critical data or signals", - "operational": "Operational or process data", - "custom": "Other data types not covered by the enumerated values" - } + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" }, "ownership": { "type": "object", + "title": "Ownership", + "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.", "additionalProperties": false, "properties": { "owner": { 
@@ -1491,84 +1698,93 @@ "description": "Custodian responsible for protecting the asset" }, "users": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "type": "array", + "title": "Users", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, "description": "Primary users of the asset" } } }, "authenticationType": { "type": "string", + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity.", "enum": [ - "none", + "apiKey", "basic", "bearer", - "digest", "certificate", - "apiKey", + "custom", + "digest", + "fido2", + "jwt", + "kerberos", + "ldap", + "mfa", + "mTLS", + "none", + "ntlm", "oauth1", "oauth2", - "openIdConnect", + "oidc", "saml", - "kerberos", - "ntlm", - "jwt", - "custom" + "ssh" ], - "description": "Authentication method", "meta:enum": { - "none": "No authentication required", + "apiKey": "API key authentication", "basic": "Basic authentication (username/password)", "bearer": "Bearer token authentication", - "digest": "Digest authentication", "certificate": "Certificate-based authentication", - "apiKey": "API key authentication", + "custom": "Custom authentication method", + "digest": "Digest authentication", + "fido2": "FIDO2/WebAuthn passwordless authentication", + "jwt": "JSON Web Token authentication", + "kerberos": "Kerberos authentication", + "ldap": "LDAP directory authentication", + "mfa": "Multi-factor authentication", + "mTLS": "Mutual TLS authentication", + "none": "No authentication required", + "ntlm": "NTLM authentication", "oauth1": "OAuth 1.0 authentication", "oauth2": "OAuth 2.0 authentication", - "openIdConnect": "OpenID Connect authentication", + "oidc": "OpenID Connect authentication", "saml": "SAML authentication", - "kerberos": "Kerberos authentication", - "ntlm": "NTLM authentication", - "jwt": "JSON Web Token authentication", - "custom": "Custom authentication method" + 
"ssh": "SSH key authentication" } }, "authorizationType": { "type": "string", - "enum": ["none", "acl", "rbac", "abac", "mac", "dac", "pbac", "cbac", "custom"], - "description": "Authorization model", + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions.", + "enum": [ + "abac", + "acl", + "cbac", + "custom", + "dac", + "mac", + "none", + "other", + "pbac", + "rbac", + "rebac" + ], "meta:enum": { - "none": "No authorization controls", - "acl": "Access Control Lists", - "rbac": "Role-Based Access Control", "abac": "Attribute-Based Access Control", - "mac": "Mandatory Access Control", + "acl": "Access Control Lists", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model", "dac": "Discretionary Access Control", + "mac": "Mandatory Access Control", + "none": "No authorization controls", + "other": "Other authorization model not listed", "pbac": "Policy-Based Access Control", - "cbac": "Claims-Based Access Control", - "custom": "Custom authorization model" - } - }, - "encryptionType": { - "type": "object", - "additionalProperties": false, - "properties": { - "inTransit": { - "type": "boolean", - "description": "Whether data is encrypted in transit" - }, - "atRest": { - "type": "boolean", - "description": "Whether data is encrypted at rest" - }, - "inProcessing": { - "type": "boolean", - "description": "Whether data is encrypted during processing" - } + "rbac": "Role-Based Access Control", + "rebac": "Relationship-Based Access Control" } - }, - "trustZoneRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to a zone entry whose type is 'trust'" } } } diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json index 665ed5ed1..77c80cabf 100644 --- a/schema/2.0/model/cyclonedx-data-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json 
@@ -5,6 +5,206 @@ "title": "CycloneDX Data Model", "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { + "dataProfile": { + "type": "object", + "title": "Data Profile", + "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data profile" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." 
+ }, + "sensitivity": { + "type": "string", + "title": "Sensitivity", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "description": "Data sensitivity classification", + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access and special protection measures" + } + }, + "classification": { + "title": "Classification", + "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", + "oneOf": [ + { + "title": "Predefined Classification", + "description": "A predefined data classification from the enumeration.", + "type": "object", + "additionalProperties": false, + "required": ["type"], + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "credentials", + "financial", + "intellectualProperty", + "logs", + "operational", + "other", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "credentials": "Secrets, tokens, or credentials", + "financial": "Financial statements or transaction data", + "intellectualProperty": "Intellectual property or trade secrets", + "logs": "Operational or security log data", + "operational": "Operational or process data", + "other": "Other data classification not listed", + "pci": "Payment card industry data", + "phi": "Protected health information", + "pii": "Personally identifiable information", + "safety": "Safety critical data or signals", + "telemetry": "System or product telemetry data" + } + } + } + }, + { + "title": "Custom Classification", + "description": "A custom data classification not covered by the predefined enumeration.", + "type": "object", + "additionalProperties": false, + "required": ["name"], + "properties": { + "name": 
{ + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of a custom data classification not covered by the predefined enumeration" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data classification" + } + } + } + ] + }, + "dataFormats": { + "type": "array", + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Format of data" + }, + "dataTypes": { + "type": "array", + "title": "Data Types", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "schema": { + "type": "array", + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "Reference to schema contracts or documents describing the data structure." + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." 
+ }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." + }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." + }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." 
+ }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "dataClassification": { "type": "string", "title": "Data Classification", @@ -12,14 +212,19 @@ }, "dataSensitivity": { "type": "string", - "enum": ["public", "internal", "confidential", "restricted", "secret"], - "description": "Data sensitivity classification", + "title": "Data Sensitivity", + "description": "Classifies the sensitivity of data to indicate the level of protection required.", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], "meta:enum": { - "public": "Public information that can be freely shared", - "internal": "Internal use only within the organization", "confidential": "Confidential information requiring protection", - "restricted": "Highly restricted information with limited access", - "secret": "Secret information requiring special handling" + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access" } }, "dataGovernance": { 
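Review bot: `dataProfile.sensitivity` inlines the same four-value enum that `#/$defs/dataSensitivity` defines further down in this file, and the two `meta:enum` texts for `restricted` already differ ("...and special protection measures" vs "...with limited access"). Replacing the inline definition with `"sensitivity": { "$ref": "#/$defs/dataSensitivity" }` keeps the two from drifting. Also `schema` is an array of URIs but carries a singular name while the sibling arrays are plural (`dataFormats`, `dataTypes`); `schemas` would be consistent. Bear in mind that `"format": "uri"` on those items is annotation-only unless the validator is configured to assert formats, so it will not reject malformed references on its own.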
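Review bot: Dropping `secret` from `dataSensitivity` is a breaking change: any document that used it under the prior definition stops validating, and the hunk gives no mapping to `restricted`. If 2.0 is still pre-release that may be intended, but it should be recorded in the changelog or the schema `$comment`; otherwise keeping `"secret": "Secret information requiring special handling"` in the enum as a deprecated value would preserve compatibility.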
@@ -31,18 +236,21 @@ "custodians": { "type": "array", "title": "Data Custodians", + "uniqueItems": true, "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } }, "stewards": { "type": "array", "title": "Data Stewards", + "uniqueItems": true, "description": "Data stewards are responsible for data content, context, and associated business rules.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } }, "owners": { "type": "array", "title": "Data Owners", + "uniqueItems": true, "description": "Data owners are concerned with risk and appropriate access to data.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } } @@ -50,6 +258,8 @@ }, "dataGovernanceResponsibleParty": { "type": "object", + "title": "Data Governance Responsible Party", + "description": "An organizational entity or individual responsible for a specific data governance role.", "additionalProperties": false, "properties": { "organization": { @@ -74,20 +284,20 @@ }, "dataFlowDirection": { "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", "enum": [ + "bi-directional", "inbound", "outbound", - "bi-directional", "unknown" ], "meta:enum": { + "bi-directional": "Data flows in and out of the service.", "inbound": "Data that enters a service.", "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." + } } } } diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index a2bd70b0d..16f2e7798 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -330,14 +330,16 @@ "properties": { "level": { "type": "string", - "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], - "description": "Likelihood level", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", + "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"], "meta:enum": { - "rare": "Very unlikely to occur (< 10%)", - "unlikely": "Unlikely to occur (10-30%)", - "possible": "Possible to occur (30-60%)", - "likely": "Likely to occur (60-90%)", - "almostCertain": "Very likely to occur (> 90%)" + "certain": "Almost certain to occur (> 90% probability).", + "high": "Likely to occur (60-90% probability).", + "low": "Unlikely to occur (10-30% probability).", + "medium": "Possible to occur (30-60% probability).", + "veryHigh": "Very likely to occur (75-90% probability).", + "veryLow": "Very unlikely to occur (< 10% probability)." } }, "score": { 
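Review bot: The new probability bands overlap: `high` is "60-90%" while `veryHigh` is "75-90%" and `certain` is "> 90%", so an 80% likelihood maps to two levels. A monotone partition fixes this, e.g. `"high": "Likely to occur (60-75% probability)."` with `"veryHigh": "Very likely to occur (75-90% probability)."`, matching the lower bands, which are already contiguous (< 10, 10-30, 30-60). The removed `meta:enum` keys (`rare`, `unlikely`, ...) never matched the `enum`, so the commit does repair that mismatch; the `likelihood` object enclosing this hunk starts before it.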
@@ -365,6 +367,111 @@
 }
 }
 },
+ "likelihoodFactor": {
+ "type": "object",
+ "title": "Likelihood Factor",
+ "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.",
+ "required": ["name", "type"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.",
+ "minLength": 1
+ },
+ "type": {
+ "title": "Type",
+ "description": "The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.",
+ "oneOf": [
+ {
+ "title": "Predefined Likelihood Factor Type",
+ "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.",
+ "type": "string",
+ "additionalProperties": false,
+ "enum": [
+ "attackVector",
+ "controlEffectiveness",
+ "exploitMaturity",
+ "exposure",
+ "motivation",
+ "opportunity",
+ "other",
+ "threatCapability",
+ "vulnerability"
+ ],
+ "meta:enum": {
+ "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.",
+ "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.",
+ "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.",
+ "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.",
+ "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.",
+ "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.",
+ "other": "A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.",
+ "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.",
+ "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."
+ }
+ },
+ {
+ "title": "Custom Likelihood Factor Type",
+ "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.",
+ "type": "object",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the custom likelihood factor type.",
+ "minLength": 1
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment."
+ }
+ }
+ }
+ ]
+ },
+ "level": {
+ "type": "string",
+ "title": "Level",
+ "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.",
+ "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"],
+ "meta:enum": {
+ "certain": "This factor almost certainly contributes to risk realization (> 90% influence).",
+ "high": "This factor strongly contributes to risk realization (60-90% influence).",
+ "low": "This factor has limited contribution to risk realization (10-30% influence).",
+ "medium": "This factor moderately contributes to risk realization (30-60% influence).",
+ "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).",
+ "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)."
+ }
+ },
+ "score": {
+ "type": "number",
+ "title": "Score",
+ "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.",
+ "minimum": 0,
+ "maximum": 5
+ },
+ "weight": {
+ "type": "number",
+ "title": "Weight",
+ "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.",
+ "minimum": 0,
+ "maximum": 1
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
 "impact": {
 "type": "object",
 "required": ["level"],
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
index 4f08e1326..f54e09196 100644
--- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
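Review bot: `"additionalProperties": false` in the Predefined Likelihood Factor Type branch sits on a schema with `"type": "string"`; that keyword only constrains object instances, so it is a no-op here and suggests a restriction that does not exist. Remove that one line from the string branch; the Custom Likelihood Factor Type branch already carries it where it applies. Separately, nothing in the visible hunks references `#/$defs/likelihoodFactor` — the `level`/`score` hunk in this file adds no array of factors to the likelihood object — so unless a later commit wires it in, the definition is unreachable from the document root and validators will never apply it. The `weight` description promises a weighted average, but no sum or count constraint is expressible here, so a sentence stating that weights are advisory and not validated would avoid a false expectation.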
@@ -4,197 +4,200 @@
 "type": "null",
 "title": "CycloneDX Use Case Model",
 "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
- "properties": {
- "bom-ref": {
- "type": "string",
- "title": "BOM Reference",
- "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."
- },
- "name": {
- "type": "string",
- "title": "Name",
- "description": "The name or title of the use case."
- },
- "description": {
- "type": "string",
- "title": "Description",
- "description": "A detailed description of the use case."
- },
- "actors": {
- "type": "array",
- "title": "Actors",
- "description": "The stakeholders or users who interact with the system in this use case.",
- "items": {
- "type": "string"
- }
- },
- "preconditions": {
- "type": "array",
- "title": "Preconditions",
- "description": "Conditions that must be true before the use case can be executed.",
- "items": {
- "type": "string"
- }
- },
- "postconditions": {
- "type": "array",
- "title": "Postconditions",
- "description": "Conditions that will be true after the use case has been successfully executed.",
- "items": {
- "type": "string"
- }
- },
- "mainFlow": {
- "type": "array",
- "title": "Main Flow",
- "description": "The primary sequence of steps that describe the use case.",
- "items": {
- "$ref": "#/$defs/step"
- }
- },
- "alternativeFlows": {
- "type": "array",
- "title": "Alternative Flows",
- "description": "Alternative sequences of steps that may occur in the use case.",
- "items": {
- "$ref": "#/$defs/flow"
- }
- },
- "exceptions": {
+ "$defs": {
+ "useCases": {
 "type": "array",
- "title": "Exceptions",
- "description": "Error scenarios that may 
occur during the execution of the use case.",
+ "title": "Use Cases",
+ "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/exception"
- }
+ "$ref": "#/$defs/useCase"
+ },
+ "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals."
 },
- "successCriteria": {
- "type": "array",
- "title": "Success Criteria",
- "description": "Criteria that determine whether the use case has been successfully executed.",
- "items": {
- "type": "string"
- }
- },
- "notes": {
- "type": "array",
- "title": "Notes",
- "description": "Additional information or comments about the use case.",
- "items": {
- "type": "string"
+ "useCase": {
+ "type": "object",
+ "title": "Use Case",
+ "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.",
+ "required": ["name"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow."
+ },
+ "preconditions": {
+ "type": "array",
+ "title": "Preconditions",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."
+ },
+ "postconditions": {
+ "type": "array",
+ "title": "Postconditions",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."
+ },
+ "mainFlow": {
+ "type": "array",
+ "title": "Main Flow",
+ "items": {
+ "$ref": "#/$defs/step"
+ },
+ "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."
+ },
+ "alternativeFlows": {
+ "type": "array",
+ "title": "Alternative Flows",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/flow"
+ },
+ "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."
+ },
+ "exceptions": {
+ "type": "array",
+ "title": "Exceptions",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/exception"
+ },
+ "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."
+ },
+ "successCriteria": {
+ "type": "array",
+ "title": "Success Criteria",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."
+ },
+ "notes": {
+ "type": "array",
+ "title": "Notes",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ },
+ "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
 }
 },
- "properties": {
- "type": "array",
- "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
- "items": {
- "$ref": "#/$defs/property"
- }
- }
- },
- "$defs": {
 "step": {
 "type": "object",
 "title": "Step",
- "description": "A single step in a use case flow.",
+ "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.",
+ "required": ["number", "description"],
 "additionalProperties": false,
 "properties": {
 "number": {
 "type": "integer",
 "title": "Number",
- "description": "The sequence number of the step."
+ "minimum": 1,
+ "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1."
 },
 "description": {
 "type": "string",
 "title": "Description",
- "description": "A description of the step."
+ "minLength": 1,
+ "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."
 },
 "actor": {
- "type": "string",
- "title": "Actor",
- "description": "The actor who performs this step."
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."
 }
 }
 },
 "flow": {
 "type": "object",
 "title": "Flow",
- "description": "A sequence of steps in a use case.",
+ "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.",
+ "required": ["name", "condition"],
 "additionalProperties": false,
 "properties": {
 "name": {
 "type": "string",
 "title": "Name",
- "description": "The name of the flow."
+ "minLength": 1,
+ "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."
 },
 "description": {
 "type": "string",
 "title": "Description",
- "description": "A description of the flow."
+ "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."
 },
 "condition": {
 "type": "string",
 "title": "Condition",
- "description": "The condition under which this alternative flow is executed."
+ "minLength": 1,
+ "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path."
 },
 "steps": {
 "type": "array",
 "title": "Steps",
- "description": "The sequence of steps in the flow.",
 "items": {
 "$ref": "#/$defs/step"
- }
+ },
+ "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."
 }
 }
 },
 "exception": {
 "type": "object",
 "title": "Exception",
- "description": "An error scenario in a use case.",
+ "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.",
+ "required": ["name", "condition"],
 "additionalProperties": false,
 "properties": {
 "name": {
 "type": "string",
 "title": "Name",
- "description": "The name of the exception."
+ "minLength": 1,
+ "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."
 },
 "description": {
 "type": "string",
 "title": "Description",
- "description": "A description of the exception."
+ "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."
 },
 "condition": {
 "type": "string",
 "title": "Condition",
- "description": "The condition under which this exception occurs."
+ "minLength": 1,
+ "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case."
 },
 "handling": {
 "type": "string",
 "title": "Handling",
- "description": "How the exception is handled."
- }
- }
- },
- "property": {
- "type": "object",
- "title": "Property",
- "description": "A name-value property.",
- "additionalProperties": false,
- "required": [
- "name",
- "value"
- ],
- "properties": {
- "name": {
- "type": "string",
- "title": "Name",
- "description": "The name of the property."
- },
- "value": {
- "type": "string",
- "title": "Value",
- "description": "The value of the property."
+ "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."
 }
 }
 }
From e4cd7d6351bbbded617ed938c8c4dda7be464723 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 4 Mar 2026 06:38:20 +0000
Subject: [PATCH 17/44] chore: update bundled schemas [skip ci]
---
 .../2.0/cyclonedx-2.0-bundled.min.schema.json | 2 +-
 schema/2.0/cyclonedx-2.0-bundled.schema.json | 4615 +++++++++++++----
 2 files changed, 3733 insertions(+), 884 deletions(-)
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index 54f292d09..e675ddb9f 100644
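Review bot: The new `bom-ref` property in `useCase` is a bare `$ref` and loses the `title` and `description` that the removed lines carried, while other models in this series keep them beside the reference (the bundled schema's model card `bom-ref` has `"title":"BOM Reference"` and a description next to its `$ref`). Add them back after the `$ref` line, e.g. `"title": "BOM Reference",` and `"description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."`. `mainFlow` and `flow.steps` also accept an empty array, so a flow with a `condition` but no steps validates; if an empty flow is not meaningful, `"minItems": 1` on both arrays would reject it. The `actors` and `step.actor` descriptions say the values are references via `refType` but not what kind of element the reference must resolve to; naming the target in the description would let consumers validate the link.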
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"modelTypes":{"type":"array","minItems":1,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","minItems":1,"description":"The modeling methodologies 
used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"perspectives":{"type":"array","description":"Different viewpoints or perspectives used in the model analysis","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/perspective"}},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"zones":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"assumptions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0"},{"properties":{"assets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets involved in this use case"},"flows":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to flows that are part of this use case"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirements implemented by this use case"}}}]},"description":"Use cases analyzed as part of 
the model"},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"description":"External references related to the blueprint"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},"description":"Additional properties and extensions"}},"$defs":{"modelType":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["architecture","dataFlow","process","deployment","network","threat","risk","privacy","operational","conceptual","logical","physical","behavioral","structural"],"meta:enum":{"architecture":"System or software architecture model","dataFlow":"Data flow model showing how data moves through the system","process":"Business or system process model","deployment":"Deployment or infrastructure model","network":"Network topology or connectivity model","threat":"Security threat model","risk":"Risk assessment model","privacy":"Privacy impact assessment model","operational":"Operational model","conceptual":"High-level conceptual model","logical":"Logical system model","physical":"Physical infrastructure model","behavioral":"System behavior model","structural":"System structure model"}}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom model type name"},"description":{"type":"string","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","oneOf":[{"required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["C4","UML","TOGAF","Archimate","BPMN","DFD","ERD","4+1","Zachman","SABSA","DODAF","MODAF","NAF","Kruchten","IDEF","SysML","STRIDE","PASTA","LINDDUN","OCTAVE","ISO27005","NIST","FAIR"],"meta:enum":{"C4":"C4 Model for 
software architecture","UML":"Unified Modeling Language","TOGAF":"The Open Group Architecture Framework","Archimate":"Enterprise architecture modeling language","BPMN":"Business Process Model and Notation","DFD":"Data Flow Diagrams","ERD":"Entity Relationship Diagrams","4+1":"4+1 Architectural View Model","Zachman":"Zachman Framework","SABSA":"Sherwood Applied Business Security Architecture","DODAF":"Department of Defense Architecture Framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","Kruchten":"Kruchten's 4+1 View Model","IDEF":"Integration Definition Methods","SysML":"Systems Modeling Language","STRIDE":"Microsoft's threat modeling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","LINDDUN":"Privacy threat modeling methodology","OCTAVE":"Operationally Critical Threat, Asset, and Vulnerability Evaluation","ISO27005":"ISO/IEC 27005 Information security risk management","NIST":"NIST Risk Management Framework","FAIR":"Factor Analysis of Information Risk"}},"version":{"type":"string","description":"Version of the methodology"}}},{"required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Custom methodology name"},"version":{"type":"string","description":"Version of the methodology"},"description":{"type":"string","description":"Description of the custom methodology"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"perspective":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the 
perspective"},"type":{"type":"string","enum":["business","technical","user","operational","development","architectural","functional","informational","contextual","conceptual","logical","physical","security","compliance","risk","stakeholder","custom"],"meta:enum":{"business":"Business stakeholder perspective","technical":"Technical implementation perspective","user":"End user or customer perspective","operational":"Operations and maintenance perspective","development":"Software development perspective","architectural":"System architecture perspective","functional":"Functional requirements perspective","informational":"Information and data perspective","contextual":"Business context perspective","conceptual":"High-level conceptual perspective","logical":"Logical design perspective","physical":"Physical implementation perspective","security":"Security perspective","compliance":"Regulatory compliance perspective","risk":"Risk management perspective","stakeholder":"General stakeholder perspective","custom":"Custom or other perspective"}},"name":{"type":"string","description":"Name of the perspective"},"description":{"type":"string","description":"Detailed description of the perspective and its focus"},"role":{"type":"string","description":"The role or persona associated with this perspective"},"objectives":{"type":"array","items":{"type":"string"},"description":"Primary objectives or goals from this perspective"},"concerns":{"type":"array","items":{"type":"string"},"description":"Primary concerns from this perspective"},"viewpoint":{"type":"string","description":"The architectural viewpoint this perspective represents"},"scope":{"type":"string","description":"The scope of this perspective"},"properties":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"blueprintMetadata":{"type":"object","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","description":"When the blueprint was created or last 
updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","additionalProperties":false,"properties":{"start":{"type":"string","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the scope"},"description":{"type":"string","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","items":{"type":"string"},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
included"},"excludedComponents":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","required":["bom-ref","type","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","enum":["component","service","dataStore","data","actor","process","infrastructure","device","network","container","function","api","queue","stream","system","subsystem","module","interface","endpoint","resource"],"meta:enum":{"component":"Software component or application","service":"Service or microservice","dataStore":"Database, file system, or data repository","data":"Data asset or dataset","actor":"User, system, or external entity","process":"Business or system process","infrastructure":"Infrastructure component","device":"Physical or IoT device","network":"Network segment or resource","container":"Container or orchestration unit","function":"Serverless function or lambda","api":"API endpoint or interface","queue":"Message queue or event bus","stream":"Data stream or event stream","system":"Complete system or application","subsystem":"Part of a larger system","module":"Software module or package","interface":"System interface or contract","endpoint":"Service endpoint or URL","resource":"Generic resource or artifact"}},"name":{"type":"string","description":"Name of the asset"},"description":{"type":"string","description":"Description of the asset's role and 
purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"attributes":{"type":"array","items":{"type":"string"},"description":"Generic attributes or tags for the asset"},"responsibilities":{"type":"array","items":{"type":"string"},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use cases that involve this asset"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model used"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of 
interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the zone"},"description":{"type":"string","description":"Description of the zone's characteristics"},"type":{"type":"string","enum":["trust","network","physical","logical","deployment","organizational","functional","security"],"meta:enum":{"trust":"Security trust zone","network":"Network segmentation zone","physical":"Physical location or boundary","logical":"Logical grouping or boundary","deployment":"Deployment environment (e.g., dev, staging, prod)","organizational":"Organizational or administrative boundary","functional":"Functional grouping","security":"Security zone or perimeter"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","items":{"type":"string"},"description":"Constraints or limitations of this 
zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the boundary"},"type":{"type":"string","enum":["trust","network","process","data","physical","organizational","functional"],"meta:enum":{"trust":"Trust boundary between different security zones","network":"Network boundary or firewall","process":"Process or execution boundary","data":"Data classification boundary","physical":"Physical security boundary","organizational":"Organizational boundary","functional":"Functional boundary"}},"zones":{"type":"array","minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","additionalProperties":false,"properties":{"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType","description":"Authorization model at this boundary"},"dataValidation":{"type":"boolean","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","description":"Whether data is transformed when crossing this boundary"},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType","description":"Encryption requirements for crossing this boundary"},"logging":{"type":"boolean","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","description":"Whether crossings are 
monitored"},"rateLimit":{"type":"string","description":"Rate limiting policy"},"protocols":{"type":"array","items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or description of the flow"},"description":{"type":"string","description":"Detailed description of what flows and why"},"type":{"type":"string","enum":["data","control","process","message","event","dependency","interaction"],"meta:enum":{"data":"Data or information flow","control":"Control or command flow","process":"Business process flow","message":"Message or communication flow","event":"Event or notification flow","dependency":"Dependency relationship","interaction":"User or system interaction"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","description":"Expected volume or frequency of flow"},"timing":{"type":"string","description":"Timing characteristics (real-time, batch, scheduled)"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Format of data in the 
flow"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"encryption":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","description":"The assumption being made"},"category":{"type":"string","enum":["technical","business","operational","security","compliance","performance","availability"],"description":"Category of the assumption"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this assumption relates to"},"validity":{"type":"string","enum":["unknown","verified","unverified","invalid"],"default":"unknown","description":"Whether the assumption has been validated"},"impact":{"type":"string","description":"Impact if this assumption proves false"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who owns or is responsible for this assumption"},"validationMethod":{"type":"string","description":"How this assumption can be validated"},"validationDate":{"type":"string","format":"date-time","description":"When the assumption was last validated"}}},"visualization":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or title of the visualization"},"description":{"type":"string","description":"Description of what the visualization 
shows"},"type":{"type":"string","enum":["architecture","dataFlow","sequence","state","deployment","network","process","useCase","component","class","entity","activity","collaboration","context","container","code"],"meta:enum":{"architecture":"System architecture diagram","dataFlow":"Data flow diagram (DFD)","sequence":"Sequence or interaction diagram","state":"State machine diagram","deployment":"Deployment or infrastructure diagram","network":"Network topology diagram","process":"Business process diagram","useCase":"Use case diagram","component":"Component diagram","class":"Class or object diagram","entity":"Entity relationship diagram","activity":"Activity or workflow diagram","collaboration":"Collaboration diagram","context":"Context diagram","container":"Container diagram (C4)","code":"Code structure diagram"}},"format":{"type":"string","enum":["mermaid","graphviz","plantuml","drawio","svg","png","jpeg","d3","cytoscape","visio","archimate"],"meta:enum":{"mermaid":"Mermaid diagram language","graphviz":"GraphViz DOT language","plantuml":"PlantUML diagram language","drawio":"Draw.io/diagrams.net format","svg":"Scalable Vector Graphics","png":"Portable Network Graphics","jpeg":"JPEG image format","d3":"D3.js visualization","cytoscape":"Cytoscape graph format","visio":"Microsoft Visio format","archimate":"ArchiMate model format"}},"content":{"type":"string","description":"The diagram content (source code or base64 encoded image)"},"url":{"type":"string","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","enum":["overview","high","medium","detailed"],"description":"Level of detail in the visualization"},"perspective":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the perspective this visualization represents"},"elements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this 
visualization"},"interactive":{"type":"boolean","description":"Whether the visualization is interactive"},"layers":{"type":"array","items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataClassification":{"type":"object","additionalProperties":false,"properties":{"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Specific types of data"},"handling":{"type":"string","description":"Data handling requirements"},"retention":{"type":"string","description":"Data retention requirements"},"disposal":{"type":"string","description":"Data disposal requirements"},"regulations":{"type":"array","items":{"type":"string"},"description":"Applicable regulations"}}},"ownership":{"type":"object","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward 
responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary users of the asset"}}},"authenticationType":{"type":"string","enum":["none","basic","bearer","digest","certificate","apiKey","oauth1","oauth2","openIdConnect","saml","kerberos","ntlm","jwt","custom"],"description":"Authentication method","meta:enum":{"none":"No authentication required","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","digest":"Digest authentication","certificate":"Certificate-based authentication","apiKey":"API key authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","openIdConnect":"OpenID Connect authentication","saml":"SAML authentication","kerberos":"Kerberos authentication","ntlm":"NTLM authentication","jwt":"JSON Web Token authentication","custom":"Custom authentication method"}},"authorizationType":{"type":"string","enum":["none","acl","rbac","abac","mac","dac","pbac","cbac","custom"],"description":"Authorization model","meta:enum":{"none":"No authorization controls","acl":"Access Control Lists","rbac":"Role-Based Access Control","abac":"Attribute-Based Access Control","mac":"Mandatory Access Control","dac":"Discretionary Access Control","pbac":"Policy-Based Access Control","cbac":"Claims-Based Access Control","custom":"Custom authorization model"}},"encryptionType":{"type":"object","additionalProperties":false,"properties":{"inTransit":{"type":"boolean","description":"Whether data is encrypted in transit"},"atRest":{"type":"boolean","description":"Whether data is encrypted at rest"},"inProcessing":{"type":"boolean","description":"Whether data is encrypted during processing"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation 
Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be 
present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number assigned to the certificate by the issuing CA. Serial numbers are unique only within a given issuer, so the issuer name is needed to identify a certificate unambiguously."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time, in ISO 8601 format, from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time, in ISO 8601 format, after which the certificate is no longer valid."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding its signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material. Confidential material such as private keys, secret keys, shared secrets, passwords, and tokens should not be embedded here, because a BOM is typically shared beyond the parties entitled to that material; record a fingerprint or a reference to secured storage instead."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing an IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic asset related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The type or role of the related cryptographic asset with respect to this component.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","enum":["public","internal","confidential","restricted","secret"],"description":"Data sensitivity classification","meta:enum":{"public":"Public information that can be freely shared","internal":"Internal use only within the organization","confidential":"Confidential information requiring protection","restricted":"Highly restricted information with limited access","secret":"Secret information requiring special handling"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The 
organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to evidence that contradicts or weakens this claim, recorded so that an assessor can weigh it against the supporting evidence rather than relying on the claim alone.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence.","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\nNote: this could be an affirmation of acceptance by a third-party auditor, or by the individual receiving the document.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert the validity of this document. Each signatory is identified either by an enveloped `signature` or by an `externalReference` together with its `organization`; a consumer should verify the signature before treating the affirmation as authoritative, and a signatory given only by external reference cannot be verified from this document alone.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of environment variables. Values that carry secrets, such as credentials or tokens, should be redacted or omitted before being recorded here, because a BOM may be distributed beyond the environment that 
produced it.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and 
evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities 
are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Security threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk 
scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"category":{"type":"string","description":"Category or classification of the scenario"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["veryLow","low","medium","high","veryHigh","certain"],"description":"Likelihood level","meta:enum":{"veryLow":"Very unlikely to occur (< 10%)","low":"Unlikely to occur (10-30%)","medium":"Possible to occur (30-60%)","high":"Likely to occur (60-90%)","veryHigh":"Very likely to occur (> 90%)","certain":"Will certainly occur (100%)"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"rationale":{"type":"string","description":"Justification for the likelihood 
rating"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","high","severe","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","high":"Significant impact with serious consequences","severe":"Severe impact with critical consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score on a 0-10 scale"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss, expressed in the currency identified by the `currency` field"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code for the `financialLoss` value"},"affectedUsers":{"type":"integer","description":"Number of affected 
users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":0,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology used"}}},"mitigation":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the mitigation"},"description":{"type":"string","description":"Description of what the mitigation does"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Protective measure","practice":"Risk management practice","procedure":"Documented 
procedure"}},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this mitigation addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this mitigation"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":100,"description":"Effectiveness as percentage"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces 
risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"findings":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/finding"},"description":"Specific findings from the assessment"},"overallRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore","description":"Overall risk score/level"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"finding":{"type":"object","required":["title","severity"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"title":{"type":"string","description":"Title of the finding"},"description":{"type":"string","description":"Detailed description of the finding"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"relatedScenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Scenarios related to this finding"},"relatedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this 
finding"},"remediation":{"type":"string","description":"Recommended remediation"},"status":{"type":"string","enum":["open","inProgress","resolved","accepted"],"meta:enum":{"open":"Finding is open and unaddressed","inProgress":"Remediation is in progress","resolved":"Finding has been resolved","accepted":"Risk has been accepted"}}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:', to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service, or a domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating whether the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating whether use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data handled by the service, including the directional flow of the data and its classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Service Data","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 channel","actions-on-objectives":"Achieving attack 
goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"capability":{"type":"string","enum":["minimal","limited","moderate","significant","advanced"],"description":"Overall capability level"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack 
pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"severity":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/severity"},"likelihood":{"type":"string","enum":["low","medium","high"],"description":"Likelihood of this pattern being used"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the 
weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to 
exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure 
used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy 
description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at 
boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","properties":{"bom-ref":{"type":"string","title":"BOM Reference","description":"An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name or title of the use case."},"description":{"type":"string","title":"Description","description":"A detailed description of the use case."},"actors":{"type":"array","title":"Actors","description":"The stakeholders or users who interact with the system in this use case.","items":{"type":"string"}},"preconditions":{"type":"array","title":"Preconditions","description":"Conditions that must be true before the use case can be executed.","items":{"type":"string"}},"postconditions":{"type":"array","title":"Postconditions","description":"Conditions that will be true after the use case has been successfully executed.","items":{"type":"string"}},"mainFlow":{"type":"array","title":"Main Flow","description":"The primary sequence of steps that describe the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}},"alternativeFlows":{"type":"array","title":"Alternative Flows","description":"Alternative sequences of steps that may occur in the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"}},"exceptions":{"type":"array","title":"Exceptions","description":"Error scenarios that may occur during the execution of the use case.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"}},"successCriteria":{"type":"array","title":"Success Criteria","description":"Criteria that determine whether the use case has been successfully executed.","items":{"type":"string"}},"notes":{"type":"array","title":"Notes","description":"Additional information or comments about the use case.","items":{"type":"string"}},"properties":{"type":"array","title":"Properties","description":"Provides the 
ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/property"}}},"$defs":{"step":{"type":"object","title":"Step","description":"A single step in a use case flow.","additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","description":"The sequence number of the step."},"description":{"type":"string","title":"Description","description":"A description of the step."},"actor":{"type":"string","title":"Actor","description":"The actor who performs this step."}}},"flow":{"type":"object","title":"Flow","description":"A sequence of steps in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the flow."},"description":{"type":"string","title":"Description","description":"A description of the flow."},"condition":{"type":"string","title":"Condition","description":"The condition under which this alternative flow is executed."},"steps":{"type":"array","title":"Steps","description":"The sequence of steps in the flow.","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"}}}},"exception":{"type":"object","title":"Exception","description":"An error scenario in a use case.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the exception."},"description":{"type":"string","title":"Description","description":"A description of the exception."},"condition":{"type":"string","title":"Condition","description":"The condition under which this exception occurs."},"handling":{"type":"string","title":"Handling","description":"How the exception is handled."}}},"property":{"type":"object","title":"Property","description":"A name-value property.","additionalProperties":false,"required":["name","value"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the 
property."},"value":{"type":"string","title":"Value","description":"The value of the property."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. 
This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning 
techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the 
model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","properties":{"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"}},"$defs":{"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component 
termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. 
Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent 
process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. 
Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]},"behavior":{"type":"string","title":"Behavior","description":"Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.","enum":["ai","ai:agent","ai:agent:actsOnBehalfOfUser","ai:agent:coordinatesAgents","ai:agent:delegatesTask","ai:agent:executesAction","ai:agent:invokesTool","ai:agent:observesResult","ai:agent:plansAction","ai:agent:receivesHumanDelegation","ai:agent:reflectsOnResult","ai:agent:reportsDelegatedAction","ai:agent:requestsUserApproval","ai:agent:returnsDelegation","ai:agent:revisesPlan","ai:explainability","ai:explainability:attributesFeatures","ai:explainability:documentsModel","ai:explainability:explainsDecision","ai:explainability:tracesPrediction","ai:explainability:visualizesModel","ai:fairness","ai:fairness:auditsModelFairness","ai:fairness:calculatesFairnessMetric","ai:fairness:detectsBias","ai:fairness:handlesProtectedAttribute","ai:fairness:mitigatesBias","ai:generative","ai:generative:citesSource","ai:generative:filtersOutput","ai:generative:generatesAudio","ai:generative:generatesCode","ai:generative:generatesEmbedding","ai:generative:generatesImage","ai:generative:generatesText","ai:generative:mitigatesHallucination","ai:generative:processesPrompt","ai:generative:streamsResponse","ai:inference","ai:inference:appliesThreshold","ai:inference:batchesInference","ai:inference:cachesPrediction","ai:
inference:ensemblesModels","ai:inference:generatesPrediction","ai:inference:infersInRealTime","ai:inference:ranksResults","ai:inference:scoresConfidence","ai:management","ai:management:comparesModels","ai:management:deploysModel","ai:management:loadsModel","ai:management:monitorsModel","ai:management:retiresModel","ai:management:rollsBackModel","ai:management:unloadsModel","ai:management:versionsModel","ai:quality","ai:quality:detectsConceptDrift","ai:quality:detectsDataDrift","ai:quality:detectsOutlier","ai:quality:engineersFeatures","ai:quality:selectsFeatures","ai:quality:validatesInputData","ai:robustness","ai:robustness:defendsAgainstAdversarial","ai:robustness:detectsAdversarialInput","ai:robustness:detectsOutOfDistribution","ai:robustness:estimatesUncertainty","ai:robustness:validatesRobustness","ai:training","ai:training:appliesTransferLearning","ai:training:checkpointsModel","ai:training:fineTunesModel","ai:training:ingestsTrainingData","ai:training:preprocessesTrainingData","ai:training:trainsFederatedly","ai:training:trainsModel","ai:training:tunesHyperparameters","ai:training:validatesModel","ai:training:validatesTrainingData","application","application:codeExecution","application:codeExecution:compilesCode","application:codeExecution:evaluatesExpression","application:codeExecution:executesNativeCommand","application:codeExecution:executesScript","application:codeExecution:interpretsCode","application:codeExecution:invokesViaReflection","application:codeExecution:loadsCodeDynamically","application:configuration","application:configuration:detectsEnvironment","application:configuration:evaluatesFeatureFlag","application:configuration:loadsConfiguration","application:configuration:reloadsConfiguration","application:controlFlow","application:controlFlow:awaitsAsyncResult","application:controlFlow:catchesException","application:controlFlow:emitsEvent","application:controlFlow:handlesEvent","application:controlFlow:invokesCallback","application:controlFlow:in
vokesHandler","application:controlFlow:invokesMiddleware","application:controlFlow:schedulesAsyncOperation","application:controlFlow:throwsException","application:dependencyManagement","application:dependencyManagement:closesCircuitBreaker","application:dependencyManagement:fallsBack","application:dependencyManagement:injectsDependency","application:dependencyManagement:opensCircuitBreaker","application:dependencyManagement:resolvesDependency","application:externalIntegration","application:externalIntegration:callsExternalService","application:externalIntegration:consumesEvent","application:externalIntegration:publishesEvent","application:externalIntegration:receivesWebhook","application:observability","application:observability:emitsTelemetry","application:observability:logsOperation","application:observability:recordsMetric","application:observability:reportsHealth","application:observability:tracesRequest","application:requestHandling","application:requestHandling:authenticatesRequest","application:requestHandling:authorizesRequest","application:requestHandling:bindsParameters","application:requestHandling:parsesRequest","application:requestHandling:receivesHttpRequest","application:requestHandling:rejectsRequest","application:requestHandling:routesRequest","application:requestHandling:validatesRequest","application:responseGeneration","application:responseGeneration:generatesResponse","application:responseGeneration:readsCookie","application:responseGeneration:redirectsRequest","application:responseGeneration:returnsError","application:responseGeneration:returnsSuccess","application:responseGeneration:sendsHttpResponse","application:responseGeneration:setsCookie","application:responseGeneration:setsHeader","application:stateManagement","application:stateManagement:acquiresLock","application:stateManagement:beginsTransaction","application:stateManagement:commitsTransaction","application:stateManagement:createsSessionState","application:stateManagement:destroysSes
sionState","application:stateManagement:readsSessionState","application:stateManagement:releasesLock","application:stateManagement:rollsBackTransaction","application:stateManagement:synchronizesState","application:stateManagement:updatesSessionState","data","data:encoding","data:encoding:appliesXor","data:encoding:decodesBaseSixtyFour","data:encoding:decodesUrl","data:encoding:encodesBaseSixtyFour","data:encoding:encodesUrl","data:ingestion","data:ingestion:pollsSource","data:ingestion:readsFile","data:ingestion:readsStream","data:ingestion:receivesInput","data:ingestion:receivesMessage","data:ingestion:receivesRequest","data:ingestion:subscribesToFeed","data:output","data:output:formatsResponse","data:output:producesOutput","data:output:publishesMessage","data:output:rendersTemplate","data:output:sendsResponse","data:output:serializesObject","data:output:streamsOutput","data:output:writesFile","data:parsing","data:parsing:decodesData","data:parsing:deserializesObject","data:parsing:extractsFields","data:parsing:parsesData","data:parsing:parsesHtml","data:parsing:parsesJson","data:parsing:parsesXml","data:query","data:query:executesLdapQuery","data:query:executesNoSqlQuery","data:query:executesSearch","data:query:executesSql","data:query:executesXPath","data:query:queriesData","data:storage","data:storage:cachesData","data:storage:deletesData","data:storage:flushesCache","data:storage:invalidatesCache","data:storage:retrievesData","data:storage:storesData","data:storage:updatesData","data:transformation","data:transformation:aggregatesData","data:transformation:compressesData","data:transformation:decompressesData","data:transformation:encodesData","data:transformation:enrichesData","data:transformation:filtersData","data:transformation:joinsData","data:transformation:mapsData","data:transformation:normalizesData","data:transformation:sortsData","data:transformation:transformsData","evasion","evasion:analysisResistance","evasion:analysisResistance:detectsAnalysisToo
l","evasion:analysisResistance:detectsDebugger","evasion:analysisResistance:detectsEmulator","evasion:analysisResistance:detectsSandbox","evasion:analysisResistance:detectsVirtualMachine","evasion:analysisResistance:evadesDebugger","evasion:analysisResistance:evadesEmulator","evasion:analysisResistance:evadesSandbox","evasion:analysisResistance:evadesVirtualMachine","evasion:analysisResistance:usesTimingEvasion","evasion:antiSecurity","evasion:antiSecurity:detectsAntivirus","evasion:antiSecurity:disablesSecuritySoftware","evasion:antiSecurity:evadesAntivirus","evasion:antiSecurity:terminatesSecurityProcess","evasion:indirection","evasion:indirection:resolvesApiDynamically","evasion:indirection:usesIndirectCalls","evasion:indirection:usesProxyExecution","evasion:obfuscation","evasion:obfuscation:obfuscatesCode","evasion:obfuscation:obfuscatesControlFlow","evasion:obfuscation:obfuscatesData","evasion:obfuscation:obfuscatesStrings","evasion:obfuscation:packsCode","evasion:obfuscation:unpacksAtRuntime","file","file:directory","file:directory:changesDirectory","file:directory:createsDirectory","file:directory:deletesDirectory","file:directory:listsDirectory","file:directory:traversesDirectory","file:disk","file:disk:decryptsVolume","file:disk:encryptsVolume","file:disk:formatsVolume","file:disk:mountsVolume","file:disk:unmountsVolume","file:disk:wipesDisk","file:operations","file:operations:appendsToFile","file:operations:checksFileExistence","file:operations:closesFile","file:operations:copiesFile","file:operations:createsFile","file:operations:deletesFile","file:operations:getsFileAttributes","file:operations:movesFile","file:operations:opensFile","file:operations:readsFile","file:operations:renamesFile","file:operations:setsFileAttributes","file:operations:setsFilePermissions","file:operations:writesFile","gui","gui:display","gui:display:displaysData","gui:display:monitorsDisplay","gui:display:updatesDisplay","gui:session","gui:session:displaysLogin","gui:session:inte
ractsWithSession","gui:session:switchesSession","gui:window","gui:window:capturesWindow","gui:window:createsWindow","gui:window:destroysWindow","gui:window:enumeratesWindows","gui:window:interactsWithTaskbar","gui:window:modifiesWindow","hardware","hardware:actuator","hardware:actuator:calibratesActuator","hardware:actuator:controlsBattery","hardware:actuator:controlsHeating","hardware:actuator:controlsLed","hardware:actuator:controlsMotor","hardware:actuator:controlsPower","hardware:actuator:controlsPump","hardware:actuator:controlsTemperature","hardware:boot","hardware:boot:entersRecoveryMode","hardware:boot:executesSecureBoot","hardware:boot:locksBootConfiguration","hardware:boot:modifiesBootConfiguration","hardware:boot:readsBootConfiguration","hardware:boot:recordsBootMeasurement","hardware:boot:verifiesBootLoader","hardware:firmware","hardware:firmware:monitorsFirmwareIntegrity","hardware:firmware:preventsFirmwareRollback","hardware:firmware:readsFirmwareVersion","hardware:firmware:updatesFirmware","hardware:firmware:verifiesFirmwareSignature","hardware:memory","hardware:memory:encryptsMemory","hardware:memory:isolatesMemory","hardware:memory:protectsStack","hardware:memory:randomizesAddressSpace","hardware:memory:readsProtectedMemory","hardware:memory:writesProtectedMemory","hardware:peripheral","hardware:peripheral:accessesCamera","hardware:peripheral:accessesDisplay","hardware:peripheral:accessesGpio","hardware:peripheral:accessesJtag","hardware:peripheral:accessesKeyboard","hardware:peripheral:accessesStorageDevice","hardware:peripheral:accessesUsbDevice","hardware:peripheral:configuresDma","hardware:peripheral:protectsDma","hardware:physicalSecurity","hardware:physicalSecurity:detectsPhysicalTamper","hardware:physicalSecurity:disablesDebugInterface","hardware:physicalSecurity:enablesDebugInterface","hardware:physicalSecurity:monitorsEnclosure","hardware:physicalSecurity:respondsToTamper","hardware:physicalSecurity:zeroizesKeys","hardware:security","hardwa
re:security:anchorsInHardwareRoot","hardware:security:executesInTee","hardware:security:generatesPufResponse","hardware:security:usesHsm","hardware:security:usesSecureElement","hardware:sensor","hardware:sensor:calibratesSensor","hardware:sensor:readsBatteryStatus","hardware:sensor:readsBloodOxygen","hardware:sensor:readsBloodPressure","hardware:sensor:readsCoTwoLevel","hardware:sensor:readsEcg","hardware:sensor:readsPowerStatus","hardware:sensor:readsTemperature","hardware:sideChannelDefense","hardware:sideChannelDefense:controlsEmEmissions","hardware:sideChannelDefense:resistsFaultInjection","hardware:sideChannelDefense:resistsPowerAnalysis","hardware:sideChannelDefense:resistsTimingAnalysis","network","network:connection","network:connection:acceptsConnection","network:connection:detectsConnectionLoss","network:connection:establishesConnection","network:connection:reconnects","network:connection:reusesConnection","network:connection:sendsHeartbeat","network:connection:terminatesConnection","network:discovery","network:discovery:advertisesService","network:discovery:discoversService","network:discovery:enumeratesInterfaces","network:discovery:probesPort","network:discovery:queriesDns","network:discovery:resolvesName","network:discovery:scansNetwork","network:protocol","network:protocol:downgradesProtocol","network:protocol:framesMessage","network:protocol:negotiatesProtocol","network:protocol:parsesMessage","network:protocol:retransmitsMessage","network:protocol:upgradesProtocol","network:protocol:validatesMessage","network:remoteInteraction","network:remoteInteraction:accessesRemoteDesktop","network:remoteInteraction:accessesRemoteShell","network:remoteInteraction:executesRemoteCommand","network:remoteInteraction:invokesRemoteProcedure","network:remoteInteraction:sendsEmail","network:remoteInteraction:sendsSms","network:remoteInteraction:transfersFile","network:routing","network:routing:configuresProxy","network:routing:forwardsPacket","network:routing:redirectsT
raffic","network:routing:routesTraffic","network:routing:tunnelsTraffic","network:trafficControl","network:trafficControl:balancesLoad","network:trafficControl:filtersTraffic","network:trafficControl:inspectsTraffic","network:trafficControl:interceptsTraffic","network:trafficControl:limitsRate","network:trafficControl:modifiesTraffic","network:trafficControl:shapesTraffic","network:transmission","network:transmission:broadcastsData","network:transmission:multicastsData","network:transmission:receivesData","network:transmission:sendsData","network:transmission:streamsData","privacy","privacy:collection","privacy:collection:capturesAudio","privacy:collection:capturesKeystrokes","privacy:collection:capturesScreen","privacy:collection:capturesVideo","privacy:collection:collectsBehavioralData","privacy:collection:collectsBiometricData","privacy:collection:collectsCommunicationContent","privacy:collection:collectsDeviceInformation","privacy:collection:collectsFinancialData","privacy:collection:collectsHealthData","privacy:collection:collectsInBackground","privacy:collection:collectsLocationData","privacy:collection:collectsPersonalData","privacy:collection:collectsSilently","privacy:collection:readsBrowserHistory","privacy:collection:readsClipboard","privacy:deletion","privacy:deletion:clearsCache","privacy:deletion:deletesPersonalData","privacy:deletion:erasesSecurely","privacy:deletion:purgesFromBackup","privacy:deletion:redactsData","privacy:inference","privacy:inference:correlatesData","privacy:inference:createsProfile","privacy:inference:fingerprintsDevice","privacy:inference:infersPersonalInformation","privacy:inference:linksIdentities","privacy:inference:tracksUser","privacy:minimization","privacy:minimization:aggregatesData","privacy:minimization:anonymizesData","privacy:minimization:filtersData","privacy:minimization:generalizesData","privacy:minimization:limitsCollection","privacy:minimization:limitsProcessing","privacy:minimization:pseudonymizesData","privacy:p
rivacyEnhancement","privacy:privacyEnhancement:addsDifferentialPrivacy","privacy:privacyEnhancement:computesMultiparty","privacy:privacyEnhancement:processesHomomorphically","privacy:privacyEnhancement:processesLocally","privacy:retention","privacy:retention:archivesData","privacy:retention:backsUpData","privacy:retention:enforcesRetentionPeriod","privacy:retention:retainsBeyondPurpose","privacy:retention:retainsInCache","privacy:retention:retainsInLog","privacy:retention:storesPersonalData","privacy:sharing","privacy:sharing:disclosesToThirdParty","privacy:sharing:exportsData","privacy:sharing:publishesData","privacy:sharing:sellsData","privacy:sharing:sharesWithAffiliate","privacy:sharing:transfersCrossBorder","privacy:subjectRights","privacy:subjectRights:correctsData","privacy:subjectRights:exportsDataPortably","privacy:subjectRights:honorsErasureRequest","privacy:subjectRights:honorsObjection","privacy:subjectRights:providesDataAccess","privacy:subjectRights:restrictsProcessing","privacy:transparency","privacy:transparency:disclosesProcessing","privacy:transparency:displaysPrivacyNotice","privacy:transparency:explainsAutomatedDecision","privacy:transparency:recordsConsent","privacy:transparency:requestsConsent","privacy:transparency:withdrawsConsent","safety","safety:autonomousBehavior","safety:autonomousBehavior:acceptsOverride","safety:autonomousBehavior:enforcesHumanInLoop","safety:autonomousBehavior:explainsDecision","safety:autonomousBehavior:requestsGuidance","safety:autonomousBehavior:respectsDecisionBoundary","safety:contentSafety","safety:contentSafety:detectsHarmfulContent","safety:contentSafety:detectsMisinformation","safety:contentSafety:enforcesAgeRestriction","safety:contentSafety:filtersContent","safety:contentSafety:labelsContent","safety:harmPrevention","safety:harmPrevention:preventsEnvironmentalHarm","safety:harmPrevention:preventsPropertyDamage","safety:harmPrevention:preventsUserHarm","safety:harmPrevention:protectsBystanders","safety:hazar
dManagement","safety:hazardManagement:assessesRisk","safety:hazardManagement:identifiesHazard","safety:hazardManagement:mitigatesHazard","safety:hazardManagement:reportsHazard","safety:humanInteraction","safety:humanInteraction:adaptsForAccessibility","safety:humanInteraction:managesCognitiveLoad","safety:humanInteraction:requestsConfirmation","safety:humanInteraction:warnsOperator","safety:operationalSafety","safety:operationalSafety:acceptsManualOverride","safety:operationalSafety:enforcesInterlock","safety:operationalSafety:enforcesOperatingLimits","safety:operationalSafety:executesEmergencyStop","safety:operationalSafety:monitorsWatchdog","safety:operationalSafety:validatesSafetyCondition","security","security:auditing","security:auditing:logsEvent","security:auditing:logsSecurityEvent","security:auditing:protectsAuditLog","security:auditing:purgesLog","security:auditing:rotatesLog","security:auditing:signsLogEntry","security:auditing:timestampsEvent","security:auditing:transmitsLog","security:authentication","security:authentication:authenticatesDevice","security:authentication:authenticatesService","security:authentication:authenticatesUser","security:authentication:bypassesAuthentication","security:authentication:capturesBiometric","security:authentication:delegatesAuthentication","security:authentication:failsAuthentication","security:authentication:locksAccount","security:authentication:performsMultiFactorAuthentication","security:authentication:promptsForCredentials","security:authentication:unlocksAccount","security:authentication:validatesBiometric","security:authentication:validatesCredentials","security:authorization","security:authorization:checksPermission","security:authorization:delegatesAuthority","security:authorization:deniesAccess","security:authorization:enforcesRole","security:authorization:escalatesPrivilege","security:authorization:evaluatesAttributes","security:authorization:evaluatesPolicy","security:authorization:grantsAccess","security:
authorization:grantsImpersonation","security:authorization:impersonatesUser","security:authorization:requestsImpersonation","security:authorization:revokesAccess","security:authorization:revokesImpersonation","security:cryptography","security:cryptography:authenticates","security:cryptography:checksRevocation","security:cryptography:decryptsData","security:cryptography:decryptsDataAtRest","security:cryptography:decryptsDataInTransit","security:cryptography:decryptsDisk","security:cryptography:decryptsSecret","security:cryptography:destroysKey","security:cryptography:encryptsData","security:cryptography:encryptsDataAtRest","security:cryptography:encryptsDataInTransit","security:cryptography:encryptsDisk","security:cryptography:encryptsSecret","security:cryptography:ensuresAccountability","security:cryptography:ensuresConfidentiality","security:cryptography:ensuresIntegrity","security:cryptography:ensuresNonRepudiation","security:cryptography:exchangesKey","security:cryptography:generatesKey","security:cryptography:generatesRandomValue","security:cryptography:hashesData","security:cryptography:hashesPassword","security:cryptography:identifies","security:cryptography:issuesCertificate","security:cryptography:preservesPrivacy","security:cryptography:presentsClientCertificate","security:cryptography:presentsServerCertificate","security:cryptography:retrievesKey","security:cryptography:revokesCertificate","security:cryptography:rotatesKey","security:cryptography:signsCode","security:cryptography:signsData","security:cryptography:signsDocument","security:cryptography:storesKey","security:cryptography:usesIdentity","security:cryptography:validatesCertificate","security:cryptography:validatesToken","security:cryptography:verifiesCodeSignature","security:cryptography:verifiesDataSignature","security:cryptography:verifiesDocumentSignature","security:cryptography:verifiesHash","security:cryptography:verifiesSignature","security:cryptography:wrapsKey","security:errorHandling","s
ecurity:errorHandling:catchesException","security:errorHandling:disclosesErrorDetails","security:errorHandling:failsClosed","security:errorHandling:failsOpen","security:errorHandling:generatesError","security:errorHandling:logsError","security:errorHandling:propagatesError","security:errorHandling:returnsGenericError","security:errorHandling:suppressesError","security:inputHandling","security:inputHandling:escapesInput","security:inputHandling:normalizesInput","security:inputHandling:rejectsInvalidInput","security:inputHandling:sanitizesInput","security:inputHandling:truncatesInput","security:inputHandling:validatesFormat","security:inputHandling:validatesRange","security:inputHandling:validatesSchema","security:integrity","security:integrity:attestsIntegrity","security:integrity:detectsTampering","security:integrity:respondsToTampering","security:integrity:validatesComponent","security:integrity:verifiesIntegrity","security:integrity:verifiesProvenance","security:outputHandling","security:outputHandling:encodesOutput","security:outputHandling:enforcesContentPolicy","security:outputHandling:escapesOutput","security:outputHandling:filtersOutput","security:outputHandling:masksOutput","security:outputHandling:setsSecurityHeader","security:session","security:session:createsSession","security:session:detectsSessionHijacking","security:session:invalidatesSession","security:session:refreshesSession","security:session:regeneratesSessionId","security:session:terminatesSession","security:session:validatesSession","security:threatResponse","security:threatResponse:blocksRequest","security:threatResponse:blocksSource","security:threatResponse:collectsForensicData","security:threatResponse:detectsAnomaly","security:threatResponse:detectsIntrusion","security:threatResponse:initiatesIncidentResponse","security:threatResponse:quarantinesElement","security:threatResponse:raisesAlert","system","system:configuration","system:configuration:deletesRegistryKey","system:configuration:modi
fiesGroupPolicy","system:configuration:readsConfigurationFile","system:configuration:readsEnvironmentVariable","system:configuration:readsGroupPolicy","system:configuration:readsRegistry","system:configuration:setsEnvironmentVariable","system:configuration:writesConfigurationFile","system:configuration:writesRegistry","system:informationGathering","system:informationGathering:detectsOsVersion","system:informationGathering:gathersSystemInformation","system:informationGathering:queriesHardwareInformation","system:informationGathering:retrievesHostname","system:kernelInteraction","system:kernelInteraction:hooksKernelFunction","system:kernelInteraction:installsDriver","system:kernelInteraction:readsKernelMemory","system:kernelInteraction:writesKernelMemory","system:lifecycle","system:lifecycle:appliesUpdate","system:lifecycle:decommissions","system:lifecycle:initializes","system:lifecycle:performsSelfTest","system:lifecycle:provisions","system:lifecycle:rollsBack","system:lifecycle:shutsDown","system:operationalState","system:operationalState:entersFailSafeState","system:operationalState:entersFailSecureState","system:operationalState:operatesInDegradedMode","system:operationalState:operatesNormally","system:operationalState:performsEmergencyShutdown","system:persistence","system:persistence:createsScheduledTask","system:persistence:installsAsService","system:persistence:loadsAsKernelModule","system:persistence:registersForStartup","system:persistence:removesPersistence","system:processControl","system:processControl:createsProcess","system:processControl:dumpsProcessMemory","system:processControl:enumeratesProcesses","system:processControl:hooksFunction","system:processControl:injectsCodeIntoProcess","system:processControl:modifiesProcess","system:processControl:resumesProcess","system:processControl:suspendsProcess","system:processControl:terminatesProcess","system:resilience","system:resilience:activatesRedundancy","system:resilience:degradesGracefully","system:resil
ience:detectsFault","system:resilience:recoversFromFailure","system:resilience:toleratesFault","system:resourceManagement","system:resourceManagement:allocatesMemory","system:resourceManagement:deallocatesMemory","system:resourceManagement:handlesResourceExhaustion","system:resourceManagement:managesPowerState","system:resourceManagement:readsFromStorage","system:resourceManagement:resumesThread","system:resourceManagement:spawnsThread","system:resourceManagement:suspendsThread","system:resourceManagement:terminatesThread","system:resourceManagement:writesToStorage","system:serviceControl","system:serviceControl:createsService","system:serviceControl:deletesService","system:serviceControl:enumeratesServices","system:serviceControl:modifiesService","system:serviceControl:startsService","system:serviceControl:stopsService","system:synchronization","system:synchronization:acquiresMutex","system:synchronization:releasesMutex","system:synchronization:signalsEvent","system:synchronization:signalsSemaphore","system:synchronization:waitsOnEvent","system:synchronization:waitsOnSemaphore","system:timing","system:timing:delaysExecution","system:timing:enforcesDeadline","system:timing:executesScheduledTask","system:timing:resetsWatchdog","system:timing:synchronizesClock","system:timing:triggersTimeout","system:timing:waits","system:userManagement","system:userManagement:createsUserAccount","system:userManagement:deletesUserAccount","system:userManagement:elevatesPrivileges","system:userManagement:enumeratesUsers","system:userManagement:impersonatesUser","system:userManagement:modifiesUserAccount"],"meta:enum":{"ai":"Behaviours relating to artificial intelligence and machine learning operations.","ai:agent":"Behaviours that enable autonomous agents to plan and execute tasks.","ai:agent:actsOnBehalfOfUser":"The entity performs actions within a delegated user context.","ai:agent:coordinatesAgents":"The entity orchestrates multiple agents.","ai:agent:delegatesTask":"The entity 
assigns work to another agent.","ai:agent:executesAction":"The entity performs planned step.","ai:agent:invokesTool":"The entity calls external capability.","ai:agent:observesResult":"The entity captures action outcome.","ai:agent:plansAction":"The entity determines steps to achieve goal.","ai:agent:receivesHumanDelegation":"The entity accepts authority delegated by a human user.","ai:agent:reflectsOnResult":"The entity evaluates action effectiveness.","ai:agent:reportsDelegatedAction":"The entity notifies the delegating user of actions taken.","ai:agent:requestsUserApproval":"The entity seeks explicit user authorisation before acting.","ai:agent:returnsDelegation":"The entity relinquishes delegated authority.","ai:agent:revisesPlan":"The entity modifies approach based on results.","ai:explainability":"Behaviours that provide interpretable explanations for model decisions.","ai:explainability:attributesFeatures":"The entity identifies influential inputs.","ai:explainability:documentsModel":"The entity records model design and behaviour.","ai:explainability:explainsDecision":"The entity provides human-readable rationale.","ai:explainability:tracesPrediction":"The entity records basis for output.","ai:explainability:visualizesModel":"The entity renders model behaviour graphically.","ai:fairness":"Behaviours that detect and mitigate bias in machine learning models.","ai:fairness:auditsModelFairness":"The entity evaluates model for bias.","ai:fairness:calculatesFairnessMetric":"The entity measures outcome equality.","ai:fairness:detectsBias":"The entity identifies unfair model behaviour.","ai:fairness:handlesProtectedAttribute":"The entity manages sensitive attributes.","ai:fairness:mitigatesBias":"The entity reduces unfair treatment.","ai:generative":"Behaviours that produce content using generative models.","ai:generative:citesSource":"The entity attributes generated content.","ai:generative:filtersOutput":"The entity screens generated 
content.","ai:generative:generatesAudio":"The entity produces sound content.","ai:generative:generatesCode":"The entity produces executable code.","ai:generative:generatesEmbedding":"The entity produces vector representation.","ai:generative:generatesImage":"The entity produces visual content.","ai:generative:generatesText":"The entity produces natural language.","ai:generative:mitigatesHallucination":"The entity reduces false content generation.","ai:generative:processesPrompt":"The entity interprets user instruction.","ai:generative:streamsResponse":"The entity delivers output incrementally.","ai:inference":"Behaviours that generate predictions using trained models.","ai:inference:appliesThreshold":"The entity uses decision boundary.","ai:inference:batchesInference":"The entity processes multiple inputs together.","ai:inference:cachesPrediction":"The entity stores prediction for reuse.","ai:inference:ensemblesModels":"The entity combines multiple model outputs.","ai:inference:generatesPrediction":"The entity produces model output.","ai:inference:infersInRealTime":"The entity generates prediction with low latency.","ai:inference:ranksResults":"The entity orders predictions by relevance.","ai:inference:scoresConfidence":"The entity assigns certainty to prediction.","ai:management":"Behaviours that deploy and manage machine learning models throughout their lifecycle.","ai:management:comparesModels":"The entity evaluates relative model performance.","ai:management:deploysModel":"The entity places model into service.","ai:management:loadsModel":"The entity retrieves model for use.","ai:management:monitorsModel":"The entity observes model performance.","ai:management:retiresModel":"The entity removes model from service.","ai:management:rollsBackModel":"The entity reverts to previous version.","ai:management:unloadsModel":"The entity removes model from memory.","ai:management:versionsModel":"The entity tracks model versions.","ai:quality":"Behaviours that monitor and 
maintain model and data quality.","ai:quality:detectsConceptDrift":"The entity identifies input-output relationship change.","ai:quality:detectsDataDrift":"The entity identifies input distribution change.","ai:quality:detectsOutlier":"The entity identifies anomalous input.","ai:quality:engineersFeatures":"The entity transforms raw data for model.","ai:quality:selectsFeatures":"The entity chooses relevant input features.","ai:quality:validatesInputData":"The entity checks inference input quality.","ai:robustness":"Behaviours that defend against adversarial attacks and handle uncertain inputs.","ai:robustness:defendsAgainstAdversarial":"The entity resists adversarial manipulation.","ai:robustness:detectsAdversarialInput":"The entity identifies crafted malicious input.","ai:robustness:detectsOutOfDistribution":"The entity identifies unfamiliar input.","ai:robustness:estimatesUncertainty":"The entity quantifies prediction confidence.","ai:robustness:validatesRobustness":"The entity tests model resilience.","ai:training":"Behaviours that prepare data and train machine learning models.","ai:training:appliesTransferLearning":"The entity adapts pre-trained model.","ai:training:checkpointsModel":"The entity saves model state during training.","ai:training:fineTunesModel":"The entity refines model for specific task.","ai:training:ingestsTrainingData":"The entity acquires data for training.","ai:training:preprocessesTrainingData":"The entity prepares data for training.","ai:training:trainsFederatedly":"The entity trains on distributed data.","ai:training:trainsModel":"The entity adjusts model parameters.","ai:training:tunesHyperparameters":"The entity optimises configuration parameters.","ai:training:validatesModel":"The entity evaluates model during training.","ai:training:validatesTrainingData":"The entity checks training data quality.","application":"Behaviours relating to application-level request processing and business logic.","application:codeExecution":"Behaviours 
that dynamically load and execute code at runtime.","application:codeExecution:compilesCode":"The entity transforms source to executable form.","application:codeExecution:evaluatesExpression":"The entity interprets and executes an expression.","application:codeExecution:executesNativeCommand":"The entity runs an operating system command.","application:codeExecution:executesScript":"The entity runs script code.","application:codeExecution:interpretsCode":"The entity executes code without compilation.","application:codeExecution:invokesViaReflection":"The entity calls method through reflection.","application:codeExecution:loadsCodeDynamically":"The entity loads executable code at runtime.","application:configuration":"Behaviours that load and manage application configuration settings.","application:configuration:detectsEnvironment":"The entity determines deployment context.","application:configuration:evaluatesFeatureFlag":"The entity checks feature toggle state.","application:configuration:loadsConfiguration":"The entity reads configuration settings.","application:configuration:reloadsConfiguration":"The entity refreshes configuration dynamically.","application:controlFlow":"Behaviours that manage the execution sequence and event handling within an application.","application:controlFlow:awaitsAsyncResult":"The entity waits for asynchronous completion.","application:controlFlow:catchesException":"The entity handles an error condition.","application:controlFlow:emitsEvent":"The entity triggers an event.","application:controlFlow:handlesEvent":"The entity responds to an event.","application:controlFlow:invokesCallback":"The entity executes a callback function.","application:controlFlow:invokesHandler":"The entity calls a request handler.","application:controlFlow:invokesMiddleware":"The entity executes middleware component.","application:controlFlow:schedulesAsyncOperation":"The entity queues work for later execution.","application:controlFlow:throwsException":"The 
entity raises an error condition.","application:dependencyManagement":"Behaviours that resolve and manage dependencies on other components.","application:dependencyManagement:closesCircuitBreaker":"The entity resumes calls to recovered dependency.","application:dependencyManagement:fallsBack":"The entity uses alternative when primary fails.","application:dependencyManagement:injectsDependency":"The entity provides component to dependent.","application:dependencyManagement:opensCircuitBreaker":"The entity stops calls to failing dependency.","application:dependencyManagement:resolvesDependency":"The entity locates required component.","application:externalIntegration":"Behaviours that communicate with external services and systems.","application:externalIntegration:callsExternalService":"The entity invokes an external API.","application:externalIntegration:consumesEvent":"The entity receives event from external system.","application:externalIntegration:publishesEvent":"The entity sends event to external system.","application:externalIntegration:receivesWebhook":"The entity accepts callback from external service.","application:observability":"Behaviours that emit telemetry for monitoring and debugging purposes.","application:observability:emitsTelemetry":"The entity transmits operational data.","application:observability:logsOperation":"The entity records an operational event.","application:observability:recordsMetric":"The entity captures a quantitative measurement.","application:observability:reportsHealth":"The entity communicates operational status.","application:observability:tracesRequest":"The entity tracks request across services.","application:requestHandling":"Behaviours that receive and process incoming requests.","application:requestHandling:authenticatesRequest":"The entity verifies requestor identity.","application:requestHandling:authorizesRequest":"The entity verifies requestor permissions.","application:requestHandling:bindsParameters":"The entity 
maps request data to parameters.","application:requestHandling:parsesRequest":"The entity interprets incoming request.","application:requestHandling:receivesHttpRequest":"The entity accepts an HTTP request.","application:requestHandling:rejectsRequest":"The entity refuses to process request.","application:requestHandling:routesRequest":"The entity directs request to appropriate handler.","application:requestHandling:validatesRequest":"The entity verifies request validity.","application:responseGeneration":"Behaviours that construct and transmit responses to requests.","application:responseGeneration:generatesResponse":"The entity creates a response.","application:responseGeneration:readsCookie":"The entity retrieves cookie value.","application:responseGeneration:redirectsRequest":"The entity sends client to different location.","application:responseGeneration:returnsError":"The entity indicates failure.","application:responseGeneration:returnsSuccess":"The entity indicates successful completion.","application:responseGeneration:sendsHttpResponse":"The entity transmits an HTTP response.","application:responseGeneration:setsCookie":"The entity creates or modifies a cookie.","application:responseGeneration:setsHeader":"The entity adds HTTP header to response.","application:stateManagement":"Behaviours that maintain and synchronise application state across requests.","application:stateManagement:acquiresLock":"The entity obtains exclusive access to resource.","application:stateManagement:beginsTransaction":"The entity starts an atomic operation group.","application:stateManagement:commitsTransaction":"The entity finalises transaction changes.","application:stateManagement:createsSessionState":"The entity initialises session data.","application:stateManagement:destroysSessionState":"The entity removes session data.","application:stateManagement:readsSessionState":"The entity retrieves session data.","application:stateManagement:releasesLock":"The entity relinquishes 
exclusive access.","application:stateManagement:rollsBackTransaction":"The entity undoes transaction changes.","application:stateManagement:synchronizesState":"The entity maintains consistency across replicas.","application:stateManagement:updatesSessionState":"The entity modifies session data.","data":"Behaviours relating to the ingestion and transformation of structured and unstructured data.","data:encoding":"Behaviours that apply specific encoding schemes to data.","data:encoding:appliesXor":"The entity transforms data using XOR operation.","data:encoding:decodesBaseSixtyFour":"The entity converts Base64 to original form.","data:encoding:decodesUrl":"The entity converts URL-encoded data.","data:encoding:encodesBaseSixtyFour":"The entity converts data to Base64.","data:encoding:encodesUrl":"The entity converts data for URL inclusion.","data:ingestion":"Behaviours that acquire data from external sources.","data:ingestion:pollsSource":"The entity periodically checks for new data.","data:ingestion:readsFile":"The entity retrieves data from a file.","data:ingestion:readsStream":"The entity consumes data from a continuous source.","data:ingestion:receivesInput":"The entity accepts data from an external source.","data:ingestion:receivesMessage":"The entity accepts a message from a queue.","data:ingestion:receivesRequest":"The entity accepts an incoming request.","data:ingestion:subscribesToFeed":"The entity registers to receive updates.","data:output":"Behaviours that produce and transmit data to external consumers.","data:output:formatsResponse":"The entity structures data for delivery.","data:output:producesOutput":"The entity generates data for consumption.","data:output:publishesMessage":"The entity sends a message to a queue.","data:output:rendersTemplate":"The entity generates output from a template.","data:output:sendsResponse":"The entity transmits a reply.","data:output:serializesObject":"The entity converts object to transmittable 
form.","data:output:streamsOutput":"The entity continuously produces data.","data:output:writesFile":"The entity saves data to a file.","data:parsing":"Behaviours that interpret and extract information from structured data formats.","data:parsing:decodesData":"The entity converts encoded data to original form.","data:parsing:deserializesObject":"The entity reconstructs object from serialised form.","data:parsing:extractsFields":"The entity isolates specific data elements.","data:parsing:parsesData":"The entity interprets structured data.","data:parsing:parsesHtml":"The entity interprets HTML content.","data:parsing:parsesJson":"The entity interprets JSON-formatted data.","data:parsing:parsesXml":"The entity interprets XML-formatted data.","data:query":"Behaviours that retrieve data based on specified criteria.","data:query:executesLdapQuery":"The entity queries an LDAP directory.","data:query:executesNoSqlQuery":"The entity queries a NoSQL database.","data:query:executesSearch":"The entity performs full-text or indexed search.","data:query:executesSql":"The entity runs a SQL statement.","data:query:executesXPath":"The entity evaluates an XPath expression.","data:query:queriesData":"The entity retrieves data matching criteria.","data:storage":"Behaviours that persist and retrieve data from storage systems.","data:storage:cachesData":"The entity stores data for quick retrieval.","data:storage:deletesData":"The entity removes stored data.","data:storage:flushesCache":"The entity writes cached data to persistent storage.","data:storage:invalidatesCache":"The entity marks cached data as stale.","data:storage:retrievesData":"The entity fetches stored data.","data:storage:storesData":"The entity saves data persistently.","data:storage:updatesData":"The entity modifies stored data.","data:transformation":"Behaviours that convert data from one form or structure to another.","data:transformation:aggregatesData":"The entity combines multiple 
values.","data:transformation:compressesData":"The entity reduces data size.","data:transformation:decompressesData":"The entity restores compressed data.","data:transformation:encodesData":"The entity converts data to encoded form.","data:transformation:enrichesData":"The entity adds information from external sources.","data:transformation:filtersData":"The entity removes unwanted elements.","data:transformation:joinsData":"The entity combines data from multiple sources.","data:transformation:mapsData":"The entity converts between data structures.","data:transformation:normalizesData":"The entity converts to standard form.","data:transformation:sortsData":"The entity orders data elements.","data:transformation:transformsData":"The entity converts data from one form to another.","evasion":"Behaviours relating to techniques that avoid detection and analysis.","evasion:analysisResistance":"Behaviours that detect and evade analysis environments.","evasion:analysisResistance:detectsAnalysisTool":"The entity identifies analysis software.","evasion:analysisResistance:detectsDebugger":"The entity identifies debugger presence.","evasion:analysisResistance:detectsEmulator":"The entity identifies emulation environment.","evasion:analysisResistance:detectsSandbox":"The entity identifies sandbox environment.","evasion:analysisResistance:detectsVirtualMachine":"The entity identifies VM environment.","evasion:analysisResistance:evadesDebugger":"The entity modifies behaviour under debugging.","evasion:analysisResistance:evadesEmulator":"The entity modifies behaviour under emulation.","evasion:analysisResistance:evadesSandbox":"The entity modifies behaviour in sandbox.","evasion:analysisResistance:evadesVirtualMachine":"The entity modifies behaviour in VM.","evasion:analysisResistance:usesTimingEvasion":"The entity uses delays to evade analysis.","evasion:antiSecurity":"Behaviours that detect and disable security software.","evasion:antiSecurity:detectsAntivirus":"The entity 
identifies AV software.","evasion:antiSecurity:disablesSecuritySoftware":"The entity deactivates security tools.","evasion:antiSecurity:evadesAntivirus":"The entity avoids AV detection.","evasion:antiSecurity:terminatesSecurityProcess":"The entity kills security software processes.","evasion:indirection":"Behaviours that use indirect methods to execute code.","evasion:indirection:resolvesApiDynamically":"The entity finds API addresses at runtime.","evasion:indirection:usesIndirectCalls":"The entity invokes functions indirectly.","evasion:indirection:usesProxyExecution":"The entity executes through intermediary.","evasion:obfuscation":"Behaviours that obscure code and data to hinder analysis.","evasion:obfuscation:obfuscatesCode":"The entity makes code difficult to analyse.","evasion:obfuscation:obfuscatesControlFlow":"The entity obscures execution paths.","evasion:obfuscation:obfuscatesData":"The entity hides data structures.","evasion:obfuscation:obfuscatesStrings":"The entity hides string contents.","evasion:obfuscation:packsCode":"The entity compresses or encrypts executable.","evasion:obfuscation:unpacksAtRuntime":"The entity decompresses code during execution.","file":"Behaviours relating to file system operations and disk management.","file:directory":"Behaviours that create and navigate directory structures.","file:directory:changesDirectory":"The entity sets current working directory.","file:directory:createsDirectory":"The entity creates a new directory.","file:directory:deletesDirectory":"The entity removes a directory.","file:directory:listsDirectory":"The entity enumerates directory contents.","file:directory:traversesDirectory":"The entity recursively explores directories.","file:disk":"Behaviours that manage storage volumes and disk-level operations.","file:disk:decryptsVolume":"The entity decrypts a storage volume.","file:disk:encryptsVolume":"The entity encrypts a storage volume.","file:disk:formatsVolume":"The entity prepares storage for 
use.","file:disk:mountsVolume":"The entity attaches a storage volume.","file:disk:unmountsVolume":"The entity detaches a storage volume.","file:disk:wipesDisk":"The entity securely erases disk contents.","file:operations":"Behaviours that create and manipulate files.","file:operations:appendsToFile":"The entity adds data to end of file.","file:operations:checksFileExistence":"The entity verifies whether a file exists.","file:operations:closesFile":"The entity releases file access.","file:operations:copiesFile":"The entity duplicates a file.","file:operations:createsFile":"The entity creates a new file.","file:operations:deletesFile":"The entity removes a file.","file:operations:getsFileAttributes":"The entity retrieves file metadata.","file:operations:movesFile":"The entity relocates a file.","file:operations:opensFile":"The entity prepares a file for access.","file:operations:readsFile":"The entity retrieves file contents.","file:operations:renamesFile":"The entity changes a file name.","file:operations:setsFileAttributes":"The entity modifies file metadata.","file:operations:setsFilePermissions":"The entity modifies file access permissions.","file:operations:writesFile":"The entity modifies file contents.","gui":"Behaviours relating to graphical user interface interactions.","gui:display":"Behaviours that render and monitor visual output.","gui:display:displaysData":"The entity renders information visually.","gui:display:monitorsDisplay":"The entity observes displayed content.","gui:display:updatesDisplay":"The entity refreshes visual presentation.","gui:session":"Behaviours that interact with user login sessions.","gui:session:displaysLogin":"The entity presents login interface.","gui:session:interactsWithSession":"The entity operates within user session.","gui:session:switchesSession":"The entity changes active user session.","gui:window":"Behaviours that create and manipulate graphical windows.","gui:window:capturesWindow":"The entity captures window 
contents.","gui:window:createsWindow":"The entity creates a graphical window.","gui:window:destroysWindow":"The entity closes a window.","gui:window:enumeratesWindows":"The entity lists open windows.","gui:window:interactsWithTaskbar":"The entity modifies taskbar elements.","gui:window:modifiesWindow":"The entity changes window properties.","hardware":"Behaviours relating to hardware components and physical device interactions.","hardware:actuator":"Behaviours that control physical actuators and output devices.","hardware:actuator:calibratesActuator":"The entity adjusts actuator accuracy.","hardware:actuator:controlsBattery":"The entity manages battery charging.","hardware:actuator:controlsHeating":"The entity manages heating element.","hardware:actuator:controlsLed":"The entity manages LED indicator.","hardware:actuator:controlsMotor":"The entity manages motor operation.","hardware:actuator:controlsPower":"The entity manages power distribution.","hardware:actuator:controlsPump":"The entity manages fluid pump.","hardware:actuator:controlsTemperature":"The entity regulates temperature.","hardware:boot":"Behaviours that verify and configure system startup processes.","hardware:boot:entersRecoveryMode":"The entity boots via alternative path.","hardware:boot:executesSecureBoot":"The entity verifies code integrity at startup.","hardware:boot:locksBootConfiguration":"The entity prevents boot setting changes.","hardware:boot:modifiesBootConfiguration":"The entity changes boot settings.","hardware:boot:readsBootConfiguration":"The entity retrieves boot settings.","hardware:boot:recordsBootMeasurement":"The entity logs boot component hashes.","hardware:boot:verifiesBootLoader":"The entity validates boot loader authenticity.","hardware:firmware":"Behaviours that manage and verify firmware integrity.","hardware:firmware:monitorsFirmwareIntegrity":"The entity checks for firmware tampering.","hardware:firmware:preventsFirmwareRollback":"The entity blocks reversion to old 
firmware.","hardware:firmware:readsFirmwareVersion":"The entity retrieves firmware version.","hardware:firmware:updatesFirmware":"The entity applies firmware changes.","hardware:firmware:verifiesFirmwareSignature":"The entity validates firmware authenticity.","hardware:memory":"Behaviours that protect and isolate memory regions.","hardware:memory:encryptsMemory":"The entity protects memory contents.","hardware:memory:isolatesMemory":"The entity separates memory regions.","hardware:memory:protectsStack":"The entity defends against stack attacks.","hardware:memory:randomizesAddressSpace":"The entity applies ASLR.","hardware:memory:readsProtectedMemory":"The entity accesses protected memory region.","hardware:memory:writesProtectedMemory":"The entity modifies protected memory region.","hardware:peripheral":"Behaviours that interact with peripheral devices and interfaces.","hardware:peripheral:accessesCamera":"The entity interacts with camera hardware.","hardware:peripheral:accessesDisplay":"The entity interacts with display hardware.","hardware:peripheral:accessesGpio":"The entity reads or writes GPIO pins.","hardware:peripheral:accessesJtag":"The entity uses JTAG debug interface.","hardware:peripheral:accessesKeyboard":"The entity interacts with keyboard hardware.","hardware:peripheral:accessesStorageDevice":"The entity interacts with storage hardware.","hardware:peripheral:accessesUsbDevice":"The entity interacts with USB peripheral.","hardware:peripheral:configuresDma":"The entity sets up direct memory access.","hardware:peripheral:protectsDma":"The entity prevents unauthorised DMA.","hardware:physicalSecurity":"Behaviours that detect and respond to physical tampering.","hardware:physicalSecurity:detectsPhysicalTamper":"The entity identifies physical interference.","hardware:physicalSecurity:disablesDebugInterface":"The entity prevents debug access.","hardware:physicalSecurity:enablesDebugInterface":"The entity permits debug 
access.","hardware:physicalSecurity:monitorsEnclosure":"The entity detects housing penetration.","hardware:physicalSecurity:respondsToTamper":"The entity reacts to physical attack.","hardware:physicalSecurity:zeroizesKeys":"The entity destroys keys on tamper detection.","hardware:security":"Behaviours that utilise hardware security features and trusted execution environments.","hardware:security:anchorsInHardwareRoot":"The entity uses tamper-resistant hardware for trust.","hardware:security:executesInTee":"The entity runs in trusted execution environment.","hardware:security:generatesPufResponse":"The entity uses physical unclonable function.","hardware:security:usesHsm":"The entity employs hardware security module.","hardware:security:usesSecureElement":"The entity employs dedicated security hardware.","hardware:sensor":"Behaviours that read measurements from hardware sensors.","hardware:sensor:calibratesSensor":"The entity adjusts sensor accuracy.","hardware:sensor:readsBatteryStatus":"The entity obtains battery state.","hardware:sensor:readsBloodOxygen":"The entity obtains SpO2 measurement.","hardware:sensor:readsBloodPressure":"The entity obtains blood pressure measurement.","hardware:sensor:readsCoTwoLevel":"The entity obtains CO2 measurement.","hardware:sensor:readsEcg":"The entity obtains electrocardiogram data.","hardware:sensor:readsPowerStatus":"The entity obtains power state.","hardware:sensor:readsTemperature":"The entity obtains temperature measurement.","hardware:sideChannelDefense":"Behaviours that protect against side-channel attacks.","hardware:sideChannelDefense:controlsEmEmissions":"The entity limits electromagnetic leakage.","hardware:sideChannelDefense:resistsFaultInjection":"The entity protects against induced faults.","hardware:sideChannelDefense:resistsPowerAnalysis":"The entity protects against power-based attacks.","hardware:sideChannelDefense:resistsTimingAnalysis":"The entity protects against timing-based attacks.","network":"Behaviours 
relating to network communication and data transmission between systems.","network:connection":"Behaviours that establish and manage network connections.","network:connection:acceptsConnection":"The entity receives an incoming connection.","network:connection:detectsConnectionLoss":"The entity identifies a dropped connection.","network:connection:establishesConnection":"The entity initiates a network connection.","network:connection:reconnects":"The entity re-establishes a dropped connection.","network:connection:reusesConnection":"The entity uses a pooled connection.","network:connection:sendsHeartbeat":"The entity transmits a keep-alive signal.","network:connection:terminatesConnection":"The entity closes a network connection.","network:discovery":"Behaviours that locate and advertise network services and resources.","network:discovery:advertisesService":"The entity announces its availability.","network:discovery:discoversService":"The entity locates an available service.","network:discovery:enumeratesInterfaces":"The entity lists network interfaces.","network:discovery:probesPort":"The entity checks if a port is open.","network:discovery:queriesDns":"The entity requests DNS resolution.","network:discovery:resolvesName":"The entity translates a name to an address.","network:discovery:scansNetwork":"The entity probes for active hosts or services.","network:protocol":"Behaviours that negotiate and implement communication protocols.","network:protocol:downgradesProtocol":"The entity falls back to a less secure protocol version.","network:protocol:framesMessage":"The entity structures data for transmission.","network:protocol:negotiatesProtocol":"The entity agrees on communication protocol with peer.","network:protocol:parsesMessage":"The entity interprets received network data.","network:protocol:retransmitsMessage":"The entity resends data after transmission failure.","network:protocol:upgradesProtocol":"The entity transitions to a more secure protocol 
version.","network:protocol:validatesMessage":"The entity verifies message format and integrity.","network:remoteInteraction":"Behaviours that execute operations on remote systems.","network:remoteInteraction:accessesRemoteDesktop":"The entity controls a remote graphical interface.","network:remoteInteraction:accessesRemoteShell":"The entity interacts with a remote command line.","network:remoteInteraction:executesRemoteCommand":"The entity runs a command on a remote system.","network:remoteInteraction:invokesRemoteProcedure":"The entity calls a function on a remote system.","network:remoteInteraction:sendsEmail":"The entity transmits an email message.","network:remoteInteraction:sendsSms":"The entity transmits a text message.","network:remoteInteraction:transfersFile":"The entity sends or receives a file remotely.","network:routing":"Behaviours that direct network traffic to its destination.","network:routing:configuresProxy":"The entity sets up traffic to route through a proxy.","network:routing:forwardsPacket":"The entity passes a packet toward its destination.","network:routing:redirectsTraffic":"The entity diverts traffic to a different destination.","network:routing:routesTraffic":"The entity directs network traffic to destinations.","network:routing:tunnelsTraffic":"The entity encapsulates traffic within another protocol.","network:trafficControl":"Behaviours that manage and manipulate network traffic flow.","network:trafficControl:balancesLoad":"The entity distributes requests across destinations.","network:trafficControl:filtersTraffic":"The entity blocks or allows traffic based on rules.","network:trafficControl:inspectsTraffic":"The entity examines traffic contents.","network:trafficControl:interceptsTraffic":"The entity captures traffic in transit.","network:trafficControl:limitsRate":"The entity restricts traffic volume.","network:trafficControl:modifiesTraffic":"The entity alters traffic in transit.","network:trafficControl:shapesTraffic":"The entity 
manages traffic timing and priority.","network:transmission":"Behaviours that send and receive data over network connections.","network:transmission:broadcastsData":"The entity sends data to multiple recipients.","network:transmission:multicastsData":"The entity sends data to a group of recipients.","network:transmission:receivesData":"The entity accepts data from the network.","network:transmission:sendsData":"The entity transmits data over the network.","network:transmission:streamsData":"The entity continuously transmits or receives data.","privacy":"Behaviours relating to the collection and processing of personal and sensitive data.","privacy:collection":"Behaviours that gather personal or sensitive information from individuals or systems.","privacy:collection:capturesAudio":"The entity records sound via microphone.","privacy:collection:capturesKeystrokes":"The entity records keyboard input.","privacy:collection:capturesScreen":"The entity records display contents.","privacy:collection:capturesVideo":"The entity records images via camera.","privacy:collection:collectsBehavioralData":"The entity records user actions and patterns.","privacy:collection:collectsBiometricData":"The entity captures biometric information.","privacy:collection:collectsCommunicationContent":"The entity captures message or call contents.","privacy:collection:collectsDeviceInformation":"The entity gathers device identifiers or characteristics.","privacy:collection:collectsFinancialData":"The entity gathers payment or financial information.","privacy:collection:collectsHealthData":"The entity gathers protected health information.","privacy:collection:collectsInBackground":"The entity gathers data without active user engagement.","privacy:collection:collectsLocationData":"The entity gathers geographical position information.","privacy:collection:collectsPersonalData":"The entity gathers personally identifiable information.","privacy:collection:collectsSilently":"The entity gathers data 
without user awareness.","privacy:collection:readsBrowserHistory":"The entity accesses web browsing history.","privacy:collection:readsClipboard":"The entity accesses clipboard contents.","privacy:deletion":"Behaviours that remove or destroy personal data.","privacy:deletion:clearsCache":"The entity removes data from temporary storage.","privacy:deletion:deletesPersonalData":"The entity removes personal data.","privacy:deletion:erasesSecurely":"The entity irreversibly destroys data.","privacy:deletion:purgesFromBackup":"The entity removes data from backup systems.","privacy:deletion:redactsData":"The entity removes specific content from records.","privacy:inference":"Behaviours that derive personal information through analysis and correlation of data.","privacy:inference:correlatesData":"The entity combines data from multiple sources.","privacy:inference:createsProfile":"The entity builds a profile from collected data.","privacy:inference:fingerprintsDevice":"The entity identifies device via characteristics.","privacy:inference:infersPersonalInformation":"The entity derives personal data from other data.","privacy:inference:linksIdentities":"The entity associates data across contexts.","privacy:inference:tracksUser":"The entity follows user activity across sessions.","privacy:minimization":"Behaviours that reduce the amount or sensitivity of personal data processed.","privacy:minimization:aggregatesData":"The entity combines records into summaries.","privacy:minimization:anonymizesData":"The entity removes identifying information.","privacy:minimization:filtersData":"The entity removes unnecessary data elements.","privacy:minimization:generalizesData":"The entity reduces data precision.","privacy:minimization:limitsCollection":"The entity gathers only necessary data.","privacy:minimization:limitsProcessing":"The entity restricts data use to stated purposes.","privacy:minimization:pseudonymizesData":"The entity replaces identifiers with 
pseudonyms.","privacy:privacyEnhancement":"Behaviours that employ technical measures to protect privacy during processing.","privacy:privacyEnhancement:addsDifferentialPrivacy":"The entity injects noise to protect individuals.","privacy:privacyEnhancement:computesMultiparty":"The entity performs joint computation privately.","privacy:privacyEnhancement:processesHomomorphically":"The entity computes on encrypted data.","privacy:privacyEnhancement:processesLocally":"The entity handles data on-device.","privacy:retention":"Behaviours that store personal data over time.","privacy:retention:archivesData":"The entity moves data to long-term storage.","privacy:retention:backsUpData":"The entity creates copies for recovery.","privacy:retention:enforcesRetentionPeriod":"The entity deletes data after specified time.","privacy:retention:retainsBeyondPurpose":"The entity keeps data longer than necessary.","privacy:retention:retainsInCache":"The entity keeps data in temporary storage.","privacy:retention:retainsInLog":"The entity keeps data in log files.","privacy:retention:storesPersonalData":"The entity saves personal data persistently.","privacy:sharing":"Behaviours that disclose personal data to third parties or across boundaries.","privacy:sharing:disclosesToThirdParty":"The entity transmits personal data externally.","privacy:sharing:exportsData":"The entity outputs data in portable format.","privacy:sharing:publishesData":"The entity makes data publicly available.","privacy:sharing:sellsData":"The entity provides data in exchange for value.","privacy:sharing:sharesWithAffiliate":"The entity provides data to related entities.","privacy:sharing:transfersCrossBorder":"The entity sends data across jurisdictions.","privacy:subjectRights":"Behaviours that fulfil data subject rights under privacy regulations.","privacy:subjectRights:correctsData":"The entity modifies inaccurate personal data.","privacy:subjectRights:exportsDataPortably":"The entity provides data in portable 
format.","privacy:subjectRights:honorsErasureRequest":"The entity deletes data upon request.","privacy:subjectRights:honorsObjection":"The entity ceases processing upon objection.","privacy:subjectRights:providesDataAccess":"The entity gives individuals their data.","privacy:subjectRights:restrictsProcessing":"The entity limits data use upon request.","privacy:transparency":"Behaviours that inform individuals about data processing activities.","privacy:transparency:disclosesProcessing":"The entity reveals data processing activities.","privacy:transparency:displaysPrivacyNotice":"The entity presents privacy information.","privacy:transparency:explainsAutomatedDecision":"The entity describes automated decision logic.","privacy:transparency:recordsConsent":"The entity stores consent decisions.","privacy:transparency:requestsConsent":"The entity asks for processing permission.","privacy:transparency:withdrawsConsent":"The entity processes consent revocation.","safety":"Behaviours relating to the prevention of harm to users and the environment.","safety:autonomousBehavior":"Behaviours that govern decision-making boundaries and human oversight of autonomous systems.","safety:autonomousBehavior:acceptsOverride":"The entity yields to human command.","safety:autonomousBehavior:enforcesHumanInLoop":"The entity requires human involvement.","safety:autonomousBehavior:explainsDecision":"The entity provides rationale for its action.","safety:autonomousBehavior:requestsGuidance":"The entity asks for human direction.","safety:autonomousBehavior:respectsDecisionBoundary":"The entity stays within authorised decision scope.","safety:contentSafety":"Behaviours that detect and filter harmful or inappropriate content.","safety:contentSafety:detectsHarmfulContent":"The entity identifies potentially harmful content.","safety:contentSafety:detectsMisinformation":"The entity identifies false or misleading content.","safety:contentSafety:enforcesAgeRestriction":"The entity limits access by 
user age.","safety:contentSafety:filtersContent":"The entity blocks or restricts content.","safety:contentSafety:labelsContent":"The entity marks content with warnings or ratings.","safety:harmPrevention":"Behaviours that actively protect users and bystanders from physical or psychological harm.","safety:harmPrevention:preventsEnvironmentalHarm":"The entity acts to protect the environment.","safety:harmPrevention:preventsPropertyDamage":"The entity acts to protect physical property.","safety:harmPrevention:preventsUserHarm":"The entity acts to protect users from injury.","safety:harmPrevention:protectsBystanders":"The entity considers safety of non-users.","safety:hazardManagement":"Behaviours that identify and mitigate potentially dangerous conditions.","safety:hazardManagement:assessesRisk":"The entity evaluates severity and likelihood of harm.","safety:hazardManagement:identifiesHazard":"The entity detects a potentially harmful condition.","safety:hazardManagement:mitigatesHazard":"The entity reduces hazard severity or likelihood.","safety:hazardManagement:reportsHazard":"The entity communicates a hazardous condition.","safety:humanInteraction":"Behaviours that manage communication and interaction with human operators.","safety:humanInteraction:adaptsForAccessibility":"The entity adjusts for users with disabilities.","safety:humanInteraction:managesCognitiveLoad":"The entity limits information to prevent overwhelm.","safety:humanInteraction:requestsConfirmation":"The entity requires human approval for action.","safety:humanInteraction:warnsOperator":"The entity alerts human to abnormal condition.","safety:operationalSafety":"Behaviours that enforce safe operating limits and conditions.","safety:operationalSafety:acceptsManualOverride":"The entity yields control to human operator.","safety:operationalSafety:enforcesInterlock":"The entity prevents unsafe operation combinations.","safety:operationalSafety:enforcesOperatingLimits":"The entity prevents operation 
outside safe bounds.","safety:operationalSafety:executesEmergencyStop":"The entity immediately halts dangerous operation.","safety:operationalSafety:monitorsWatchdog":"The entity checks for uncontrolled operation.","safety:operationalSafety:validatesSafetyCondition":"The entity confirms safe operating state.","security":"Behaviours relating to the protection of systems and data from unauthorised access and threats.","security:auditing":"Behaviours that record security-relevant events for accountability and forensic analysis.","security:auditing:logsEvent":"The entity records an occurrence.","security:auditing:logsSecurityEvent":"The entity records a security-relevant occurrence.","security:auditing:protectsAuditLog":"The entity prevents tampering with log records.","security:auditing:purgesLog":"The entity deletes old log records.","security:auditing:rotatesLog":"The entity archives and starts new log files.","security:auditing:signsLogEntry":"The entity cryptographically signs audit records.","security:auditing:timestampsEvent":"The entity records when an event occurred.","security:auditing:transmitsLog":"The entity sends log data to a remote destination.","security:authentication":"Behaviours that verify the identity of users and entities.","security:authentication:authenticatesDevice":"The entity confirms device identity.","security:authentication:authenticatesService":"The entity confirms service identity.","security:authentication:authenticatesUser":"The entity confirms user identity.","security:authentication:bypassesAuthentication":"The entity permits access without authentication.","security:authentication:capturesBiometric":"The entity collects biometric data for authentication.","security:authentication:delegatesAuthentication":"The entity relies on external identity provider.","security:authentication:failsAuthentication":"The entity rejects invalid credentials.","security:authentication:locksAccount":"The entity prevents further authentication 
attempts.","security:authentication:performsMultiFactorAuthentication":"The entity requires multiple authentication factors.","security:authentication:promptsForCredentials":"The entity requests authentication information.","security:authentication:unlocksAccount":"The entity restores authentication capability.","security:authentication:validatesBiometric":"The entity verifies biometric data.","security:authentication:validatesCredentials":"The entity verifies supplied credentials.","security:authorization":"Behaviours that determine and enforce access permissions.","security:authorization:checksPermission":"The entity verifies access rights.","security:authorization:delegatesAuthority":"The entity transfers access rights to another.","security:authorization:deniesAccess":"The entity refuses a requested action.","security:authorization:enforcesRole":"The entity restricts actions based on assigned role.","security:authorization:escalatesPrivilege":"The entity gains elevated permissions.","security:authorization:evaluatesAttributes":"The entity uses attributes for access decisions.","security:authorization:evaluatesPolicy":"The entity applies rules to make access decisions.","security:authorization:grantsAccess":"The entity permits a requested action.","security:authorization:grantsImpersonation":"The entity permits another to act within its security context.","security:authorization:impersonatesUser":"The entity performs actions within another user's security context.","security:authorization:requestsImpersonation":"The entity initiates a request to act as another user.","security:authorization:revokesAccess":"The entity withdraws previously granted permissions.","security:authorization:revokesImpersonation":"The entity terminates another's permission to act on its behalf.","security:cryptography":"Behaviours that employ cryptographic operations to protect data confidentiality and integrity.","security:cryptography:authenticates":"The entity verifies the identity of 
a user, process, or device.","security:cryptography:checksRevocation":"The entity queries certificate revocation status.","security:cryptography:decryptsData":"The entity restores encrypted data to readable form.","security:cryptography:decryptsDataAtRest":"The entity restores stored encrypted data to readable form.","security:cryptography:decryptsDataInTransit":"The entity restores data received over a network to readable form.","security:cryptography:decryptsDisk":"The entity unlocks and decrypts contents of an encrypted disk.","security:cryptography:decryptsSecret":"The entity retrieves and decrypts a secured credential or metadata.","security:cryptography:destroysKey":"The entity securely erases a key.","security:cryptography:encryptsData":"The entity transforms data to prevent unauthorised reading.","security:cryptography:encryptsDataAtRest":"The entity protects stored data by converting it to unreadable form.","security:cryptography:encryptsDataInTransit":"The entity protects data moving across a network.","security:cryptography:encryptsDisk":"The entity applies full-disk encryption to protect all data on a drive.","security:cryptography:encryptsSecret":"The entity secures sensitive credentials or metadata.","security:cryptography:ensuresAccountability":"The entity ensures actions can be traced to a specific individual or process.","security:cryptography:ensuresConfidentiality":"The entity protects sensitive information from unauthorised access.","security:cryptography:ensuresIntegrity":"The entity guarantees that data has not been altered or tampered with.","security:cryptography:ensuresNonRepudiation":"The entity provides proof of origin and integrity to prevent denial.","security:cryptography:exchangesKey":"The entity shares a key with another party.","security:cryptography:generatesKey":"The entity creates a cryptographic key.","security:cryptography:generatesRandomValue":"The entity produces a cryptographically secure random 
value.","security:cryptography:hashesData":"The entity generates a cryptographic hash.","security:cryptography:hashesPassword":"The entity applies a cryptographic hash function to a password.","security:cryptography:identifies":"The entity establishes a unique identity for an actor within the system.","security:cryptography:issuesCertificate":"The entity creates and signs a digital certificate.","security:cryptography:preservesPrivacy":"The entity protects personally identifiable information and user data.","security:cryptography:presentsClientCertificate":"The entity provides a client certificate for authentication.","security:cryptography:presentsServerCertificate":"The entity provides a server certificate for authentication.","security:cryptography:retrievesKey":"The entity obtains a stored key.","security:cryptography:revokesCertificate":"The entity invalidates a certificate.","security:cryptography:rotatesKey":"The entity replaces a key with a new one.","security:cryptography:signsCode":"The entity applies a digital signature to executable code.","security:cryptography:signsData":"The entity creates a digital signature.","security:cryptography:signsDocument":"The entity applies a digital signature to a document.","security:cryptography:storesKey":"The entity saves a key securely.","security:cryptography:usesIdentity":"The entity utilises established identity credentials for operations.","security:cryptography:validatesCertificate":"The entity verifies certificate authenticity.","security:cryptography:validatesToken":"The entity verifies the authenticity and expiration of a security token.","security:cryptography:verifiesCodeSignature":"The entity validates a digital signature on executable code.","security:cryptography:verifiesDataSignature":"The entity validates a digital signature on data.","security:cryptography:verifiesDocumentSignature":"The entity validates a digital signature on a document.","security:cryptography:verifiesHash":"The entity validates 
data against a hash.","security:cryptography:verifiesSignature":"The entity validates a digital signature.","security:cryptography:wrapsKey":"The entity encrypts a key for secure storage or transport.","security:errorHandling":"Behaviours that manage error conditions to prevent information disclosure.","security:errorHandling:catchesException":"The entity intercepts an error condition.","security:errorHandling:disclosesErrorDetails":"The entity reveals internal information in error messages.","security:errorHandling:failsClosed":"The entity denies access when controls fail.","security:errorHandling:failsOpen":"The entity permits access when controls fail.","security:errorHandling:generatesError":"The entity produces an error condition.","security:errorHandling:logsError":"The entity records an error condition.","security:errorHandling:propagatesError":"The entity passes an error to caller.","security:errorHandling:returnsGenericError":"The entity provides minimal error information.","security:errorHandling:suppressesError":"The entity hides an error condition.","security:inputHandling":"Behaviours that validate and sanitise input data to prevent injection attacks.","security:inputHandling:escapesInput":"The entity encodes special characters in input.","security:inputHandling:normalizesInput":"The entity converts input to standard form.","security:inputHandling:rejectsInvalidInput":"The entity refuses malformed or dangerous input.","security:inputHandling:sanitizesInput":"The entity removes potentially harmful content from input.","security:inputHandling:truncatesInput":"The entity shortens input to acceptable length.","security:inputHandling:validatesFormat":"The entity verifies input conforms to expected format.","security:inputHandling:validatesRange":"The entity ensures values fall within acceptable bounds.","security:inputHandling:validatesSchema":"The entity checks input against a defined schema.","security:integrity":"Behaviours that verify and protect the 
integrity of data and code.","security:integrity:attestsIntegrity":"The entity provides evidence of its own integrity.","security:integrity:detectsTampering":"The entity identifies modification attempts.","security:integrity:respondsToTampering":"The entity reacts to detected tampering.","security:integrity:validatesComponent":"The entity verifies authenticity of a dependency.","security:integrity:verifiesIntegrity":"The entity confirms data or code has not been altered.","security:integrity:verifiesProvenance":"The entity confirms origin and history.","security:outputHandling":"Behaviours that encode and filter output data to prevent information leakage.","security:outputHandling:encodesOutput":"The entity transforms output to prevent injection.","security:outputHandling:enforcesContentPolicy":"The entity restricts content sources.","security:outputHandling:escapesOutput":"The entity encodes special characters in output.","security:outputHandling:filtersOutput":"The entity removes sensitive content from output.","security:outputHandling:masksOutput":"The entity obscures sensitive data in output.","security:outputHandling:setsSecurityHeader":"The entity adds security-related HTTP headers.","security:session":"Behaviours that manage authenticated user sessions.","security:session:createsSession":"The entity establishes an authenticated session.","security:session:detectsSessionHijacking":"The entity identifies unauthorised session use.","security:session:invalidatesSession":"The entity revokes session validity.","security:session:refreshesSession":"The entity extends session lifetime.","security:session:regeneratesSessionId":"The entity creates a new session identifier.","security:session:terminatesSession":"The entity ends an authenticated session.","security:session:validatesSession":"The entity verifies session validity.","security:threatResponse":"Behaviours that detect and respond to security threats and incidents.","security:threatResponse:blocksRequest":"The 
entity refuses a suspicious request.","security:threatResponse:blocksSource":"The entity prevents further requests from a source.","security:threatResponse:collectsForensicData":"The entity gathers evidence for investigation.","security:threatResponse:detectsAnomaly":"The entity recognises deviation from normal patterns.","security:threatResponse:detectsIntrusion":"The entity identifies a potential security breach.","security:threatResponse:initiatesIncidentResponse":"The entity triggers security response procedures.","security:threatResponse:quarantinesElement":"The entity isolates a suspicious item.","security:threatResponse:raisesAlert":"The entity notifies of a security event.","system":"Behaviours relating to operating system interactions and the management of computational resources.","system:configuration":"Behaviours that read and modify system configuration settings.","system:configuration:deletesRegistryKey":"The entity removes entries from the registry.","system:configuration:modifiesGroupPolicy":"The entity changes group policy settings.","system:configuration:readsConfigurationFile":"The entity loads settings from a configuration file.","system:configuration:readsEnvironmentVariable":"The entity retrieves an environment variable value.","system:configuration:readsGroupPolicy":"The entity retrieves group policy settings.","system:configuration:readsRegistry":"The entity retrieves values from the system registry.","system:configuration:setsEnvironmentVariable":"The entity modifies an environment variable.","system:configuration:writesConfigurationFile":"The entity saves settings to a configuration file.","system:configuration:writesRegistry":"The entity stores values in the system registry.","system:informationGathering":"Behaviours that collect information about the host system and its configuration.","system:informationGathering:detectsOsVersion":"The entity determines the operating system 
version.","system:informationGathering:gathersSystemInformation":"The entity collects system configuration details.","system:informationGathering:queriesHardwareInformation":"The entity retrieves hardware specifications.","system:informationGathering:retrievesHostname":"The entity obtains the system hostname.","system:kernelInteraction":"Behaviours that interact directly with the operating system kernel.","system:kernelInteraction:hooksKernelFunction":"The entity intercepts kernel-level calls.","system:kernelInteraction:installsDriver":"The entity loads a kernel-mode driver.","system:kernelInteraction:readsKernelMemory":"The entity accesses kernel memory space.","system:kernelInteraction:writesKernelMemory":"The entity modifies kernel memory space.","system:lifecycle":"Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.","system:lifecycle:appliesUpdate":"The entity installs software or firmware updates.","system:lifecycle:decommissions":"The entity securely retires from service.","system:lifecycle:initializes":"The entity performs start-up routines and loads configuration.","system:lifecycle:performsSelfTest":"The entity verifies its own operational readiness.","system:lifecycle:provisions":"The entity configures itself for deployment.","system:lifecycle:rollsBack":"The entity reverts to a previous known-good state.","system:lifecycle:shutsDown":"The entity executes orderly cessation of operations.","system:operationalState":"Behaviours that govern an entity's functional status and mode of operation.","system:operationalState:entersFailSafeState":"The entity transitions to a known safe state upon detecting a fault.","system:operationalState:entersFailSecureState":"The entity denies access or ceases sensitive operations upon detecting a security fault.","system:operationalState:operatesInDegradedMode":"The entity continues operation with reduced functionality.","system:operationalState:operatesNormally":"The entity performs 
its intended functions within designed parameters.","system:operationalState:performsEmergencyShutdown":"The entity immediately halts to prevent harm or damage.","system:persistence":"Behaviours that establish mechanisms for an entity to survive system restarts.","system:persistence:createsScheduledTask":"The entity schedules itself for recurring execution.","system:persistence:installsAsService":"The entity registers itself as a system service.","system:persistence:loadsAsKernelModule":"The entity loads itself into the kernel.","system:persistence:registersForStartup":"The entity configures itself to execute at system boot.","system:persistence:removesPersistence":"The entity removes its persistence mechanism.","system:processControl":"Behaviours that create and manipulate operating system processes.","system:processControl:createsProcess":"The entity starts a new process.","system:processControl:dumpsProcessMemory":"The entity extracts memory contents from a process.","system:processControl:enumeratesProcesses":"The entity lists running processes.","system:processControl:hooksFunction":"The entity intercepts and redirects function calls.","system:processControl:injectsCodeIntoProcess":"The entity inserts executable code into another process.","system:processControl:modifiesProcess":"The entity changes attributes of a running process.","system:processControl:resumesProcess":"The entity continues paused process execution.","system:processControl:suspendsProcess":"The entity pauses process execution.","system:processControl:terminatesProcess":"The entity ends a running process.","system:resilience":"Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.","system:resilience:activatesRedundancy":"The entity activates backup systems or alternative processing paths.","system:resilience:degradesGracefully":"The entity progressively reduces functionality rather than failing abruptly.","system:resilience:detectsFault":"The 
entity identifies an internal fault or anomalous condition.","system:resilience:recoversFromFailure":"The entity restores normal operation following a failure.","system:resilience:toleratesFault":"The entity continues operation despite the presence of a fault.","system:resourceManagement":"Behaviours that allocate and deallocate computational resources such as memory and threads.","system:resourceManagement:allocatesMemory":"The entity reserves memory for use.","system:resourceManagement:deallocatesMemory":"The entity releases previously allocated memory.","system:resourceManagement:handlesResourceExhaustion":"The entity responds to depleted resources.","system:resourceManagement:managesPowerState":"The entity transitions between power consumption states.","system:resourceManagement:readsFromStorage":"The entity retrieves data from persistent storage.","system:resourceManagement:resumesThread":"The entity continues paused thread execution.","system:resourceManagement:spawnsThread":"The entity creates a new execution thread.","system:resourceManagement:suspendsThread":"The entity pauses thread execution.","system:resourceManagement:terminatesThread":"The entity ends an execution thread.","system:resourceManagement:writesToStorage":"The entity saves data to persistent storage.","system:serviceControl":"Behaviours that manage system services and daemons.","system:serviceControl:createsService":"The entity installs a system service or daemon.","system:serviceControl:deletesService":"The entity removes a system service.","system:serviceControl:enumeratesServices":"The entity lists installed services.","system:serviceControl:modifiesService":"The entity changes service configuration.","system:serviceControl:startsService":"The entity initiates service execution.","system:serviceControl:stopsService":"The entity halts service execution.","system:synchronization":"Behaviours that coordinate access to shared resources across concurrent execution 
contexts.","system:synchronization:acquiresMutex":"The entity obtains exclusive access via mutex.","system:synchronization:releasesMutex":"The entity relinquishes mutex ownership.","system:synchronization:signalsEvent":"The entity triggers a synchronisation event.","system:synchronization:signalsSemaphore":"The entity releases a semaphore.","system:synchronization:waitsOnEvent":"The entity blocks until an event is signalled.","system:synchronization:waitsOnSemaphore":"The entity blocks until semaphore is available.","system:timing":"Behaviours that govern temporal aspects of execution including scheduling and synchronisation.","system:timing:delaysExecution":"The entity postpones an operation.","system:timing:enforcesDeadline":"The entity ensures completion within a timing constraint.","system:timing:executesScheduledTask":"The entity performs a task at a predetermined time.","system:timing:resetsWatchdog":"The entity signals continued operation to a watchdog monitor.","system:timing:synchronizesClock":"The entity aligns its internal clock with an external source.","system:timing:triggersTimeout":"The entity acts upon detecting an unresponsive condition.","system:timing:waits":"The entity pauses execution for a specified duration.","system:userManagement":"Behaviours that create and manipulate user accounts and privileges.","system:userManagement:createsUserAccount":"The entity adds a new user account.","system:userManagement:deletesUserAccount":"The entity removes a user account.","system:userManagement:elevatesPrivileges":"The entity gains higher access permissions.","system:userManagement:enumeratesUsers":"The entity lists user accounts.","system:userManagement:impersonatesUser":"The entity assumes another user's identity.","system:userManagement:modifiesUserAccount":"The entity changes user account properties."}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint 
Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis."},"blueprint":{"type":"object","title":"Blueprint","description":"A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","minItems":1,"uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and 
sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use 
case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not 
covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security 
Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"blueprintMetadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the 
blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for the review frequency (e.g., P3M for quarterly). The pattern accepts only the date designators Y, M, W and D, so a bare P and time-based durations such as PT12H are rejected."}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included 
Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model. An asset is declared in exactly one of three ways: by componentRef, by serviceRef, or inline with an explicit type and name. The variants are modelled as oneOf, so an asset that satisfies more than one variant (for example componentRef together with type and name) is invalid.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning 
model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its 
usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed 
ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored 
here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this 
location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, 
prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or 
separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the 
exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether the flow also occurs from destination back to source. Defaults to false, meaning the flow runs only from source to destination."},"synchronous":{"type":"boolean","title":"Synchronous","description":"True when the flow is synchronous (the source waits for the destination to respond); false when it is asynchronous. No default is defined, so omit the property when this is not known."},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this 
flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor 
holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related 
Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements 
depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content, either diagram source text or a base64 encoded image, in the format given by the format property. Consumers that render embedded content should treat it as untrusted input: formats such as SVG can carry scripts and external references."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram 
types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram (DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js 
visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the 
asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access 
Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was 
supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number assigned to the certificate by the issuing CA. It is unique only within that issuer, so it should be combined with the issuer name (or the fingerprint) to identify a certificate unambiguously."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding its signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been submitted to a public Certificate Transparency log. Logging does not prevent a CA from mis-issuing a certificate, but it makes mis-issued certificates publicly discoverable. The log ID, timestamp and log signature serve as proof of inclusion."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The value of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material. Confidential material (private keys, secret keys, shared secrets, passwords, credentials, tokens) should not be embedded here: a BOM is typically distributed widely and is not a secret store. Use `fingerprint` or an external reference instead, and reserve this field for non-confidential values such as public keys."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing an IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic asset related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The role the referenced cryptographic asset plays in relation to this one, for example the public key, private key, or algorithm it uses.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured, such as the hardware or software boundary that protects it.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes."},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted"],"description":"Data sensitivity classification","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined Classification","description":"A predefined data classification from the 
enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"Format of data"},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"Specific types of data"},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"Reference to schema contracts or documents describing the data structure."},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance 
levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that 
govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified 
risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based 
on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the 
scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation 
supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for 
this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. 
Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-90% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this plan addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this plan"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary 
information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this 
alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat 
source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}}
\ No newline at end of file
diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json
index 8c216fecb..2c8c06987 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json
@@ -76,6 +76,9 @@
 "definitions": {
 "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
 },
+ "blueprints": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"
+ },
 "citations": {
 "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
 },
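Review bot: The added `blueprints` entry points at `#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints`, a target the pre-change blueprint model did not provide: on the old side of the following hunk, `cyclonedx-blueprint-2.0` declares its properties directly on the model and its `$defs` start with `modelType`, not `blueprints`. The rest of that hunk lies outside this view, so I cannot confirm that the rebuilt `cyclonedx-blueprint-2.0` exposes a `$defs/blueprints` subschema; if it does not, validators fail on an unresolvable `$ref` rather than reporting a malformed document. The minified bundle earlier in this patch carries the same reference, which suggests the definition exists and only needs confirming.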
@@ -777,217 +780,1979 @@
 }
 }
 },
- "cyclonedx-blueprint-2.0": {
+ "cyclonedx-behavior-2.0": {
 "type": "null",
- "title": "CycloneDX Blueprint Model",
- "required": [
- "modelTypes",
- "methodologies"
- ],
- "additionalProperties": false,
+ "title": "CycloneDX Behavior Model",
 "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
- },
- "modelTypes": {
- "type": "array",
- "minItems": 1,
- "description": "The types of models being represented",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"
+ "behaviors": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"
+ }
+ },
+ "$defs": {
+ "trigger": {
+ "type": "string",
+ "title": "Trigger",
+ "description": "The condition or event that initiates a behavior.",
+ "enum": [
+ "startup",
+ "shutdown",
+ "scheduled",
+ "event-driven",
+ "user-initiated",
+ "api-call",
+ "signal",
+ "condition-based",
+ "continuous",
+ "on-demand",
+ "unknown"
+ ],
+ "meta:enum": {
+ "startup": "Triggered during system or component initialisation.",
+ "shutdown": "Triggered during system or component termination.",
+ "scheduled": "Triggered at predetermined times or intervals.",
+ "event-driven": "Triggered in response to a specific event.",
+ "user-initiated": "Triggered by explicit user action.",
+ "api-call": "Triggered by an API invocation.",
+ "signal": "Triggered by a system or inter-process signal.",
+ "condition-based": "Triggered when specific conditions are met.",
+ "continuous": "Runs continuously during normal operation.",
+ "on-demand": "Triggered on demand as needed.",
+ "unknown": "The trigger mechanism is not known."
+ }
+ },
+ "ordering": {
+ "type": "string",
+ "title": "Ordering",
+ "description": "Execution semantics for steps within a flow.",
+ "default": "sequential",
+ "enum": [
+ "sequential",
+ "unordered",
+ "parallel",
+ "conditional"
+ ],
+ "meta:enum": {
+ "sequential": "Steps execute in ordinal order. 
Each completes before the next begins.",
+ "unordered": "All steps execute, but order is not guaranteed.",
+ "parallel": "Steps may execute concurrently.",
+ "conditional": "Step execution is determined by runtime conditions."
 }
 },
- "methodologies": {
+ "acknowledgment": {
 "type": "array",
- "minItems": 1,
- "description": "The modeling methodologies used",
+ "title": "Acknowledgment",
+ "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+ "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"
+ "type": "string",
+ "enum": [
+ "declared",
+ "observed"
+ ],
+ "meta:enum": {
+ "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+ "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." 
+ }
 }
 },
- "perspectives": {
- "type": "array",
- "description": "Different viewpoints or perspectives used in the model analysis",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/perspective"
+ "behaviors": {
+ "type": "object",
+ "title": "Behaviors",
+ "description": "Behaviors performed by objects within the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "instances": {
+ "type": "array",
+ "title": "Instances",
+ "description": "Individual behavior instances.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"
+ }
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "description": "Behavior flows that organise behaviors into operational patterns.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"
+ }
+ }
 }
 },
- "metadata": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"
- },
- "scope": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope"
- },
- "assets": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset"
- },
- "description": "The assets (components, services, data, actors) included in the model"
- },
- "zones": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone"
- },
- "description": "Logical, physical, or trust zones that group assets with similar characteristics"
- },
- "boundaries": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"
- },
- "description": "Boundaries between zones"
- },
- "flows": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow"
- },
- "description": "Data, control, or process flows between assets"
- },
- "assumptions": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"
- },
- "description": "Assumptions made during the modeling process"
+ "behaviorInstance": {
+ "type": "object",
+ 
"title": "Behavior Instance",
+ "description": "A behavior performed by one or more objects within the BOM.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "behavior"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "behavior": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior from the taxonomy."
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"
+ },
+ "trigger": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger"
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
+ }
+ }
 },
- "visualizations": {
- "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"
+ "behaviorFlow": {
+ "type": "object",
+ "title": "Behavior Flow",
+ "description": "An organised collection of behaviors forming a coherent process.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "steps"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"
+ },
+ "ordering": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/ordering"
+ },
+ "trigger": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger"
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The steps that comprise this flow.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"
+ }
+ }
 },
- "description": "Visual representations of 
the model" - }, - "useCases": { - "type": "array", - "items": { - "type": "object", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-usecase-2.0" - }, - { - "properties": { - "assets": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to assets involved in this use case" - }, - "flows": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "allOf": [ + { + "if": { + "anyOf": [ + { + "properties": { + "ordering": { + "const": "sequential" + } }, - "description": "References to flows that are part of this use case" + "required": [ + "ordering" + ] }, - "requirements": { - "type": "array", + { + "not": { + "required": [ + "ordering" + ] + } + } + ] + }, + "then": { + "properties": { + "steps": { "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to requirements implemented by this use case" + "required": [ + "ordinal" + ] + } } } } - ] - }, - "description": "Use cases analyzed as part of the model" - }, - "requirements": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" - }, - "description": "Requirements derived from or related to the model" - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - }, - "description": "External references related to the blueprint" + } + ] }, - "properties": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - "description": "Additional properties and extensions" - } - }, - "$defs": { - "modelType": { + "flowStep": { "type": "object", - "oneOf": [ - { - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "architecture", - "dataFlow", - "process", - "deployment", - "network", - "threat", - "risk", - "privacy", - "operational", - "conceptual", - 
"logical", - "physical", - "behavioral", - "structural" - ], - "meta:enum": { - "architecture": "System or software architecture model", - "dataFlow": "Data flow model showing how data moves through the system", - "process": "Business or system process model", - "deployment": "Deployment or infrastructure model", - "network": "Network topology or connectivity model", - "threat": "Security threat model", - "risk": "Risk assessment model", - "privacy": "Privacy impact assessment model", - "operational": "Operational model", - "conceptual": "High-level conceptual model", - "logical": "Logical system model", - "physical": "Physical infrastructure model", - "behavioral": "System behavior model", - "structural": "System structure model" - } - } + "title": "Flow Step", + "description": "A single step within a behavior flow.", + "additionalProperties": false, + "properties": { + "ordinal": { + "type": "integer", + "title": "Ordinal", + "description": "Position within the flow. Required when ordering is 'sequential' or omitted.", + "minimum": 1 + }, + "behavior": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior", + "title": "Behavior", + "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'." + }, + "trigger": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Behavior Reference", + "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'." + }, + "flow": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Flow Reference", + "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'." 
+ }, + "actors": { + "type": "array", + "title": "Actors", + "description": "References to objects that perform this step.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" } }, - { - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Custom model type name" - }, - "description": { - "type": "string", - "description": "Description of the custom model type" - } + "targets": { + "type": "array", + "title": "Targets", + "description": "References to objects affected by this step.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" } } - ] - }, - "methodology": { - "type": "object", + }, "oneOf": [ { + "required": [ + "behavior" + ] + }, + { + "required": [ + "ref" + ] + }, + { + "required": [ + "flow" + ] + } + ] + }, + "behavior": { + "type": "string", + "title": "Behavior", + "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. 
Values may represent a domain, a category within a domain, or a specific behavior within a category.", + "enum": [ + "ai", + "ai:agent", + "ai:agent:actsOnBehalfOfUser", + "ai:agent:coordinatesAgents", + "ai:agent:delegatesTask", + "ai:agent:executesAction", + "ai:agent:invokesTool", + "ai:agent:observesResult", + "ai:agent:plansAction", + "ai:agent:receivesHumanDelegation", + "ai:agent:reflectsOnResult", + "ai:agent:reportsDelegatedAction", + "ai:agent:requestsUserApproval", + "ai:agent:returnsDelegation", + "ai:agent:revisesPlan", + "ai:explainability", + "ai:explainability:attributesFeatures", + "ai:explainability:documentsModel", + "ai:explainability:explainsDecision", + "ai:explainability:tracesPrediction", + "ai:explainability:visualizesModel", + "ai:fairness", + "ai:fairness:auditsModelFairness", + "ai:fairness:calculatesFairnessMetric", + "ai:fairness:detectsBias", + "ai:fairness:handlesProtectedAttribute", + "ai:fairness:mitigatesBias", + "ai:generative", + "ai:generative:citesSource", + "ai:generative:filtersOutput", + "ai:generative:generatesAudio", + "ai:generative:generatesCode", + "ai:generative:generatesEmbedding", + "ai:generative:generatesImage", + "ai:generative:generatesText", + "ai:generative:mitigatesHallucination", + "ai:generative:processesPrompt", + "ai:generative:streamsResponse", + "ai:inference", + "ai:inference:appliesThreshold", + "ai:inference:batchesInference", + "ai:inference:cachesPrediction", + "ai:inference:ensemblesModels", + "ai:inference:generatesPrediction", + "ai:inference:infersInRealTime", + "ai:inference:ranksResults", + "ai:inference:scoresConfidence", + "ai:management", + "ai:management:comparesModels", + "ai:management:deploysModel", + "ai:management:loadsModel", + "ai:management:monitorsModel", + "ai:management:retiresModel", + "ai:management:rollsBackModel", + "ai:management:unloadsModel", + "ai:management:versionsModel", + "ai:quality", + "ai:quality:detectsConceptDrift", + "ai:quality:detectsDataDrift", + 
"ai:quality:detectsOutlier", + "ai:quality:engineersFeatures", + "ai:quality:selectsFeatures", + "ai:quality:validatesInputData", + "ai:robustness", + "ai:robustness:defendsAgainstAdversarial", + "ai:robustness:detectsAdversarialInput", + "ai:robustness:detectsOutOfDistribution", + "ai:robustness:estimatesUncertainty", + "ai:robustness:validatesRobustness", + "ai:training", + "ai:training:appliesTransferLearning", + "ai:training:checkpointsModel", + "ai:training:fineTunesModel", + "ai:training:ingestsTrainingData", + "ai:training:preprocessesTrainingData", + "ai:training:trainsFederatedly", + "ai:training:trainsModel", + "ai:training:tunesHyperparameters", + "ai:training:validatesModel", + "ai:training:validatesTrainingData", + "application", + "application:codeExecution", + "application:codeExecution:compilesCode", + "application:codeExecution:evaluatesExpression", + "application:codeExecution:executesNativeCommand", + "application:codeExecution:executesScript", + "application:codeExecution:interpretsCode", + "application:codeExecution:invokesViaReflection", + "application:codeExecution:loadsCodeDynamically", + "application:configuration", + "application:configuration:detectsEnvironment", + "application:configuration:evaluatesFeatureFlag", + "application:configuration:loadsConfiguration", + "application:configuration:reloadsConfiguration", + "application:controlFlow", + "application:controlFlow:awaitsAsyncResult", + "application:controlFlow:catchesException", + "application:controlFlow:emitsEvent", + "application:controlFlow:handlesEvent", + "application:controlFlow:invokesCallback", + "application:controlFlow:invokesHandler", + "application:controlFlow:invokesMiddleware", + "application:controlFlow:schedulesAsyncOperation", + "application:controlFlow:throwsException", + "application:dependencyManagement", + "application:dependencyManagement:closesCircuitBreaker", + "application:dependencyManagement:fallsBack", + 
"application:dependencyManagement:injectsDependency", + "application:dependencyManagement:opensCircuitBreaker", + "application:dependencyManagement:resolvesDependency", + "application:externalIntegration", + "application:externalIntegration:callsExternalService", + "application:externalIntegration:consumesEvent", + "application:externalIntegration:publishesEvent", + "application:externalIntegration:receivesWebhook", + "application:observability", + "application:observability:emitsTelemetry", + "application:observability:logsOperation", + "application:observability:recordsMetric", + "application:observability:reportsHealth", + "application:observability:tracesRequest", + "application:requestHandling", + "application:requestHandling:authenticatesRequest", + "application:requestHandling:authorizesRequest", + "application:requestHandling:bindsParameters", + "application:requestHandling:parsesRequest", + "application:requestHandling:receivesHttpRequest", + "application:requestHandling:rejectsRequest", + "application:requestHandling:routesRequest", + "application:requestHandling:validatesRequest", + "application:responseGeneration", + "application:responseGeneration:generatesResponse", + "application:responseGeneration:readsCookie", + "application:responseGeneration:redirectsRequest", + "application:responseGeneration:returnsError", + "application:responseGeneration:returnsSuccess", + "application:responseGeneration:sendsHttpResponse", + "application:responseGeneration:setsCookie", + "application:responseGeneration:setsHeader", + "application:stateManagement", + "application:stateManagement:acquiresLock", + "application:stateManagement:beginsTransaction", + "application:stateManagement:commitsTransaction", + "application:stateManagement:createsSessionState", + "application:stateManagement:destroysSessionState", + "application:stateManagement:readsSessionState", + "application:stateManagement:releasesLock", + "application:stateManagement:rollsBackTransaction", + 
"application:stateManagement:synchronizesState", + "application:stateManagement:updatesSessionState", + "data", + "data:encoding", + "data:encoding:appliesXor", + "data:encoding:decodesBaseSixtyFour", + "data:encoding:decodesUrl", + "data:encoding:encodesBaseSixtyFour", + "data:encoding:encodesUrl", + "data:ingestion", + "data:ingestion:pollsSource", + "data:ingestion:readsFile", + "data:ingestion:readsStream", + "data:ingestion:receivesInput", + "data:ingestion:receivesMessage", + "data:ingestion:receivesRequest", + "data:ingestion:subscribesToFeed", + "data:output", + "data:output:formatsResponse", + "data:output:producesOutput", + "data:output:publishesMessage", + "data:output:rendersTemplate", + "data:output:sendsResponse", + "data:output:serializesObject", + "data:output:streamsOutput", + "data:output:writesFile", + "data:parsing", + "data:parsing:decodesData", + "data:parsing:deserializesObject", + "data:parsing:extractsFields", + "data:parsing:parsesData", + "data:parsing:parsesHtml", + "data:parsing:parsesJson", + "data:parsing:parsesXml", + "data:query", + "data:query:executesLdapQuery", + "data:query:executesNoSqlQuery", + "data:query:executesSearch", + "data:query:executesSql", + "data:query:executesXPath", + "data:query:queriesData", + "data:storage", + "data:storage:cachesData", + "data:storage:deletesData", + "data:storage:flushesCache", + "data:storage:invalidatesCache", + "data:storage:retrievesData", + "data:storage:storesData", + "data:storage:updatesData", + "data:transformation", + "data:transformation:aggregatesData", + "data:transformation:compressesData", + "data:transformation:decompressesData", + "data:transformation:encodesData", + "data:transformation:enrichesData", + "data:transformation:filtersData", + "data:transformation:joinsData", + "data:transformation:mapsData", + "data:transformation:normalizesData", + "data:transformation:sortsData", + "data:transformation:transformsData", + "evasion", + "evasion:analysisResistance", + 
"evasion:analysisResistance:detectsAnalysisTool", + "evasion:analysisResistance:detectsDebugger", + "evasion:analysisResistance:detectsEmulator", + "evasion:analysisResistance:detectsSandbox", + "evasion:analysisResistance:detectsVirtualMachine", + "evasion:analysisResistance:evadesDebugger", + "evasion:analysisResistance:evadesEmulator", + "evasion:analysisResistance:evadesSandbox", + "evasion:analysisResistance:evadesVirtualMachine", + "evasion:analysisResistance:usesTimingEvasion", + "evasion:antiSecurity", + "evasion:antiSecurity:detectsAntivirus", + "evasion:antiSecurity:disablesSecuritySoftware", + "evasion:antiSecurity:evadesAntivirus", + "evasion:antiSecurity:terminatesSecurityProcess", + "evasion:indirection", + "evasion:indirection:resolvesApiDynamically", + "evasion:indirection:usesIndirectCalls", + "evasion:indirection:usesProxyExecution", + "evasion:obfuscation", + "evasion:obfuscation:obfuscatesCode", + "evasion:obfuscation:obfuscatesControlFlow", + "evasion:obfuscation:obfuscatesData", + "evasion:obfuscation:obfuscatesStrings", + "evasion:obfuscation:packsCode", + "evasion:obfuscation:unpacksAtRuntime", + "file", + "file:directory", + "file:directory:changesDirectory", + "file:directory:createsDirectory", + "file:directory:deletesDirectory", + "file:directory:listsDirectory", + "file:directory:traversesDirectory", + "file:disk", + "file:disk:decryptsVolume", + "file:disk:encryptsVolume", + "file:disk:formatsVolume", + "file:disk:mountsVolume", + "file:disk:unmountsVolume", + "file:disk:wipesDisk", + "file:operations", + "file:operations:appendsToFile", + "file:operations:checksFileExistence", + "file:operations:closesFile", + "file:operations:copiesFile", + "file:operations:createsFile", + "file:operations:deletesFile", + "file:operations:getsFileAttributes", + "file:operations:movesFile", + "file:operations:opensFile", + "file:operations:readsFile", + "file:operations:renamesFile", + "file:operations:setsFileAttributes", + 
"file:operations:setsFilePermissions", + "file:operations:writesFile", + "gui", + "gui:display", + "gui:display:displaysData", + "gui:display:monitorsDisplay", + "gui:display:updatesDisplay", + "gui:session", + "gui:session:displaysLogin", + "gui:session:interactsWithSession", + "gui:session:switchesSession", + "gui:window", + "gui:window:capturesWindow", + "gui:window:createsWindow", + "gui:window:destroysWindow", + "gui:window:enumeratesWindows", + "gui:window:interactsWithTaskbar", + "gui:window:modifiesWindow", + "hardware", + "hardware:actuator", + "hardware:actuator:calibratesActuator", + "hardware:actuator:controlsBattery", + "hardware:actuator:controlsHeating", + "hardware:actuator:controlsLed", + "hardware:actuator:controlsMotor", + "hardware:actuator:controlsPower", + "hardware:actuator:controlsPump", + "hardware:actuator:controlsTemperature", + "hardware:boot", + "hardware:boot:entersRecoveryMode", + "hardware:boot:executesSecureBoot", + "hardware:boot:locksBootConfiguration", + "hardware:boot:modifiesBootConfiguration", + "hardware:boot:readsBootConfiguration", + "hardware:boot:recordsBootMeasurement", + "hardware:boot:verifiesBootLoader", + "hardware:firmware", + "hardware:firmware:monitorsFirmwareIntegrity", + "hardware:firmware:preventsFirmwareRollback", + "hardware:firmware:readsFirmwareVersion", + "hardware:firmware:updatesFirmware", + "hardware:firmware:verifiesFirmwareSignature", + "hardware:memory", + "hardware:memory:encryptsMemory", + "hardware:memory:isolatesMemory", + "hardware:memory:protectsStack", + "hardware:memory:randomizesAddressSpace", + "hardware:memory:readsProtectedMemory", + "hardware:memory:writesProtectedMemory", + "hardware:peripheral", + "hardware:peripheral:accessesCamera", + "hardware:peripheral:accessesDisplay", + "hardware:peripheral:accessesGpio", + "hardware:peripheral:accessesJtag", + "hardware:peripheral:accessesKeyboard", + "hardware:peripheral:accessesStorageDevice", + "hardware:peripheral:accessesUsbDevice", + 
"hardware:peripheral:configuresDma", + "hardware:peripheral:protectsDma", + "hardware:physicalSecurity", + "hardware:physicalSecurity:detectsPhysicalTamper", + "hardware:physicalSecurity:disablesDebugInterface", + "hardware:physicalSecurity:enablesDebugInterface", + "hardware:physicalSecurity:monitorsEnclosure", + "hardware:physicalSecurity:respondsToTamper", + "hardware:physicalSecurity:zeroizesKeys", + "hardware:security", + "hardware:security:anchorsInHardwareRoot", + "hardware:security:executesInTee", + "hardware:security:generatesPufResponse", + "hardware:security:usesHsm", + "hardware:security:usesSecureElement", + "hardware:sensor", + "hardware:sensor:calibratesSensor", + "hardware:sensor:readsBatteryStatus", + "hardware:sensor:readsBloodOxygen", + "hardware:sensor:readsBloodPressure", + "hardware:sensor:readsCoTwoLevel", + "hardware:sensor:readsEcg", + "hardware:sensor:readsPowerStatus", + "hardware:sensor:readsTemperature", + "hardware:sideChannelDefense", + "hardware:sideChannelDefense:controlsEmEmissions", + "hardware:sideChannelDefense:resistsFaultInjection", + "hardware:sideChannelDefense:resistsPowerAnalysis", + "hardware:sideChannelDefense:resistsTimingAnalysis", + "network", + "network:connection", + "network:connection:acceptsConnection", + "network:connection:detectsConnectionLoss", + "network:connection:establishesConnection", + "network:connection:reconnects", + "network:connection:reusesConnection", + "network:connection:sendsHeartbeat", + "network:connection:terminatesConnection", + "network:discovery", + "network:discovery:advertisesService", + "network:discovery:discoversService", + "network:discovery:enumeratesInterfaces", + "network:discovery:probesPort", + "network:discovery:queriesDns", + "network:discovery:resolvesName", + "network:discovery:scansNetwork", + "network:protocol", + "network:protocol:downgradesProtocol", + "network:protocol:framesMessage", + "network:protocol:negotiatesProtocol", + "network:protocol:parsesMessage", + 
"network:protocol:retransmitsMessage", + "network:protocol:upgradesProtocol", + "network:protocol:validatesMessage", + "network:remoteInteraction", + "network:remoteInteraction:accessesRemoteDesktop", + "network:remoteInteraction:accessesRemoteShell", + "network:remoteInteraction:executesRemoteCommand", + "network:remoteInteraction:invokesRemoteProcedure", + "network:remoteInteraction:sendsEmail", + "network:remoteInteraction:sendsSms", + "network:remoteInteraction:transfersFile", + "network:routing", + "network:routing:configuresProxy", + "network:routing:forwardsPacket", + "network:routing:redirectsTraffic", + "network:routing:routesTraffic", + "network:routing:tunnelsTraffic", + "network:trafficControl", + "network:trafficControl:balancesLoad", + "network:trafficControl:filtersTraffic", + "network:trafficControl:inspectsTraffic", + "network:trafficControl:interceptsTraffic", + "network:trafficControl:limitsRate", + "network:trafficControl:modifiesTraffic", + "network:trafficControl:shapesTraffic", + "network:transmission", + "network:transmission:broadcastsData", + "network:transmission:multicastsData", + "network:transmission:receivesData", + "network:transmission:sendsData", + "network:transmission:streamsData", + "privacy", + "privacy:collection", + "privacy:collection:capturesAudio", + "privacy:collection:capturesKeystrokes", + "privacy:collection:capturesScreen", + "privacy:collection:capturesVideo", + "privacy:collection:collectsBehavioralData", + "privacy:collection:collectsBiometricData", + "privacy:collection:collectsCommunicationContent", + "privacy:collection:collectsDeviceInformation", + "privacy:collection:collectsFinancialData", + "privacy:collection:collectsHealthData", + "privacy:collection:collectsInBackground", + "privacy:collection:collectsLocationData", + "privacy:collection:collectsPersonalData", + "privacy:collection:collectsSilently", + "privacy:collection:readsBrowserHistory", + "privacy:collection:readsClipboard", + "privacy:deletion", + 
"privacy:deletion:clearsCache", + "privacy:deletion:deletesPersonalData", + "privacy:deletion:erasesSecurely", + "privacy:deletion:purgesFromBackup", + "privacy:deletion:redactsData", + "privacy:inference", + "privacy:inference:correlatesData", + "privacy:inference:createsProfile", + "privacy:inference:fingerprintsDevice", + "privacy:inference:infersPersonalInformation", + "privacy:inference:linksIdentities", + "privacy:inference:tracksUser", + "privacy:minimization", + "privacy:minimization:aggregatesData", + "privacy:minimization:anonymizesData", + "privacy:minimization:filtersData", + "privacy:minimization:generalizesData", + "privacy:minimization:limitsCollection", + "privacy:minimization:limitsProcessing", + "privacy:minimization:pseudonymizesData", + "privacy:privacyEnhancement", + "privacy:privacyEnhancement:addsDifferentialPrivacy", + "privacy:privacyEnhancement:computesMultiparty", + "privacy:privacyEnhancement:processesHomomorphically", + "privacy:privacyEnhancement:processesLocally", + "privacy:retention", + "privacy:retention:archivesData", + "privacy:retention:backsUpData", + "privacy:retention:enforcesRetentionPeriod", + "privacy:retention:retainsBeyondPurpose", + "privacy:retention:retainsInCache", + "privacy:retention:retainsInLog", + "privacy:retention:storesPersonalData", + "privacy:sharing", + "privacy:sharing:disclosesToThirdParty", + "privacy:sharing:exportsData", + "privacy:sharing:publishesData", + "privacy:sharing:sellsData", + "privacy:sharing:sharesWithAffiliate", + "privacy:sharing:transfersCrossBorder", + "privacy:subjectRights", + "privacy:subjectRights:correctsData", + "privacy:subjectRights:exportsDataPortably", + "privacy:subjectRights:honorsErasureRequest", + "privacy:subjectRights:honorsObjection", + "privacy:subjectRights:providesDataAccess", + "privacy:subjectRights:restrictsProcessing", + "privacy:transparency", + "privacy:transparency:disclosesProcessing", + "privacy:transparency:displaysPrivacyNotice", + 
"privacy:transparency:explainsAutomatedDecision", + "privacy:transparency:recordsConsent", + "privacy:transparency:requestsConsent", + "privacy:transparency:withdrawsConsent", + "safety", + "safety:autonomousBehavior", + "safety:autonomousBehavior:acceptsOverride", + "safety:autonomousBehavior:enforcesHumanInLoop", + "safety:autonomousBehavior:explainsDecision", + "safety:autonomousBehavior:requestsGuidance", + "safety:autonomousBehavior:respectsDecisionBoundary", + "safety:contentSafety", + "safety:contentSafety:detectsHarmfulContent", + "safety:contentSafety:detectsMisinformation", + "safety:contentSafety:enforcesAgeRestriction", + "safety:contentSafety:filtersContent", + "safety:contentSafety:labelsContent", + "safety:harmPrevention", + "safety:harmPrevention:preventsEnvironmentalHarm", + "safety:harmPrevention:preventsPropertyDamage", + "safety:harmPrevention:preventsUserHarm", + "safety:harmPrevention:protectsBystanders", + "safety:hazardManagement", + "safety:hazardManagement:assessesRisk", + "safety:hazardManagement:identifiesHazard", + "safety:hazardManagement:mitigatesHazard", + "safety:hazardManagement:reportsHazard", + "safety:humanInteraction", + "safety:humanInteraction:adaptsForAccessibility", + "safety:humanInteraction:managesCognitiveLoad", + "safety:humanInteraction:requestsConfirmation", + "safety:humanInteraction:warnsOperator", + "safety:operationalSafety", + "safety:operationalSafety:acceptsManualOverride", + "safety:operationalSafety:enforcesInterlock", + "safety:operationalSafety:enforcesOperatingLimits", + "safety:operationalSafety:executesEmergencyStop", + "safety:operationalSafety:monitorsWatchdog", + "safety:operationalSafety:validatesSafetyCondition", + "security", + "security:auditing", + "security:auditing:logsEvent", + "security:auditing:logsSecurityEvent", + "security:auditing:protectsAuditLog", + "security:auditing:purgesLog", + "security:auditing:rotatesLog", + "security:auditing:signsLogEntry", + 
"security:auditing:timestampsEvent", + "security:auditing:transmitsLog", + "security:authentication", + "security:authentication:authenticatesDevice", + "security:authentication:authenticatesService", + "security:authentication:authenticatesUser", + "security:authentication:bypassesAuthentication", + "security:authentication:capturesBiometric", + "security:authentication:delegatesAuthentication", + "security:authentication:failsAuthentication", + "security:authentication:locksAccount", + "security:authentication:performsMultiFactorAuthentication", + "security:authentication:promptsForCredentials", + "security:authentication:unlocksAccount", + "security:authentication:validatesBiometric", + "security:authentication:validatesCredentials", + "security:authorization", + "security:authorization:checksPermission", + "security:authorization:delegatesAuthority", + "security:authorization:deniesAccess", + "security:authorization:enforcesRole", + "security:authorization:escalatesPrivilege", + "security:authorization:evaluatesAttributes", + "security:authorization:evaluatesPolicy", + "security:authorization:grantsAccess", + "security:authorization:grantsImpersonation", + "security:authorization:impersonatesUser", + "security:authorization:requestsImpersonation", + "security:authorization:revokesAccess", + "security:authorization:revokesImpersonation", + "security:cryptography", + "security:cryptography:authenticates", + "security:cryptography:checksRevocation", + "security:cryptography:decryptsData", + "security:cryptography:decryptsDataAtRest", + "security:cryptography:decryptsDataInTransit", + "security:cryptography:decryptsDisk", + "security:cryptography:decryptsSecret", + "security:cryptography:destroysKey", + "security:cryptography:encryptsData", + "security:cryptography:encryptsDataAtRest", + "security:cryptography:encryptsDataInTransit", + "security:cryptography:encryptsDisk", + "security:cryptography:encryptsSecret", + "security:cryptography:ensuresAccountability", + 
"security:cryptography:ensuresConfidentiality", + "security:cryptography:ensuresIntegrity", + "security:cryptography:ensuresNonRepudiation", + "security:cryptography:exchangesKey", + "security:cryptography:generatesKey", + "security:cryptography:generatesRandomValue", + "security:cryptography:hashesData", + "security:cryptography:hashesPassword", + "security:cryptography:identifies", + "security:cryptography:issuesCertificate", + "security:cryptography:preservesPrivacy", + "security:cryptography:presentsClientCertificate", + "security:cryptography:presentsServerCertificate", + "security:cryptography:retrievesKey", + "security:cryptography:revokesCertificate", + "security:cryptography:rotatesKey", + "security:cryptography:signsCode", + "security:cryptography:signsData", + "security:cryptography:signsDocument", + "security:cryptography:storesKey", + "security:cryptography:usesIdentity", + "security:cryptography:validatesCertificate", + "security:cryptography:validatesToken", + "security:cryptography:verifiesCodeSignature", + "security:cryptography:verifiesDataSignature", + "security:cryptography:verifiesDocumentSignature", + "security:cryptography:verifiesHash", + "security:cryptography:verifiesSignature", + "security:cryptography:wrapsKey", + "security:errorHandling", + "security:errorHandling:catchesException", + "security:errorHandling:disclosesErrorDetails", + "security:errorHandling:failsClosed", + "security:errorHandling:failsOpen", + "security:errorHandling:generatesError", + "security:errorHandling:logsError", + "security:errorHandling:propagatesError", + "security:errorHandling:returnsGenericError", + "security:errorHandling:suppressesError", + "security:inputHandling", + "security:inputHandling:escapesInput", + "security:inputHandling:normalizesInput", + "security:inputHandling:rejectsInvalidInput", + "security:inputHandling:sanitizesInput", + "security:inputHandling:truncatesInput", + "security:inputHandling:validatesFormat", + 
"security:inputHandling:validatesRange", + "security:inputHandling:validatesSchema", + "security:integrity", + "security:integrity:attestsIntegrity", + "security:integrity:detectsTampering", + "security:integrity:respondsToTampering", + "security:integrity:validatesComponent", + "security:integrity:verifiesIntegrity", + "security:integrity:verifiesProvenance", + "security:outputHandling", + "security:outputHandling:encodesOutput", + "security:outputHandling:enforcesContentPolicy", + "security:outputHandling:escapesOutput", + "security:outputHandling:filtersOutput", + "security:outputHandling:masksOutput", + "security:outputHandling:setsSecurityHeader", + "security:session", + "security:session:createsSession", + "security:session:detectsSessionHijacking", + "security:session:invalidatesSession", + "security:session:refreshesSession", + "security:session:regeneratesSessionId", + "security:session:terminatesSession", + "security:session:validatesSession", + "security:threatResponse", + "security:threatResponse:blocksRequest", + "security:threatResponse:blocksSource", + "security:threatResponse:collectsForensicData", + "security:threatResponse:detectsAnomaly", + "security:threatResponse:detectsIntrusion", + "security:threatResponse:initiatesIncidentResponse", + "security:threatResponse:quarantinesElement", + "security:threatResponse:raisesAlert", + "system", + "system:configuration", + "system:configuration:deletesRegistryKey", + "system:configuration:modifiesGroupPolicy", + "system:configuration:readsConfigurationFile", + "system:configuration:readsEnvironmentVariable", + "system:configuration:readsGroupPolicy", + "system:configuration:readsRegistry", + "system:configuration:setsEnvironmentVariable", + "system:configuration:writesConfigurationFile", + "system:configuration:writesRegistry", + "system:informationGathering", + "system:informationGathering:detectsOsVersion", + "system:informationGathering:gathersSystemInformation", + 
"system:informationGathering:queriesHardwareInformation", + "system:informationGathering:retrievesHostname", + "system:kernelInteraction", + "system:kernelInteraction:hooksKernelFunction", + "system:kernelInteraction:installsDriver", + "system:kernelInteraction:readsKernelMemory", + "system:kernelInteraction:writesKernelMemory", + "system:lifecycle", + "system:lifecycle:appliesUpdate", + "system:lifecycle:decommissions", + "system:lifecycle:initializes", + "system:lifecycle:performsSelfTest", + "system:lifecycle:provisions", + "system:lifecycle:rollsBack", + "system:lifecycle:shutsDown", + "system:operationalState", + "system:operationalState:entersFailSafeState", + "system:operationalState:entersFailSecureState", + "system:operationalState:operatesInDegradedMode", + "system:operationalState:operatesNormally", + "system:operationalState:performsEmergencyShutdown", + "system:persistence", + "system:persistence:createsScheduledTask", + "system:persistence:installsAsService", + "system:persistence:loadsAsKernelModule", + "system:persistence:registersForStartup", + "system:persistence:removesPersistence", + "system:processControl", + "system:processControl:createsProcess", + "system:processControl:dumpsProcessMemory", + "system:processControl:enumeratesProcesses", + "system:processControl:hooksFunction", + "system:processControl:injectsCodeIntoProcess", + "system:processControl:modifiesProcess", + "system:processControl:resumesProcess", + "system:processControl:suspendsProcess", + "system:processControl:terminatesProcess", + "system:resilience", + "system:resilience:activatesRedundancy", + "system:resilience:degradesGracefully", + "system:resilience:detectsFault", + "system:resilience:recoversFromFailure", + "system:resilience:toleratesFault", + "system:resourceManagement", + "system:resourceManagement:allocatesMemory", + "system:resourceManagement:deallocatesMemory", + "system:resourceManagement:handlesResourceExhaustion", + 
"system:resourceManagement:managesPowerState", + "system:resourceManagement:readsFromStorage", + "system:resourceManagement:resumesThread", + "system:resourceManagement:spawnsThread", + "system:resourceManagement:suspendsThread", + "system:resourceManagement:terminatesThread", + "system:resourceManagement:writesToStorage", + "system:serviceControl", + "system:serviceControl:createsService", + "system:serviceControl:deletesService", + "system:serviceControl:enumeratesServices", + "system:serviceControl:modifiesService", + "system:serviceControl:startsService", + "system:serviceControl:stopsService", + "system:synchronization", + "system:synchronization:acquiresMutex", + "system:synchronization:releasesMutex", + "system:synchronization:signalsEvent", + "system:synchronization:signalsSemaphore", + "system:synchronization:waitsOnEvent", + "system:synchronization:waitsOnSemaphore", + "system:timing", + "system:timing:delaysExecution", + "system:timing:enforcesDeadline", + "system:timing:executesScheduledTask", + "system:timing:resetsWatchdog", + "system:timing:synchronizesClock", + "system:timing:triggersTimeout", + "system:timing:waits", + "system:userManagement", + "system:userManagement:createsUserAccount", + "system:userManagement:deletesUserAccount", + "system:userManagement:elevatesPrivileges", + "system:userManagement:enumeratesUsers", + "system:userManagement:impersonatesUser", + "system:userManagement:modifiesUserAccount" + ], + "meta:enum": { + "ai": "Behaviours relating to artificial intelligence and machine learning operations.", + "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", + "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", + "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.", + "ai:agent:delegatesTask": "The entity assigns work to another agent.", + "ai:agent:executesAction": "The entity performs planned step.", + "ai:agent:invokesTool": "The entity 
calls external capability.", + "ai:agent:observesResult": "The entity captures action outcome.", + "ai:agent:plansAction": "The entity determines steps to achieve goal.", + "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", + "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", + "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", + "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", + "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", + "ai:agent:revisesPlan": "The entity modifies approach based on results.", + "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", + "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", + "ai:explainability:documentsModel": "The entity records model design and behaviour.", + "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", + "ai:explainability:tracesPrediction": "The entity records basis for output.", + "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.", + "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", + "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", + "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", + "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", + "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", + "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", + "ai:generative": "Behaviours that produce content using generative models.", + "ai:generative:citesSource": "The entity attributes generated content.", + "ai:generative:filtersOutput": "The entity screens generated content.", + "ai:generative:generatesAudio": "The entity produces 
sound content.", + "ai:generative:generatesCode": "The entity produces executable code.", + "ai:generative:generatesEmbedding": "The entity produces vector representation.", + "ai:generative:generatesImage": "The entity produces visual content.", + "ai:generative:generatesText": "The entity produces natural language.", + "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", + "ai:generative:processesPrompt": "The entity interprets user instruction.", + "ai:generative:streamsResponse": "The entity delivers output incrementally.", + "ai:inference": "Behaviours that generate predictions using trained models.", + "ai:inference:appliesThreshold": "The entity uses decision boundary.", + "ai:inference:batchesInference": "The entity processes multiple inputs together.", + "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", + "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", + "ai:inference:generatesPrediction": "The entity produces model output.", + "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", + "ai:inference:ranksResults": "The entity orders predictions by relevance.", + "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", + "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", + "ai:management:comparesModels": "The entity evaluates relative model performance.", + "ai:management:deploysModel": "The entity places model into service.", + "ai:management:loadsModel": "The entity retrieves model for use.", + "ai:management:monitorsModel": "The entity observes model performance.", + "ai:management:retiresModel": "The entity removes model from service.", + "ai:management:rollsBackModel": "The entity reverts to previous version.", + "ai:management:unloadsModel": "The entity removes model from memory.", + "ai:management:versionsModel": "The entity tracks model versions.", + 
"ai:quality": "Behaviours that monitor and maintain model and data quality.", + "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", + "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", + "ai:quality:detectsOutlier": "The entity identifies anomalous input.", + "ai:quality:engineersFeatures": "The entity transforms raw data for model.", + "ai:quality:selectsFeatures": "The entity chooses relevant input features.", + "ai:quality:validatesInputData": "The entity checks inference input quality.", + "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", + "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", + "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", + "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", + "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", + "ai:robustness:validatesRobustness": "The entity tests model resilience.", + "ai:training": "Behaviours that prepare data and train machine learning models.", + "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", + "ai:training:checkpointsModel": "The entity saves model state during training.", + "ai:training:fineTunesModel": "The entity refines model for specific task.", + "ai:training:ingestsTrainingData": "The entity acquires data for training.", + "ai:training:preprocessesTrainingData": "The entity prepares data for training.", + "ai:training:trainsFederatedly": "The entity trains on distributed data.", + "ai:training:trainsModel": "The entity adjusts model parameters.", + "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", + "ai:training:validatesModel": "The entity evaluates model during training.", + "ai:training:validatesTrainingData": "The entity checks training data quality.", + 
"application": "Behaviours relating to application-level request processing and business logic.", + "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", + "application:codeExecution:compilesCode": "The entity transforms source to executable form.", + "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", + "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", + "application:codeExecution:executesScript": "The entity runs script code.", + "application:codeExecution:interpretsCode": "The entity executes code without compilation.", + "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", + "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", + "application:configuration": "Behaviours that load and manage application configuration settings.", + "application:configuration:detectsEnvironment": "The entity determines deployment context.", + "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.", + "application:configuration:loadsConfiguration": "The entity reads configuration settings.", + "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", + "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", + "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", + "application:controlFlow:catchesException": "The entity handles an error condition.", + "application:controlFlow:emitsEvent": "The entity triggers an event.", + "application:controlFlow:handlesEvent": "The entity responds to an event.", + "application:controlFlow:invokesCallback": "The entity executes a callback function.", + "application:controlFlow:invokesHandler": "The entity calls a request handler.", + 
"application:controlFlow:invokesMiddleware": "The entity executes middleware component.", + "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", + "application:controlFlow:throwsException": "The entity raises an error condition.", + "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", + "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", + "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", + "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", + "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", + "application:dependencyManagement:resolvesDependency": "The entity locates required component.", + "application:externalIntegration": "Behaviours that communicate with external services and systems.", + "application:externalIntegration:callsExternalService": "The entity invokes an external API.", + "application:externalIntegration:consumesEvent": "The entity receives event from external system.", + "application:externalIntegration:publishesEvent": "The entity sends event to external system.", + "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", + "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", + "application:observability:emitsTelemetry": "The entity transmits operational data.", + "application:observability:logsOperation": "The entity records an operational event.", + "application:observability:recordsMetric": "The entity captures a quantitative measurement.", + "application:observability:reportsHealth": "The entity communicates operational status.", + "application:observability:tracesRequest": "The entity tracks request across services.", + 
"application:requestHandling": "Behaviours that receive and process incoming requests.", + "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", + "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", + "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", + "application:requestHandling:parsesRequest": "The entity interprets incoming request.", + "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", + "application:requestHandling:rejectsRequest": "The entity refuses to process request.", + "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", + "application:requestHandling:validatesRequest": "The entity verifies request validity.", + "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", + "application:responseGeneration:generatesResponse": "The entity creates a response.", + "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", + "application:responseGeneration:redirectsRequest": "The entity sends client to different location.", + "application:responseGeneration:returnsError": "The entity indicates failure.", + "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", + "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", + "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", + "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", + "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.", + "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", + "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", + 
"application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", + "application:stateManagement:createsSessionState": "The entity initialises session data.", + "application:stateManagement:destroysSessionState": "The entity removes session data.", + "application:stateManagement:readsSessionState": "The entity retrieves session data.", + "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", + "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", + "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", + "application:stateManagement:updatesSessionState": "The entity modifies session data.", + "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", + "data:encoding": "Behaviours that apply specific encoding schemes to data.", + "data:encoding:appliesXor": "The entity transforms data using XOR operation.", + "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", + "data:encoding:decodesUrl": "The entity converts URL-encoded data.", + "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", + "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", + "data:ingestion": "Behaviours that acquire data from external sources.", + "data:ingestion:pollsSource": "The entity periodically checks for new data.", + "data:ingestion:readsFile": "The entity retrieves data from a file.", + "data:ingestion:readsStream": "The entity consumes data from a continuous source.", + "data:ingestion:receivesInput": "The entity accepts data from an external source.", + "data:ingestion:receivesMessage": "The entity accepts a message from a queue.", + "data:ingestion:receivesRequest": "The entity accepts an incoming request.", + "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", + "data:output": "Behaviours 
that produce and transmit data to external consumers.", + "data:output:formatsResponse": "The entity structures data for delivery.", + "data:output:producesOutput": "The entity generates data for consumption.", + "data:output:publishesMessage": "The entity sends a message to a queue.", + "data:output:rendersTemplate": "The entity generates output from a template.", + "data:output:sendsResponse": "The entity transmits a reply.", + "data:output:serializesObject": "The entity converts object to transmittable form.", + "data:output:streamsOutput": "The entity continuously produces data.", + "data:output:writesFile": "The entity saves data to a file.", + "data:parsing": "Behaviours that interpret and extract information from structured data formats.", + "data:parsing:decodesData": "The entity converts encoded data to original form.", + "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", + "data:parsing:extractsFields": "The entity isolates specific data elements.", + "data:parsing:parsesData": "The entity interprets structured data.", + "data:parsing:parsesHtml": "The entity interprets HTML content.", + "data:parsing:parsesJson": "The entity interprets JSON-formatted data.", + "data:parsing:parsesXml": "The entity interprets XML-formatted data.", + "data:query": "Behaviours that retrieve data based on specified criteria.", + "data:query:executesLdapQuery": "The entity queries an LDAP directory.", + "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", + "data:query:executesSearch": "The entity performs full-text or indexed search.", + "data:query:executesSql": "The entity runs a SQL statement.", + "data:query:executesXPath": "The entity evaluates an XPath expression.", + "data:query:queriesData": "The entity retrieves data matching criteria.", + "data:storage": "Behaviours that persist and retrieve data from storage systems.", + "data:storage:cachesData": "The entity stores data for quick retrieval.", + 
"data:storage:deletesData": "The entity removes stored data.", + "data:storage:flushesCache": "The entity writes cached data to persistent storage.", + "data:storage:invalidatesCache": "The entity marks cached data as stale.", + "data:storage:retrievesData": "The entity fetches stored data.", + "data:storage:storesData": "The entity saves data persistently.", + "data:storage:updatesData": "The entity modifies stored data.", + "data:transformation": "Behaviours that convert data from one form or structure to another.", + "data:transformation:aggregatesData": "The entity combines multiple values.", + "data:transformation:compressesData": "The entity reduces data size.", + "data:transformation:decompressesData": "The entity restores compressed data.", + "data:transformation:encodesData": "The entity converts data to encoded form.", + "data:transformation:enrichesData": "The entity adds information from external sources.", + "data:transformation:filtersData": "The entity removes unwanted elements.", + "data:transformation:joinsData": "The entity combines data from multiple sources.", + "data:transformation:mapsData": "The entity converts between data structures.", + "data:transformation:normalizesData": "The entity converts to standard form.", + "data:transformation:sortsData": "The entity orders data elements.", + "data:transformation:transformsData": "The entity converts data from one form to another.", + "evasion": "Behaviours relating to techniques that avoid detection and analysis.", + "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", + "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", + "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.", + "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", + "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", + 
"evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", + "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", + "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", + "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", + "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", + "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", + "evasion:antiSecurity": "Behaviours that detect and disable security software.", + "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", + "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", + "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", + "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", + "evasion:indirection": "Behaviours that use indirect methods to execute code.", + "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", + "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", + "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", + "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", + "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", + "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", + "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", + "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", + "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", + "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", + "file": "Behaviours relating to file system 
operations and disk management.", + "file:directory": "Behaviours that create and navigate directory structures.", + "file:directory:changesDirectory": "The entity sets current working directory.", + "file:directory:createsDirectory": "The entity creates a new directory.", + "file:directory:deletesDirectory": "The entity removes a directory.", + "file:directory:listsDirectory": "The entity enumerates directory contents.", + "file:directory:traversesDirectory": "The entity recursively explores directories.", + "file:disk": "Behaviours that manage storage volumes and disk-level operations.", + "file:disk:decryptsVolume": "The entity decrypts a storage volume.", + "file:disk:encryptsVolume": "The entity encrypts a storage volume.", + "file:disk:formatsVolume": "The entity prepares storage for use.", + "file:disk:mountsVolume": "The entity attaches a storage volume.", + "file:disk:unmountsVolume": "The entity detaches a storage volume.", + "file:disk:wipesDisk": "The entity securely erases disk contents.", + "file:operations": "Behaviours that create and manipulate files.", + "file:operations:appendsToFile": "The entity adds data to end of file.", + "file:operations:checksFileExistence": "The entity verifies whether a file exists.", + "file:operations:closesFile": "The entity releases file access.", + "file:operations:copiesFile": "The entity duplicates a file.", + "file:operations:createsFile": "The entity creates a new file.", + "file:operations:deletesFile": "The entity removes a file.", + "file:operations:getsFileAttributes": "The entity retrieves file metadata.", + "file:operations:movesFile": "The entity relocates a file.", + "file:operations:opensFile": "The entity prepares a file for access.", + "file:operations:readsFile": "The entity retrieves file contents.", + "file:operations:renamesFile": "The entity changes a file name.", + "file:operations:setsFileAttributes": "The entity modifies file metadata.", + "file:operations:setsFilePermissions": "The entity 
modifies file access permissions.", + "file:operations:writesFile": "The entity modifies file contents.", + "gui": "Behaviours relating to graphical user interface interactions.", + "gui:display": "Behaviours that render and monitor visual output.", + "gui:display:displaysData": "The entity renders information visually.", + "gui:display:monitorsDisplay": "The entity observes displayed content.", + "gui:display:updatesDisplay": "The entity refreshes visual presentation.", + "gui:session": "Behaviours that interact with user login sessions.", + "gui:session:displaysLogin": "The entity presents login interface.", + "gui:session:interactsWithSession": "The entity operates within user session.", + "gui:session:switchesSession": "The entity changes active user session.", + "gui:window": "Behaviours that create and manipulate graphical windows.", + "gui:window:capturesWindow": "The entity captures window contents.", + "gui:window:createsWindow": "The entity creates a graphical window.", + "gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": "The entity lists open windows.", + "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.", + "gui:window:modifiesWindow": "The entity changes window properties.", + "hardware": "Behaviours relating to hardware components and physical device interactions.", + "hardware:actuator": "Behaviours that control physical actuators and output devices.", + "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", + "hardware:actuator:controlsBattery": "The entity manages battery charging.", + "hardware:actuator:controlsHeating": "The entity manages heating element.", + "hardware:actuator:controlsLed": "The entity manages LED indicator.", + "hardware:actuator:controlsMotor": "The entity manages motor operation.", + "hardware:actuator:controlsPower": "The entity manages power distribution.", + "hardware:actuator:controlsPump": "The entity manages fluid pump.", + 
"hardware:actuator:controlsTemperature": "The entity regulates temperature.", + "hardware:boot": "Behaviours that verify and configure system startup processes.", + "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", + "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", + "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", + "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", + "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", + "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", + "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", + "hardware:firmware": "Behaviours that manage and verify firmware integrity.", + "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", + "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.", + "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", + "hardware:firmware:updatesFirmware": "The entity applies firmware changes.", + "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", + "hardware:memory": "Behaviours that protect and isolate memory regions.", + "hardware:memory:encryptsMemory": "The entity protects memory contents.", + "hardware:memory:isolatesMemory": "The entity separates memory regions.", + "hardware:memory:protectsStack": "The entity defends against stack attacks.", + "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", + "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", + "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", + "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", + "hardware:peripheral:accessesCamera": "The entity interacts 
with camera hardware.", + "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", + "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", + "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", + "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", + "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", + "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", + "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", + "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", + "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", + "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", + "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", + "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", + "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", + "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", + "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", + "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", + "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", + "hardware:security:executesInTee": "The entity runs in trusted execution environment.", + "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", + "hardware:security:usesHsm": "The entity employs hardware security module.", + "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", + "hardware:sensor": "Behaviours that read measurements from hardware sensors.", 
+ "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", + "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", + "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", + "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", + "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", + "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", + "hardware:sensor:readsPowerStatus": "The entity obtains power state.", + "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", + "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", + "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", + "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", + "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.", + "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", + "network": "Behaviours relating to network communication and data transmission between systems.", + "network:connection": "Behaviours that establish and manage network connections.", + "network:connection:acceptsConnection": "The entity receives an incoming connection.", + "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", + "network:connection:establishesConnection": "The entity initiates a network connection.", + "network:connection:reconnects": "The entity re-establishes a dropped connection.", + "network:connection:reusesConnection": "The entity uses a pooled connection.", + "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.", + "network:connection:terminatesConnection": "The entity closes a network connection.", + "network:discovery": "Behaviours that locate and advertise 
network services and resources.", + "network:discovery:advertisesService": "The entity announces its availability.", + "network:discovery:discoversService": "The entity locates an available service.", + "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.", + "network:discovery:probesPort": "The entity checks if a port is open.", + "network:discovery:queriesDns": "The entity requests DNS resolution.", + "network:discovery:resolvesName": "The entity translates a name to an address.", + "network:discovery:scansNetwork": "The entity probes for active hosts or services.", + "network:protocol": "Behaviours that negotiate and implement communication protocols.", + "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.", + "network:protocol:framesMessage": "The entity structures data for transmission.", + "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.", + "network:protocol:parsesMessage": "The entity interprets received network data.", + "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.", + "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.", + "network:protocol:validatesMessage": "The entity verifies message format and integrity.", + "network:remoteInteraction": "Behaviours that execute operations on remote systems.", + "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.", + "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.", + "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.", + "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.", + "network:remoteInteraction:sendsEmail": "The entity transmits an email message.", + "network:remoteInteraction:sendsSms": "The entity transmits a 
text message.", + "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.", + "network:routing": "Behaviours that direct network traffic to its destination.", + "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.", + "network:routing:forwardsPacket": "The entity passes a packet toward its destination.", + "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.", + "network:routing:routesTraffic": "The entity directs network traffic to destinations.", + "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.", + "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.", + "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.", + "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.", + "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.", + "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.", + "network:trafficControl:limitsRate": "The entity restricts traffic volume.", + "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.", + "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.", + "network:transmission": "Behaviours that send and receive data over network connections.", + "network:transmission:broadcastsData": "The entity sends data to multiple recipients.", + "network:transmission:multicastsData": "The entity sends data to a group of recipients.", + "network:transmission:receivesData": "The entity accepts data from the network.", + "network:transmission:sendsData": "The entity transmits data over the network.", + "network:transmission:streamsData": "The entity continuously transmits or receives data.", + "privacy": "Behaviours relating to the collection and processing of personal and 
sensitive data.", + "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.", + "privacy:collection:capturesAudio": "The entity records sound via microphone.", + "privacy:collection:capturesKeystrokes": "The entity records keyboard input.", + "privacy:collection:capturesScreen": "The entity records display contents.", + "privacy:collection:capturesVideo": "The entity records images via camera.", + "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.", + "privacy:collection:collectsBiometricData": "The entity captures biometric information.", + "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.", + "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.", + "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.", + "privacy:collection:collectsHealthData": "The entity gathers protected health information.", + "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.", + "privacy:collection:collectsLocationData": "The entity gathers geographical position information.", + "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.", + "privacy:collection:collectsSilently": "The entity gathers data without user awareness.", + "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.", + "privacy:collection:readsClipboard": "The entity accesses clipboard contents.", + "privacy:deletion": "Behaviours that remove or destroy personal data.", + "privacy:deletion:clearsCache": "The entity removes data from temporary storage.", + "privacy:deletion:deletesPersonalData": "The entity removes personal data.", + "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", + "privacy:deletion:purgesFromBackup": "The entity removes 
data from backup systems.", + "privacy:deletion:redactsData": "The entity removes specific content from records.", + "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", + "privacy:inference:correlatesData": "The entity combines data from multiple sources.", + "privacy:inference:createsProfile": "The entity builds a profile from collected data.", + "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", + "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", + "privacy:inference:linksIdentities": "The entity associates data across contexts.", + "privacy:inference:tracksUser": "The entity follows user activity across sessions.", + "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", + "privacy:minimization:aggregatesData": "The entity combines records into summaries.", + "privacy:minimization:anonymizesData": "The entity removes identifying information.", + "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", + "privacy:minimization:generalizesData": "The entity reduces data precision.", + "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", + "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", + "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", + "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", + "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", + "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", + "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", + "privacy:privacyEnhancement:processesLocally": "The entity handles 
data on-device.", + "privacy:retention": "Behaviours that store personal data over time.", + "privacy:retention:archivesData": "The entity moves data to long-term storage.", + "privacy:retention:backsUpData": "The entity creates copies for recovery.", + "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", + "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", + "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", + "privacy:retention:retainsInLog": "The entity keeps data in log files.", + "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", + "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", + "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", + "privacy:sharing:exportsData": "The entity outputs data in portable format.", + "privacy:sharing:publishesData": "The entity makes data publicly available.", + "privacy:sharing:sellsData": "The entity provides data in exchange for value.", + "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", + "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", + "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", + "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", + "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", + "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", + "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.", + "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", + "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", + "privacy:transparency": "Behaviours that 
inform individuals about data processing activities.",
+ "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.",
+ "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.",
+ "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.",
+ "privacy:transparency:recordsConsent": "The entity stores consent decisions.",
+ "privacy:transparency:requestsConsent": "The entity asks for processing permission.",
+ "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.",
+ "safety": "Behaviours relating to the prevention of harm to users and the environment.",
+ "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.",
+ "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.",
+ "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.",
+ "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.",
+ "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.",
+ "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.",
+ "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.",
+ "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.",
+ "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.",
+ "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.",
+ "safety:contentSafety:filtersContent": "The entity blocks or restricts content.",
+ "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.",
+ "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.",
+ 
"safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", + "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", + "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", + "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", + "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", + "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", + "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", + "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", + "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", + "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.", + "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", + "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", + "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", + "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", + "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", + "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", + "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", + "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.", + "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", + "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", + 
"safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", + "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", + "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", + "security:auditing:logsEvent": "The entity records an occurrence.", + "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", + "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", + "security:auditing:purgesLog": "The entity deletes old log records.", + "security:auditing:rotatesLog": "The entity archives and starts new log files.", + "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", + "security:auditing:timestampsEvent": "The entity records when an event occurred.", + "security:auditing:transmitsLog": "The entity sends log data to a remote destination.", + "security:authentication": "Behaviours that verify the identity of users and entities.", + "security:authentication:authenticatesDevice": "The entity confirms device identity.", + "security:authentication:authenticatesService": "The entity confirms service identity.", + "security:authentication:authenticatesUser": "The entity confirms user identity.", + "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", + "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", + "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", + "security:authentication:failsAuthentication": "The entity rejects invalid credentials.", + "security:authentication:locksAccount": "The entity prevents further authentication attempts.", + "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", + 
"security:authentication:promptsForCredentials": "The entity requests authentication information.", + "security:authentication:unlocksAccount": "The entity restores authentication capability.", + "security:authentication:validatesBiometric": "The entity verifies biometric data.", + "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", + "security:authorization": "Behaviours that determine and enforce access permissions.", + "security:authorization:checksPermission": "The entity verifies access rights.", + "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", + "security:authorization:deniesAccess": "The entity refuses a requested action.", + "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", + "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", + "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", + "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.", + "security:authorization:grantsAccess": "The entity permits a requested action.", + "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", + "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", + "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", + "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", + "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", + "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", + "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.", + 
"security:cryptography:checksRevocation": "The entity queries certificate revocation status.", + "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", + "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.", + "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.", + "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.", + "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.", + "security:cryptography:destroysKey": "The entity securely erases a key.", + "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", + "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.", + "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.", + "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.", + "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.", + "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.", + "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.", + "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.", + "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.", + "security:cryptography:exchangesKey": "The entity shares a key with another party.", + "security:cryptography:generatesKey": "The entity creates a cryptographic key.", + "security:cryptography:generatesRandomValue": "The entity produces a cryptographically 
secure random value.", + "security:cryptography:hashesData": "The entity generates a cryptographic hash.", + "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.", + "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.", + "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", + "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.", + "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.", + "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.", + "security:cryptography:retrievesKey": "The entity obtains a stored key.", + "security:cryptography:revokesCertificate": "The entity invalidates a certificate.", + "security:cryptography:rotatesKey": "The entity replaces a key with a new one.", + "security:cryptography:signsCode": "The entity applies a digital signature to executable code.", + "security:cryptography:signsData": "The entity creates a digital signature.", + "security:cryptography:signsDocument": "The entity applies a digital signature to a document.", + "security:cryptography:storesKey": "The entity saves a key securely.", + "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.", + "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.", + "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.", + "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.", + "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.", + "security:cryptography:verifiesDocumentSignature": "The entity validates a 
digital signature on a document.", + "security:cryptography:verifiesHash": "The entity validates data against a hash.", + "security:cryptography:verifiesSignature": "The entity validates a digital signature.", + "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.", + "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.", + "security:errorHandling:catchesException": "The entity intercepts an error condition.", + "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.", + "security:errorHandling:failsClosed": "The entity denies access when controls fail.", + "security:errorHandling:failsOpen": "The entity permits access when controls fail.", + "security:errorHandling:generatesError": "The entity produces an error condition.", + "security:errorHandling:logsError": "The entity records an error condition.", + "security:errorHandling:propagatesError": "The entity passes an error to caller.", + "security:errorHandling:returnsGenericError": "The entity provides minimal error information.", + "security:errorHandling:suppressesError": "The entity hides an error condition.", + "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.", + "security:inputHandling:escapesInput": "The entity encodes special characters in input.", + "security:inputHandling:normalizesInput": "The entity converts input to standard form.", + "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.", + "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.", + "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.", + "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.", + "security:inputHandling:validatesRange": "The entity ensures values fall within 
acceptable bounds.", + "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.", + "security:integrity": "Behaviours that verify and protect the integrity of data and code.", + "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.", + "security:integrity:detectsTampering": "The entity identifies modification attempts.", + "security:integrity:respondsToTampering": "The entity reacts to detected tampering.", + "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.", + "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.", + "security:integrity:verifiesProvenance": "The entity confirms origin and history.", + "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.", + "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.", + "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.", + "security:outputHandling:escapesOutput": "The entity encodes special characters in output.", + "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.", + "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.", + "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.", + "security:session": "Behaviours that manage authenticated user sessions.", + "security:session:createsSession": "The entity establishes an authenticated session.", + "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.", + "security:session:invalidatesSession": "The entity revokes session validity.", + "security:session:refreshesSession": "The entity extends session lifetime.", + "security:session:regeneratesSessionId": "The entity creates a new session identifier.", + "security:session:terminatesSession": 
"The entity ends an authenticated session.", + "security:session:validatesSession": "The entity verifies session validity.", + "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.", + "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.", + "security:threatResponse:blocksSource": "The entity prevents further requests from a source.", + "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.", + "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.", + "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.", + "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.", + "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.", + "security:threatResponse:raisesAlert": "The entity notifies of a security event.", + "system": "Behaviours relating to operating system interactions and the management of computational resources.", + "system:configuration": "Behaviours that read and modify system configuration settings.", + "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.", + "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.", + "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.", + "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.", + "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.", + "system:configuration:readsRegistry": "The entity retrieves values from the system registry.", + "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.", + "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.", + 
"system:configuration:writesRegistry": "The entity stores values in the system registry.", + "system:informationGathering": "Behaviours that collect information about the host system and its configuration.", + "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.", + "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.", + "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.", + "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.", + "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.", + "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.", + "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.", + "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.", + "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.", + "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.", + "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.", + "system:lifecycle:decommissions": "The entity securely retires from service.", + "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.", + "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.", + "system:lifecycle:provisions": "The entity configures itself for deployment.", + "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.", + "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.", + "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.", + "system:operationalState:entersFailSafeState": "The 
entity transitions to a known safe state upon detecting a fault.",
+ "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.",
+ "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.",
+ "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.",
+ "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.",
+ "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.",
+ "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.",
+ "system:persistence:installsAsService": "The entity registers itself as a system service.",
+ "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.",
+ "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.",
+ "system:persistence:removesPersistence": "The entity removes its persistence mechanism.",
+ "system:processControl": "Behaviours that create and manipulate operating system processes.",
+ "system:processControl:createsProcess": "The entity starts a new process.",
+ "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.",
+ "system:processControl:enumeratesProcesses": "The entity lists running processes.",
+ "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.",
+ "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.",
+ "system:processControl:modifiesProcess": "The entity changes attributes of a running process.",
+ "system:processControl:resumesProcess": "The entity continues paused process execution.",
+ "system:processControl:suspendsProcess": "The entity pauses process execution.",
+ 
"system:processControl:terminatesProcess": "The entity ends a running process.", + "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.", + "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.", + "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.", + "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.", + "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.", + "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.", + "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.", + "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.", + "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.", + "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.", + "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.", + "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.", + "system:resourceManagement:resumesThread": "The entity continues paused thread execution.", + "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.", + "system:resourceManagement:suspendsThread": "The entity pauses thread execution.", + "system:resourceManagement:terminatesThread": "The entity ends an execution thread.", + "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", + "system:serviceControl": "Behaviours that manage system services and daemons.", + "system:serviceControl:createsService": "The entity installs a system service 
or daemon.", + "system:serviceControl:deletesService": "The entity removes a system service.", + "system:serviceControl:enumeratesServices": "The entity lists installed services.", + "system:serviceControl:modifiesService": "The entity changes service configuration.", + "system:serviceControl:startsService": "The entity initiates service execution.", + "system:serviceControl:stopsService": "The entity halts service execution.", + "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", + "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", + "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", + "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", + "system:synchronization:signalsSemaphore": "The entity releases a semaphore.", + "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", + "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", + "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", + "system:timing:delaysExecution": "The entity postpones an operation.", + "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", + "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", + "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", + "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", + "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.", + "system:timing:waits": "The entity pauses execution for a specified duration.", + "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", + "system:userManagement:createsUserAccount": 
"The entity adds a new user account.", + "system:userManagement:deletesUserAccount": "The entity removes a user account.", + "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", + "system:userManagement:enumeratesUsers": "The entity lists user accounts.", + "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", + "system:userManagement:modifiesUserAccount": "The entity changes user account properties." + } + } + } + }, + "cyclonedx-blueprint-2.0": { + "type": "null", + "title": "CycloneDX Blueprint Model", + "$defs": { + "blueprints": { + "type": "array", + "title": "Blueprints", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint" + }, + "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis." + }, + "blueprint": { + "type": "object", + "title": "Blueprint", + "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.", + "required": [ + "modelTypes", + "methodologies" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "metadata": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata" + }, + "modelTypes": { + "type": "array", + "title": "Model Types", + "minItems": 1, + "uniqueItems": true, + "description": "The types of models being represented", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType" + } + }, + "methodologies": { + "type": "array", + "title": "Methodologies", + "minItems": 1, + "uniqueItems": true, + "description": "The modeling methodologies used", + "items": { + "$ref": 
"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology" + } + }, + "scope": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope" + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model" + }, + "dataStores": { + "type": "array", + "title": "Data Stores", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model" + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity" + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption" + }, + "description": "Assumptions 
made during the modeling process" + }, + "visualizations": { + "type": "array", + "title": "Visualizations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "type": "object", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase" + }, + { + "properties": { + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to the blueprint assets that are involved in or exercised by this use case" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to the requirements that are implemented, validated, or addressed by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." 
+ }, + "requirements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "modelType": { + "type": "object", + "title": "Model Type", + "description": "The type of model being represented, either a predefined type or a custom named type.", + "oneOf": [ + { + "title": "Predefined Model Type", + "description": "A model type selected from a predefined set of well-known modelling categories.", "required": [ "type" ], 
@@ -995,64 +2760,146 @@ "properties": { "type": { "type": "string", + "title": "Pre-Defined Model Type", "enum": [ - "C4", - "UML", - "TOGAF", + "architecture", + "behavioral", + "conceptual", + "dataFlow", + "deployment", + "logical", + "network", + "operational", + "physical", + "privacy", + "process", + "risk", + "structural", + "threat" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "behavioral": "System behavior model", + "conceptual": "High-level conceptual model", + "dataFlow": "Data flow model showing how data moves through the system", + "deployment": "Deployment or infrastructure model", + "logical": "Logical system model", + "network": "Network topology or connectivity model", + "operational": "Operational model", + "physical": "Physical infrastructure model", + "privacy": "Privacy impact assessment model", + "process": "Business or system process model", + "risk": "Risk assessment model", + "structural": "System structure model", + "threat": "Security threat model" + } + } + } + }, + { + "title": "Custom Model Type", + "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Custom model type name" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "title": "Methodology", + "description": "The modelling methodology used, either a predefined type or a custom named methodology.", + "oneOf": [ + { + "title": "Predefined Methodology", + "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", + "required": [ + "type" + ], + "additionalProperties": false, 
+ "properties": { + "type": { + "type": "string", + "title": "Pre-Defined Type", + "enum": [ + "4+1", "Archimate", + "ATFAA", "BPMN", + "C4", "DFD", - "ERD", - "4+1", - "Zachman", - "SABSA", "DODAF", + "ERD", + "IDEF", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK", "MODAF", "NAF", - "Kruchten", - "IDEF", - "SysML", - "STRIDE", + "OWASP", "PASTA", - "LINDDUN", - "OCTAVE", - "ISO27005", - "NIST", - "FAIR" + "SABSA", + "STRIDE", + "SysML", + "TOGAF", + "TRIKE", + "UML", + "VAST", + "Zachman", + "attackTree" ], "meta:enum": { - "C4": "C4 Model for software architecture", - "UML": "Unified Modeling Language", - "TOGAF": "The Open Group Architecture Framework", + "4+1": "4+1 Architectural View Model", "Archimate": "Enterprise architecture modeling language", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", "BPMN": "Business Process Model and Notation", + "C4": "C4 Model for software architecture", "DFD": "Data Flow Diagrams", - "ERD": "Entity Relationship Diagrams", - "4+1": "4+1 Architectural View Model", - "Zachman": "Zachman Framework", - "SABSA": "Sherwood Applied Business Security Architecture", "DODAF": "Department of Defense Architecture Framework", + "ERD": "Entity Relationship Diagrams", + "IDEF": "Integration Definition Methods", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome", + "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework", "MODAF": "Ministry of Defence Architecture Framework", "NAF": "NATO Architecture Framework", - "Kruchten": "Kruchten's 4+1 View Model", - "IDEF": "Integration Definition Methods", - "SysML": "Systems Modeling Language", - "STRIDE": "Microsoft's threat modeling methodology", + "OWASP": "OWASP threat modelling methodology", "PASTA": "Process for Attack Simulation and Threat Analysis", - "LINDDUN": "Privacy threat modeling 
methodology", - "OCTAVE": "Operationally Critical Threat, Asset, and Vulnerability Evaluation", - "ISO27005": "ISO/IEC 27005 Information security risk management", - "NIST": "NIST Risk Management Framework", - "FAIR": "Factor Analysis of Information Risk" + "SABSA": "Sherwood Applied Business Security Architecture", + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege", + "SysML": "Systems Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "TRIKE": "Risk-based threat modelling methodology", + "UML": "Unified Modeling Language", + "VAST": "Visual, Agile, and Simple Threat modelling", + "Zachman": "Zachman Framework", + "attackTree": "Attack tree methodology for structured threat analysis" } }, "version": { "type": "string", + "title": "Version", "description": "Version of the methodology" } } }, { + "title": "Custom Methodology", + "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.", "required": [ "name" ], @@ -1060,18 +2907,24 @@ "properties": { "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Custom methodology name" }, "version": { "type": "string", + "title": "Version", "description": "Version of the methodology" }, "description": { "type": "string", + "title": "Description", "description": "Description of the custom methodology" }, "externalReferences": { "type": "array", + "title": "External References", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" } 
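Review bot: The predefined methodology `type` enum mixes naming conventions — `attackTree` is lowerCamel while every other value is an acronym or proper name written as-is (`STRIDE`, `Zachman`, and `MITRE-ATTACK` with a hyphen), and ASCII ordering leaves `attackTree` after `Zachman` in the list. Consumers compare these strings exactly, so a case or hyphen mismatch fails validation silently rather than mapping to the intended methodology; either spell it like the other proper names or state in the enum's `description` that values are case-sensitive identifiers. In the Custom Model Type branch earlier in the hunk, `name` has `minLength: 1` but nothing says it must not duplicate a predefined `type`, so `{"name": "threat"}` validates as a custom type; if that is undesirable, one sentence in that branch's description would close it. The predefined methodology branch continues into the next hunk.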
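Review bot: The custom methodology's `externalReferences` is declared inline as an array of `#/$defs/cyclonedx-common-2.0/$defs/externalReference`, while the blueprint and asset definitions elsewhere in this diff use `"$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"`. Pointing at the shared definition keeps the array constraints (`uniqueItems`, titles) in one place instead of re-declaring them here; the replacement is `"externalReferences": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }`. The enclosing oneOf branch starts in the previous hunk.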
@@ -1080,108 +2933,15 @@ } ] }, - "perspective": { - "type": "object", - "required": [ - "bom-ref", - "type", - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Unique identifier for the perspective" - }, - "type": { - "type": "string", - "enum": [ - "business", - "technical", - "user", - "operational", - "development", - "architectural", - "functional", - "informational", - "contextual", - "conceptual", - "logical", - "physical", - "security", - "compliance", - "risk", - "stakeholder", - "custom" - ], - "meta:enum": { - "business": "Business stakeholder perspective", - "technical": "Technical implementation perspective", - "user": "End user or customer perspective", - "operational": "Operations and maintenance perspective", - "development": "Software development perspective", - "architectural": "System architecture perspective", - "functional": "Functional requirements perspective", - "informational": "Information and data perspective", - "contextual": "Business context perspective", - "conceptual": "High-level conceptual perspective", - "logical": "Logical design perspective", - "physical": "Physical implementation perspective", - "security": "Security perspective", - "compliance": "Regulatory compliance perspective", - "risk": "Risk management perspective", - "stakeholder": "General stakeholder perspective", - "custom": "Custom or other perspective" - } - }, - "name": { - "type": "string", - "description": "Name of the perspective" - }, - "description": { - "type": "string", - "description": "Detailed description of the perspective and its focus" - }, - "role": { - "type": "string", - "description": "The role or persona associated with this perspective" - }, - "objectives": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Primary objectives or goals from this perspective" - }, - "concerns": { - "type": "array", - "items": { - "type": 
"string" - }, - "description": "Primary concerns from this perspective" - }, - "viewpoint": { - "type": "string", - "description": "The architectural viewpoint this perspective represents" - }, - "scope": { - "type": "string", - "description": "The scope of this perspective" - }, - "properties": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - } - } - }, "blueprintMetadata": { "type": "object", + "title": "Blueprint Metadata", + "description": "Metadata about the creation, review, and approval of the blueprint.", "additionalProperties": false, "properties": { "timestamp": { "type": "string", + "title": "Timestamp", "format": "date-time", "description": "When the blueprint was created or last updated" }, @@ -1195,6 +2955,7 @@ }, "reviewDate": { "type": "string", + "title": "Review Date", "format": "date-time", "description": "When the blueprint was reviewed" }, @@ -1204,6 +2965,7 @@ }, "approvalDate": { "type": "string", + "title": "Approval Date", "format": "date-time", "description": "When the blueprint was approved" }, @@ -1220,20 +2982,25 @@ }, "validityPeriod": { "type": "object", + "title": "Validity Period", + "description": "The period during which the blueprint is considered valid.", "additionalProperties": false, "properties": { "start": { "type": "string", + "title": "Start", "format": "date-time", "description": "When the blueprint becomes valid" }, "end": { "type": "string", + "title": "End", "format": "date-time", "description": "When the blueprint expires" }, "reviewFrequency": { "type": "string", + "title": "Review Frequency", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" } 
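Review bot: The `reviewFrequency` pattern `^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$` accepts mixed forms such as `P1Y2W`, but ISO 8601 treats `PnW` as a standalone form that most duration parsers reject when combined with Y/M/D, so a value can pass schema validation and still fail in the consumer. If weeks are wanted, `^P(?!$)(?:\\d+W|(\\d+Y)?(\\d+M)?(\\d+D)?)$` keeps them exclusive while still rejecting a bare `P`. The pattern also excludes time designators (`PT…`), which is reasonable for a review cadence but worth stating in the description so authors do not expect `PT12H` to validate. `start` and `end` have no ordering relation expressible in the schema; a note that consumers must check `end` is not before `start` would help.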
@@ -1241,6 +3008,8 @@ }, "scope": { "type": "object", + "title": "Scope", + "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.", "required": [ "name" ], @@ -1251,21 +3020,29 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the scope" }, "description": { "type": "string", + "title": "Description", "description": "Description of what is included and excluded from the model" }, "boundaries": { "type": "array", + "title": "Boundaries", + "uniqueItems": true, "items": { - "type": "string" + "type": "string", + "minLength": 1 }, "description": "Explicit boundaries of the model" }, "includedComponents": { "type": "array", + "title": "Included Components", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, @@ -1273,6 +3050,8 @@ }, "excludedComponents": { "type": "array", + "title": "Excluded Components", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, @@ -1285,11 +3064,8 @@ }, "asset": { "type": "object", - "required": [ - "bom-ref", - "type", - "name" - ], + "title": "Asset", + "description": "A component, service, data store, or other element included in the blueprint model.", "additionalProperties": false, "properties": { "bom-ref": { 
@@ -1306,57 +3082,73 @@ }, "type": { "type": "string", + "title": "Asset Type", "enum": [ - "component", - "service", - "dataStore", + "actor", + "agent", + "api", + "broker", + "cache", + "component", + "container", "data", - "actor", - "process", - "infrastructure", + "dataStore", "device", - "network", - "container", + "endpoint", "function", - "api", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "other", + "process", "queue", + "resource", + "service", "stream", - "system", "subsystem", - "module", - "interface", - "endpoint", - "resource" + "system" ], "meta:enum": { + "actor": "User, system, or external entity", + "agent": "Autonomous AI or software agent", + "api": "API endpoint or interface", + "broker": "Message broker or event bus infrastructure", + "cache": "Caching layer or in-memory data store", "component": "Software component or application", - "service": "Service or microservice", + "container": "Container or orchestration unit", + "data": "Dataset", "dataStore": "Database, file system, or data repository", - "data": "Data asset or dataset", - "actor": "User, system, or external entity", - "process": "Business or system process", - "infrastructure": "Infrastructure component", "device": "Physical or IoT device", - "network": "Network segment or resource", - "container": "Container or orchestration unit", + "endpoint": "Service endpoint or URL", "function": "Serverless function or lambda", - "api": "API endpoint or interface", - "queue": "Message queue or event bus", + "gateway": "API gateway, load balancer, or proxy", + "infrastructure": "Infrastructure component", + "interface": "System interface or contract", + "model": "AI or machine learning model", + "module": "Software module or package", + "network": "Network segment or resource", + "other": "Asset type not covered by predefined values", + "process": "Business or system process", + "queue": "Message queue or task queue", + "resource": "Generic resource 
or artifact", + "service": "Service or microservice", "stream": "Data stream or event stream", - "system": "Complete system or application", "subsystem": "Part of a larger system", - "module": "Software module or package", - "interface": "System interface or contract", - "endpoint": "Service endpoint or URL", - "resource": "Generic resource or artifact" + "system": "Complete system or application" } }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the asset" }, "description": { "type": "string", + "title": "Description", "description": "Description of the asset's role and purpose" }, "zone": { @@ -1370,22 +3162,23 @@ "classification": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification" }, - "attributes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Generic attributes or tags for the asset" + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags" }, "responsibilities": { "type": "array", + "title": "Responsibilities", + "uniqueItems": true, "items": { - "type": "string" + "type": "string", + "minLength": 1 }, "description": "Responsibilities or functions of this asset" }, "interfaces": { "type": "array", + "title": "Interfaces", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface" }, @@ -1393,6 +3186,8 @@ }, "dependencies": { "type": "array", + "title": "Dependencies", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, 
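Review bot: The asset `type` enum keeps `data` ("Dataset") and `dataStore` ("Database, file system, or data repository") while this same diff introduces dedicated `dataSet` and `dataStore` definitions under the blueprint's `dataSets` and `dataStores` arrays, so the same store can be modelled either as an asset or as a `dataStores` entry with different available properties (`placements` and the per-placement `encrypted` flag exist only on the latter). Threat-analysis tooling then has two places to look for the same thing, and the two representations can drift. The meta:enum text for `data` and `dataStore` should say when an asset of that type is appropriate versus a `dataSets`/`dataStores` entry, or those asset values should be reserved for assets that reference such an entry. The asset definition starts and ends outside this hunk.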
@@ -1400,24 +3195,30 @@ }, "useCases": { "type": "array", + "title": "Use Cases", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": "References to use cases that involve this asset" + "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." }, "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" }, "description": "Authentication methods supported/required" }, "authorization": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", - "description": "Authorization model used" - }, - "encryption": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" }, "ownership": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership" 
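Review bot: Removing `encryption` from the asset leaves no structured field stating whether the asset protects data in transit or at rest; within this diff that information now survives only as the `encrypted` boolean on dataSet placements and the free-form `protocols` strings, and the same removal happens on `crossingRequirements` in the boundary hunk further down. If `dataProfile` is meant to carry this, the asset should reference it the way `flow` does; otherwise a boolean or small enum here is the smaller fix. Separately, the `authentication` and `authorization` descriptions say "supported/required", which conflates what an asset can accept with what it enforces — a reader of a threat model needs to know which, so pick one, e.g. `"Authentication methods the asset requires from callers"`. The asset definition starts and ends outside this hunk.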
@@ -1426,10 +3227,265 @@ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + }, + "oneOf": [ + { + "title": "Component Reference Asset", + "description": "An asset defined by reference to a component declared elsewhere in the BOM.", + "required": [ + "bom-ref", + "componentRef" + ] + }, + { + "title": "Service Reference Asset", + "description": "An asset defined by reference to a service declared elsewhere in the BOM.", + "required": [ + "bom-ref", + "serviceRef" + ] + }, + { + "title": "Inline Asset", + "description": "An asset defined inline within the blueprint with an explicit type and name.", + "required": [ + "bom-ref", + "type", + "name" + ] + } + ] + }, + "dataStore": { + "type": "object", + "title": "Data Store", + "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.", + "required": [ + "bom-ref", + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the data store" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Purpose and contents of the store" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "blob", + "blockchain", + "cache", + "columnFamily", + "custom", + "dataLake", + "dataWarehouse", + "document", + "eventLog", + "file", + "graph", + "inMemory", + "keyValue", + "messageQueue", + "object", + "other", + "registry", + "search", + "spatial", + "sql", + "timeSeries", + "vector" + ], + "meta:enum": { + "blob": "Binary/blob storage", + "blockchain": "Distributed ledger or blockchain storage", + "cache": "Caching tier", + "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", + "custom": "Custom or mixed storage technology", + 
"dataLake": "Data lake or lakehouse for raw and semi-structured data", + "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", + "document": "Document database (e.g., MongoDB)", + "eventLog": "Event log or append-only streaming store (e.g., Kafka)", + "file": "File system or NAS", + "graph": "Graph database", + "inMemory": "In-memory data store used as a primary store", + "keyValue": "Key-value store", + "messageQueue": "Message queue or broker with persistent storage", + "object": "Object storage", + "other": "Other storage technology not listed", + "registry": "Configuration or service registry (e.g., etcd, Consul)", + "search": "Search index or full-text search engine (e.g., Elasticsearch)", + "spatial": "Spatial or geospatial database", + "sql": "Relational database", + "timeSeries": "Time-series database", + "vector": "Vector database for embeddings and similarity search" + } + }, + "vendor": { + "type": "string", + "title": "Vendor", + "description": "The vendor or publisher of the data store product" + }, + "product": { + "type": "string", + "title": "Product", + "description": "The name of the data store product" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the data store product" + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "Deployment environment (prod, test, etc.)" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone where the asset resides" + }, + "location": { + "type": "string", + "title": "Location", + "description": "Physical or logical hosting location" + }, + "technologies": { + "type": "array", + "title": "Technologies", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Supporting technologies or services" + }, + "dataSets": { "type": "array", + "title": "Data Sets", + "uniqueItems": true, "items": { - "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to data sets stored here" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataSet": { + "type": "object", + "title": "Data Set", + "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.", + "required": [ + "bom-ref", + "name", + "description" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the dataset" + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "What information is contained and why it exists" + }, + "dataProfile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + "recordCount": { + "type": "integer", + "title": "Record Count", + "description": "Approximate number of records" + }, + "owners": { + "type": "array", + "title": "Owners", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" + }, + "description": "Individuals or organizational entities that own the dataset" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "placements": { + "type": "array", + "title": "Placements", + "uniqueItems": true, + "items": { + "type": "object", + 
"title": "Placement", + "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.", + "required": [ + "dataStore" + ], + "additionalProperties": false, + "properties": { + "dataStore": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { + "type": "string", + "title": "Retention", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "title": "Replicated", + "description": "Indicates if this placement is a replica" + } + } + }, + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, @@ -1496,6 +3552,8 @@ }, "zone": { "type": "object", + "title": "Zone", + "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.", "required": [ "bom-ref", "name", 
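Review bot: The dataStore `zone` description reads "Reference to the zone where the asset resides", which is copied from the asset definition; it should say `"Reference to the zone where the data store resides"`. The dataStore `type` enum also carries two catch-all values, `custom` ("Custom or mixed storage technology") and `other` ("Other storage technology not listed"), which consumers cannot tell apart meaningfully — keep one. `recordCount` is an unbounded integer and should get `"minimum": 0`, and the `technologies` string array lacks the `"minLength": 1` that `scope.boundaries` received in this commit (the same gap appears later on zone `characteristics`/`constraints`, `crossingRequirements.protocols` and `flow.protocols`). The asset `oneOf` at the top of the hunk makes an object carrying both `componentRef` and an inline `type`/`name` fail validation because two branches match; if reference assets may not carry inline identity, say so in the branch descriptions, otherwise `anyOf` is the intended keyword.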
@@ -1508,33 +3566,37 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the zone" }, "description": { "type": "string", + "title": "Description", "description": "Description of the zone's characteristics" }, "type": { "type": "string", + "title": "Type", "enum": [ - "trust", - "network", - "physical", - "logical", "deployment", - "organizational", "functional", - "security" + "logical", + "network", + "organizational", + "other", + "physical", + "trust" ], "meta:enum": { - "trust": "Security trust zone", - "network": "Network segmentation zone", - "physical": "Physical location or boundary", - "logical": "Logical grouping or boundary", "deployment": "Deployment environment (e.g., dev, staging, prod)", - "organizational": "Organizational or administrative boundary", "functional": "Functional grouping", - "security": "Security zone or perimeter" + "logical": "Logical grouping or boundary", + "network": "Network segmentation zone", + "organizational": "Organizational or administrative boundary", + "other": "Other zone type not listed", + "physical": "Physical location or boundary", + "trust": "Security trust zone" } }, "parent": { @@ -1543,6 +3605,8 @@ }, "characteristics": { "type": "array", + "title": "Characteristics", + "uniqueItems": true, "items": { "type": "string" }, @@ -1550,6 +3614,8 @@ }, "constraints": { "type": "array", + "title": "Constraints", + "uniqueItems": true, "items": { "type": "string" }, @@ -1562,6 +3628,8 @@ }, "boundary": { "type": "object", + "title": "Boundary", + "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", "required": [ "bom-ref", "zones" 
@@ -1573,31 +3641,38 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name of the boundary" }, "type": { "type": "string", + "title": "Type", "enum": [ - "trust", - "network", - "process", "data", - "physical", + "functional", + "network", "organizational", - "functional" + "other", + "physical", + "process", + "trust" ], "meta:enum": { - "trust": "Trust boundary between different security zones", - "network": "Network boundary or firewall", - "process": "Process or execution boundary", "data": "Data classification boundary", - "physical": "Physical security boundary", + "functional": "Functional boundary", + "network": "Network boundary or firewall", "organizational": "Organizational boundary", - "functional": "Functional boundary" + "other": "A boundary type not covered by the predefined enumeration", + "physical": "Physical security boundary", + "process": "Process or execution boundary", + "trust": "Trust boundary between different security zones" } }, "zones": { "type": "array", + "title": "Zones", + "uniqueItems": true, "minItems": 2, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" 
@@ -1614,45 +3689,57 @@ }, "crossingRequirements": { "type": "object", + "title": "Crossing Requirements", + "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", "additionalProperties": false, "properties": { "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" }, "description": "Authentication required to cross this boundary" }, "authorization": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType", - "description": "Authorization model at this boundary" + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced at this boundary" }, "dataValidation": { "type": "boolean", + "title": "Data Validation", "description": "Whether data is validated when crossing this boundary" }, "dataTransformation": { "type": "boolean", + "title": "Data Transformation", "description": "Whether data is transformed when crossing this boundary" }, - "encryption": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType", - "description": "Encryption requirements for crossing this boundary" - }, "logging": { "type": "boolean", + "title": "Logging", "description": "Whether crossings are logged" }, "monitoring": { "type": "boolean", + "title": "Monitoring", "description": "Whether crossings are monitored" }, "rateLimit": { "type": "string", + "title": "Rate Limit", "description": "Rate limiting policy" }, "protocols": { "type": "array", + "title": "Protocols", + "uniqueItems": true, "items": { "type": "string" }, 
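Review bot: The boolean crossing controls `dataValidation`, `dataTransformation`, `logging` and `monitoring` carry no `default`, so a consumer cannot distinguish an omitted control from an explicit `false`, whereas `flow.bidirectional` in the next hunk declares `"default": false`. For boundary controls the distinction matters: "not stated" and "not enforced" are different findings in a threat model. Either add `"default": false` consistently or state in each description that absence means unknown. `rateLimit` as a free-form string is similarly unactionable by tooling; if that is deliberate, give the expected format in its description. The `protocols` property and the rest of the object continue past this hunk.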
@@ -1662,6 +3749,8 @@ }, "flow": { "type": "object", + "title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", "required": [ "bom-ref", "name", @@ -1676,31 +3765,41 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name or description of the flow" }, "description": { "type": "string", + "title": "Description", "description": "Detailed description of what flows and why" }, "type": { "type": "string", + "title": "Type", "enum": [ - "data", "control", - "process", - "message", - "event", + "data", "dependency", - "interaction" + "event", + "interaction", + "message", + "other", + "physical", + "process", + "signal" ], "meta:enum": { - "data": "Data or information flow", "control": "Control or command flow", - "process": "Business process flow", - "message": "Message or communication flow", - "event": "Event or notification flow", + "data": "Data or information flow", "dependency": "Dependency relationship", - "interaction": "User or system interaction" + "event": "Event or notification flow", + "interaction": "User or system interaction", + "message": "Message or communication flow", + "other": "A flow type not covered by the predefined enumeration", + "physical": "Physical movement of goods or materials", + "process": "Business process flow", + "signal": "Hardware or system signal" } }, "source": { 
@@ -1713,40 +3812,131 @@ }, "bidirectional": { "type": "boolean", + "title": "Bidirectional", "default": false, "description": "Whether flow occurs in both directions" }, "synchronous": { "type": "boolean", + "title": "Synchronous", "description": "Whether the flow is synchronous or asynchronous" }, "volume": { "type": "string", + "title": "Volume", "description": "Expected volume or frequency of flow" }, "timing": { "type": "string", + "title": "Timing", "description": "Timing characteristics (real-time, batch, scheduled)" }, - "protocol": { - "type": "string", - "description": "Communication protocol used" - }, - "dataFormat": { - "type": "string", - "description": "Format of data in the flow" + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Communication protocols used by this flow" }, - "classification": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + "dataProfile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" }, "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required for this flow" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced on this flow" + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "actor": { + "type": "object", + "title": "Actor", + "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", + "required": [ + 
"bom-ref", + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or title of the actor" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "administrator", + "agent", + "engineer", + "external", + "operator", + "other", + "system", + "user" + ], + "meta:enum": { + "administrator": "Administrative or privileged operator", + "agent": "Autonomous AI agent or intelligent software agent", + "engineer": "Developer or platform/DevOps engineer", + "external": "Third-party or external entity", + "operator": "Operational staff running the system", + "other": "An actor type not covered by the predefined enumeration", + "system": "Automated system actor or service account", + "user": "End user of a client application or service" } }, - "encryption": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/encryptionType" + "permissions": { + "type": "array", + "title": "Permissions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Permissions, capabilities, or duties the actor holds" + }, + "delegatedBy": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone where the actor resides" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
@@ -1755,6 +3945,8 @@
 },
 "assumption": {
 "type": "object",
+ "title": "Assumption",
+ "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.",
 "required": [
 "description"
 ],
@@ -1765,60 +3957,87 @@ }, "description": { "type": "string", - "description": "The assumption being made" + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" }, - "category": { + "topic": { "type": "string", + "title": "Topic", "enum": [ - "technical", + "availability", "business", - "operational", - "security", "compliance", + "operational", + "other", "performance", - "availability" + "security", + "technical" ], - "description": "Category of the assumption" + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities", + "business": "Assumption about business requirements, constraints, or organizational context", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations", + "operational": "Assumption about operational procedures, staffing, or maintenance practices", + "other": "An assumption topic not covered by the predefined enumeration", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", + "security": "Assumption about threat landscape, trust boundaries, or security controls", + "technical": "Assumption about technology choices, capabilities, or technical constraints" + } }, "relatedAssets": { "type": "array", + "title": "Related Assets", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": "Assets this assumption relates to" + "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" }, "validity": { "type": "string", + "title": "Validity", "enum": [ + "invalid", "unknown", - "verified", "unverified", - "invalid" + "verified" ], + "meta:enum": { + "invalid": "The assumption has been disproven or is 
no longer applicable", + "unknown": "The validity of the assumption has not yet been assessed", + "unverified": "The assumption has been identified but not yet validated", + "verified": "The assumption has been confirmed as true through validation" + }, "default": "unknown", - "description": "Whether the assumption has been validated" + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" }, "impact": { "type": "string", - "description": "Impact if this assumption proves false" + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" }, "owner": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Who owns or is responsible for this assumption" + "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" }, "validationMethod": { "type": "string", - "description": "How this assumption can be validated" + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" }, "validationDate": { "type": "string", + "title": "Validation Date", "format": "date-time", - "description": "When the assumption was last validated" + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" } } }, "visualization": { "type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", "required": [ "name", "type" 
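Review bot: `validity` can be set to `verified` without any `validationDate` or `validationMethod`, so a document can claim an assumption was confirmed while recording nothing about how or when, which defeats the staleness tracking the new descriptions promise. A conditional on the assumption object would tie them together: `"if": { "properties": { "validity": { "const": "verified" } }, "required": ["validity"] },` `"then": { "required": ["validationDate", "validationMethod"] }`. Note also that `"format": "date-time"` is an annotation by default, so validators must opt in to enforce it. The assumption properties object starts before this hunk.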
@@ -1830,105 +4049,53 @@ }, "name": { "type": "string", + "title": "Name", + "minLength": 1, "description": "Name or title of the visualization" }, "description": { "type": "string", + "title": "Description", "description": "Description of what the visualization shows" }, "type": { - "type": "string", - "enum": [ - "architecture", - "dataFlow", - "sequence", - "state", - "deployment", - "network", - "process", - "useCase", - "component", - "class", - "entity", - "activity", - "collaboration", - "context", - "container", - "code" - ], - "meta:enum": { - "architecture": "System architecture diagram", - "dataFlow": "Data flow diagram (DFD)", - "sequence": "Sequence or interaction diagram", - "state": "State machine diagram", - "deployment": "Deployment or infrastructure diagram", - "network": "Network topology diagram", - "process": "Business process diagram", - "useCase": "Use case diagram", - "component": "Component diagram", - "class": "Class or object diagram", - "entity": "Entity relationship diagram", - "activity": "Activity or workflow diagram", - "collaboration": "Collaboration diagram", - "context": "Context diagram", - "container": "Container diagram (C4)", - "code": "Code structure diagram" - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType" }, "format": { - "type": "string", - "enum": [ - "mermaid", - "graphviz", - "plantuml", - "drawio", - "svg", - "png", - "jpeg", - "d3", - "cytoscape", - "visio", - "archimate" - ], - "meta:enum": { - "mermaid": "Mermaid diagram language", - "graphviz": "GraphViz DOT language", - "plantuml": "PlantUML diagram language", - "drawio": "Draw.io/diagrams.net format", - "svg": "Scalable Vector Graphics", - "png": "Portable Network Graphics", - "jpeg": "JPEG image format", - "d3": "D3.js visualization", - "cytoscape": "Cytoscape graph format", - "visio": "Microsoft Visio format", - "archimate": "ArchiMate model format" - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat" }, "content": { 
"type": "string", + "title": "Content", "description": "The diagram content (source code or base64 encoded image)" }, "url": { "type": "string", + "title": "URL", "format": "iri-reference", "description": "URL to the diagram if stored externally" }, "level": { "type": "string", + "title": "Level", "enum": [ - "overview", + "detailed", "high", "medium", - "detailed" + "overview" ], + "meta:enum": { + "detailed": "Fine-grained view showing implementation-level specifics", + "high": "High-level view showing major components and relationships", + "medium": "Intermediate view balancing breadth and depth", + "overview": "Top-level summary providing a broad perspective of the system" + }, "description": "Level of detail in the visualization" }, - "perspective": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the perspective this visualization represents" - }, "elements": { "type": "array", + "title": "Elements", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, @@ -1936,10 +4103,13 @@ }, "interactive": { "type": "boolean", + "title": "Interactive", "description": "Whether the visualization is interactive" }, "layers": { "type": "array", + "title": "Layers", + "uniqueItems": true, "items": { "type": "string" }, 
@@ -1950,6 +4120,152 @@ } } }, + "visualizationType": { + "type": "object", + "title": "Visualization Type", + "description": "The type of diagram or visual representation.", + "oneOf": [ + { + "title": "Predefined Visualization Type", + "description": "A visualization type selected from a predefined set of well-known diagram types.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "activity", + "architecture", + "class", + "code", + "collaboration", + "component", + "container", + "context", + "dataFlow", + "deployment", + "entity", + "network", + "process", + "sequence", + "state", + "useCase" + ], + "meta:enum": { + "activity": "Activity or workflow diagram", + "architecture": "System architecture diagram", + "class": "Class or object diagram", + "code": "Code structure diagram", + "collaboration": "Collaboration diagram", + "component": "Component diagram", + "container": "Container diagram (C4)", + "context": "Context diagram", + "dataFlow": "Data flow diagram (DFD)", + "deployment": "Deployment or infrastructure diagram", + "entity": "Entity relationship diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "useCase": "Use case diagram" + } + } + } + }, + { + "title": "Custom Visualization Type", + "description": "A custom visualization type not covered by the predefined enumeration.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization type" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization type" + } + } + } + ] + }, + "visualizationFormat": { + "type": "object", + "title": "Visualization Format", + 
"description": "The rendering format or toolchain used to produce the visualization.", + "oneOf": [ + { + "title": "Predefined Visualization Format", + "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", + "required": [ + "format" + ], + "additionalProperties": false, + "properties": { + "format": { + "type": "string", + "title": "Format", + "enum": [ + "archimate", + "cytoscape", + "d3", + "drawio", + "graphviz", + "jpeg", + "mermaid", + "plantuml", + "png", + "svg", + "visio" + ], + "meta:enum": { + "archimate": "ArchiMate model format", + "cytoscape": "Cytoscape graph format", + "d3": "D3.js visualization", + "drawio": "Draw.io/diagrams.net format", + "graphviz": "GraphViz DOT language", + "jpeg": "JPEG image format", + "mermaid": "Mermaid diagram language", + "plantuml": "PlantUML diagram language", + "png": "Portable Network Graphics", + "svg": "Scalable Vector Graphics", + "visio": "Microsoft Visio format" + } + } + } + }, + { + "title": "Custom Visualization Format", + "description": "A custom visualization format not covered by the predefined enumeration.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization format" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization format" + } + } + } + ] + }, "assetClassification": { "type": "object", "additionalProperties": false, @@ -1961,7 +4277,7 @@ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" }, "dataClassification": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataClassification" + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" }, "tier": { "type": "string", 
@@ -1996,43 +4312,13 @@
 }
 }
 },
- "dataClassification": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "sensitivity": {
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"
- },
- "dataTypes": {
- "type": "array",
- "items": {
- "type": "string"
- },
- "description": "Specific types of data"
- },
- "handling": {
- "type": "string",
- "description": "Data handling requirements"
- },
- "retention": {
- "type": "string",
- "description": "Data retention requirements"
- },
- "disposal": {
- "type": "string",
- "description": "Data disposal requirements"
- },
- "regulations": {
- "type": "array",
- "items": {
- "type": "string"
- },
- "description": "Applicable regulations"
- }
- }
+ "dataProfile": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile"
 },
 "ownership": {
 "type": "object",
+ "title": "Ownership",
+ "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.",
 "additionalProperties": false,
 "properties": {
 "owner": {
@@ -2048,89 +4334,92 @@ "description": "Custodian responsible for protecting the asset" }, "users": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "type": "array", + "title": "Users", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" + }, "description": "Primary users of the asset" } } }, "authenticationType": { "type": "string", + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity.", "enum": [ - "none", + "apiKey", "basic", "bearer", - "digest", "certificate", - "apiKey", + "custom", + "digest", + "fido2", + "jwt", + "kerberos", + "ldap", + "mfa", + "mTLS", + "none", + "ntlm", "oauth1", "oauth2", - "openIdConnect", + "oidc", "saml", - "kerberos", - "ntlm", - "jwt", - "custom" + "ssh" ], - "description": "Authentication method", "meta:enum": { - "none": "No authentication required", + "apiKey": "API key authentication", "basic": "Basic authentication (username/password)", "bearer": "Bearer token authentication", - "digest": "Digest authentication", "certificate": "Certificate-based authentication", - "apiKey": "API key authentication", + "custom": "Custom authentication method", + "digest": "Digest authentication", + "fido2": "FIDO2/WebAuthn passwordless authentication", + "jwt": "JSON Web Token authentication", + "kerberos": "Kerberos authentication", + "ldap": "LDAP directory authentication", + "mfa": "Multi-factor authentication", + "mTLS": "Mutual TLS authentication", + "none": "No authentication required", + "ntlm": "NTLM authentication", "oauth1": "OAuth 1.0 authentication", "oauth2": "OAuth 2.0 authentication", - "openIdConnect": "OpenID Connect authentication", + "oidc": "OpenID Connect authentication", "saml": "SAML authentication", - "kerberos": "Kerberos authentication", - "ntlm": "NTLM authentication", - "jwt": "JSON Web Token authentication", - "custom": "Custom authentication method" + "ssh": 
"SSH key authentication" } }, "authorizationType": { "type": "string", + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions.", "enum": [ - "none", - "acl", - "rbac", "abac", - "mac", + "acl", + "cbac", + "custom", "dac", + "mac", + "none", + "other", "pbac", - "cbac", - "custom" + "rbac", + "rebac" ], - "description": "Authorization model", "meta:enum": { - "none": "No authorization controls", - "acl": "Access Control Lists", - "rbac": "Role-Based Access Control", "abac": "Attribute-Based Access Control", - "mac": "Mandatory Access Control", + "acl": "Access Control Lists", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model", "dac": "Discretionary Access Control", + "mac": "Mandatory Access Control", + "none": "No authorization controls", + "other": "Other authorization model not listed", "pbac": "Policy-Based Access Control", - "cbac": "Claims-Based Access Control", - "custom": "Custom authorization model" - } - }, - "encryptionType": { - "type": "object", - "additionalProperties": false, - "properties": { - "inTransit": { - "type": "boolean", - "description": "Whether data is encrypted in transit" - }, - "atRest": { - "type": "boolean", - "description": "Whether data is encrypted at rest" - }, - "inProcessing": { - "type": "boolean", - "description": "Whether data is encrypted during processing" - } + "rbac": "Role-Based Access Control", + "rebac": "Relationship-Based Access Control" } } } 
@@ -4978,6 +7267,212 @@ "type": "null", "title": "CycloneDX Data Model", "$defs": { + "dataProfile": { + "type": "object", + "title": "Data Profile", + "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this data profile" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." 
+ }, + "sensitivity": { + "type": "string", + "title": "Sensitivity", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "description": "Data sensitivity classification", + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access and special protection measures" + } + }, + "classification": { + "title": "Classification", + "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", + "oneOf": [ + { + "title": "Predefined Classification", + "description": "A predefined data classification from the enumeration.", + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "credentials", + "financial", + "intellectualProperty", + "logs", + "operational", + "other", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "credentials": "Secrets, tokens, or credentials", + "financial": "Financial statements or transaction data", + "intellectualProperty": "Intellectual property or trade secrets", + "logs": "Operational or security log data", + "operational": "Operational or process data", + "other": "Other data classification not listed", + "pci": "Payment card industry data", + "phi": "Protected health information", + "pii": "Personally identifiable information", + "safety": "Safety critical data or signals", + "telemetry": "System or product telemetry data" + } + } + } + }, + { + "title": "Custom Classification", + "description": "A custom data classification not covered by the predefined enumeration.", + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": 
{ + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of a custom data classification not covered by the predefined enumeration" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data classification" + } + } + } + ] + }, + "dataFormats": { + "type": "array", + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Format of data" + }, + "dataTypes": { + "type": "array", + "title": "Data Types", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "schema": { + "type": "array", + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "Reference to schema contracts or documents describing the data structure." + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." 
+ }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." + }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." + }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." + }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, "dataClassification": { "type": "string", "title": "Data Classification", @@ -4985,20 +7480,19 @@ }, "dataSensitivity": { "type": "string", + "title": "Data Sensitivity", + "description": "Classifies the sensitivity of data to indicate the level of protection required.", "enum": [ - "public", - "internal", "confidential", - "restricted", - "secret" + "internal", + "public", + "restricted" ], - "description": "Data sensitivity classification", "meta:enum": { - "public": "Public information that can be freely shared", - "internal": "Internal use only within the organization", "confidential": "Confidential information requiring protection", - "restricted": "Highly restricted information with limited access", - "secret": "Secret information requiring special handling" + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access" } }, "dataGovernance": { @@ -5010,6 +7504,7 @@ "custodians": { "type": "array", "title": "Data Custodians", + "uniqueItems": true, "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", "items": { "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" @@ -5018,6 +7513,7 @@ "stewards": { "type": "array", "title": "Data Stewards", + "uniqueItems": true, "description": "Data stewards are responsible for data content, context, and associated business rules.", "items": { "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" @@ -5026,6 +7522,7 @@ "owners": { "type": "array", "title": "Data Owners", + "uniqueItems": true, "description": "Data owners are concerned with risk and appropriate access to data.", "items": { "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" 
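Review bot: `dataProfile.sensitivity` inlines the same four-value enum that `dataSensitivity` defines a few lines later, and the two copies already disagree on `restricted` ("...and special protection measures" versus "...with limited access"); replacing the inline enum with `"sensitivity": { "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" }` keeps one source of truth, as `assetClassification` already does. The `dataSensitivity` hunk also drops `secret`, so any value previously recorded at that level now has no home above `restricted`; if that is intended, the `restricted` description should say it covers the former `secret` tier. Note that `"format": "uri"` on `schema` items is annotation-only unless the validator enables format assertion.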
@@ -5035,6 +7532,8 @@ }, "dataGovernanceResponsibleParty": { "type": "object", + "title": "Data Governance Responsible Party", + "description": "An organizational entity or individual responsible for a specific data governance role.", "additionalProperties": false, "properties": { "organization": { @@ -5063,20 +7562,20 @@ }, "dataFlowDirection": { "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", "enum": [ + "bi-directional", "inbound", "outbound", - "bi-directional", "unknown" ], "meta:enum": { + "bi-directional": "Data flows in and out of the service.", "inbound": "Data that enters a service.", "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." + } } } }, @@ -7707,6 +10206,13 @@ }, "description": "Risk scenarios identified" }, + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, "mitigations": { "type": "array", "items": { @@ -7849,7 +10355,7 @@ "hazard" ], "meta:enum": { - "threat": "Security threat scenario", + "threat": "Threat scenario", "vulnerability": "Exploitable vulnerability", "weakness": "System or design weakness", "risk": "General risk scenario", @@ -7861,10 +10367,6 @@ "domain": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "category": { - "type": "string", - "description": "Category or classification of the scenario" - }, "likelihood": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" }, 
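Review bot: The new `risks` array is added without the `title` and `uniqueItems` keywords that this commit adds to every other array, so it reads as an older draft pasted in. The opening lines should match the surrounding style: `"risks": {` `"type": "array",` `"title": "Risks", "uniqueItems": true,`. The enclosing risk-model properties object starts and ends outside this hunk.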
@@ -7901,6 +10403,132 @@ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" } }, + "compliance": { + "type": "array", + "items": { + "type": "object", + "required": [ + "framework", + "controlId" + ], + "additionalProperties": false, + "properties": { + "framework": { + "type": "string", + "description": "Name of the compliance program or framework" + }, + "controlId": { + "type": "string", + "description": "Identifier of the control within the framework" + }, + "reference": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference", + "description": "Link or citation to the requirement or control documentation" + }, + "description": { + "type": "string", + "description": "Optional notes describing the mapping" + } + } + }, + "description": "Compliance frameworks and control references this mitigation supports" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "risk": { + "type": "object", + "required": [ + "bom-ref", + "name", + "statement" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier for the risk" + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact" + }, + "description": { + "type": "string", + "description": "Additional narrative about the risk" + }, + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + }, + "description": "Risk domains impacted" + }, + "scenarios": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to scenarios this risk addresses" + }, + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "riskScore": { + "$ref": 
"#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskResponse" + }, + "description": "Risk responses or mitigation plans applied to this risk" + }, + "relatedThreats": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario" + }, + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" + }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } 
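Review bot: `risk.relatedThreats` embeds whole `threatScenario` objects (`"$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"`) while the neighbouring `scenarios`, `owner` and `compliance.reference` fields point at existing elements by reference, so threat scenarios documented elsewhere in the BOM get duplicated here and can drift. Unless inline scenarios are intended, the items should be `"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"` with the description changed to `"References (bom-refs) to threat scenarios informing this risk"`. `riskAttributes` is the only array in the definition without a `description` and `uniqueItems`, and `status` is the one enum in this commit left unsorted while `dataSensitivity`, `dataFlowDirection` and `likelihood.level` were alphabetised. The `risk` definition closes after the hunk ends.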
@@ -7915,28 +10543,29 @@ "properties": { "level": { "type": "string", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", "enum": [ - "veryLow", + "certain", + "high", "low", "medium", - "high", "veryHigh", - "certain" + "veryLow" ], - "description": "Likelihood level", "meta:enum": { - "veryLow": "Very unlikely to occur (< 10%)", - "low": "Unlikely to occur (10-30%)", - "medium": "Possible to occur (30-60%)", - "high": "Likely to occur (60-90%)", - "veryHigh": "Very likely to occur (> 90%)", - "certain": "Will certainly occur (100%)" + "certain": "Almost certain to occur (> 90% probability).", + "high": "Likely to occur (60-90% probability).", + "low": "Unlikely to occur (10-30% probability).", + "medium": "Possible to occur (30-60% probability).", + "veryHigh": "Very likely to occur (75-90% probability).", + "veryLow": "Very unlikely to occur (< 10% probability)." } }, "score": { "type": "number", "minimum": 0, - "maximum": 10, + "maximum": 5, "description": "Numeric likelihood score" }, "probability": { 
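Review bot: The new `meta:enum` bands for `likelihood.level` overlap: `high` is "60-90%" and `veryHigh` is "75-90%", so a 80% likelihood maps to both, and `certain` is now "> 90%", which is the range the old `veryHigh` occupied. Hunk -7945 repeats the same overlapping bands for `likelihoodFactor.level` (as "influence"), so both should be fixed together; if the intended split is five contiguous bands, `"high": "Likely to occur (60-75% probability)."` and `"veryHigh": "Very likely to occur (75-90% probability)."` would remove the overlap. Alphabetising the enum also discards the ordinal order the old list expressed (`veryLow` … `certain`); a sentence in the `description` stating that consumers must not derive ranking from enum position, or spelling out the ranking, would avoid silent misordering in tooling that compares levels.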
@@ -7945,12 +10574,136 @@ "maximum": 1, "description": "Probability as a decimal (0-1)" }, + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor" + }, + "description": "Factors considered when determining the likelihood level" + }, "rationale": { "type": "string", "description": "Justification for the likelihood rating" } } }, + "likelihoodFactor": { + "type": "object", + "title": "Likelihood Factor", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.", + "minLength": 1 + }, + "type": { + "title": "Type", + "description": "The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "oneOf": [ + { + "title": "Predefined Likelihood Factor Type", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.", + "type": "string", + "additionalProperties": false, + "enum": [ + "attackVector", + "controlEffectiveness", + "exploitMaturity", + "exposure", + "motivation", + "opportunity", + "other", + "threatCapability", + "vulnerability" + ], + "meta:enum": { + "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.", + "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", + "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.", + "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", + "other": "A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.", + "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." + } + }, + { + "title": "Custom Likelihood Factor Type", + "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the custom likelihood factor type.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment." + } + } + } + ] + }, + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", + "enum": [ + "certain", + "high", + "low", + "medium", + "veryHigh", + "veryLow" + ], + "meta:enum": { + "certain": "This factor almost certainly contributes to risk realization (> 90% influence).", + "high": "This factor strongly contributes to risk realization (60-90% influence).", + "low": "This factor has limited contribution to risk realization (10-30% influence).", + "medium": "This factor moderately contributes to risk realization (30-60% influence).", + "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).", + "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)." 
+ } + }, + "score": { + "type": "number", + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.", + "minimum": 0, + "maximum": 5 + }, + "weight": { + "type": "number", + "title": "Weight", + "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.", + "minimum": 0, + "maximum": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, "impact": { "type": "object", "required": [ @@ -7964,8 +10717,7 @@ "negligible", "low", "moderate", - "high", - "severe", + "major", "catastrophic" ], "description": "Impact severity level", @@ -7973,8 +10725,7 @@ "negligible": "Minimal impact with no significant consequences", "low": "Minor impact with limited consequences", "moderate": "Moderate impact affecting some operations", - "high": "Significant impact with serious consequences", - "severe": "Severe impact with critical consequences", + "major": "Significant impact with serious consequences", "catastrophic": "Catastrophic impact with existential consequences" } }, @@ -8091,7 +10842,7 @@ }, "score": { "type": "number", - "minimum": 0, + "minimum": 1, "description": "Numeric risk score" }, "vector": { 
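Review bot: In hunk -7945 the "Predefined Likelihood Factor Type" branch of `type.oneOf` sets `"additionalProperties": false` on a schema whose `"type"` is `"string"`; `additionalProperties` only applies to objects, so the keyword is dead and reads like a copy from the sibling object branch — drop it. The `weight` description says weights "can be used to produce a weighted average likelihood score" but nothing states whether weights across the `factors` array are expected to sum to 1 or are normalised by the consumer; if normalisation is intended, say so in the description. `factors` also lacks `uniqueItems`, unlike the other arrays the commit touches. The enclosing `likelihood` object opens before the hunk.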
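Review bot: Hunk -8091 raises `riskScore.score` to `"minimum": 1` while `likelihood.score` (hunk -7915) still admits 0 and `likelihoodFactor.score` describes 0 as "no contribution"; if a risk score is ever derived multiplicatively from likelihood, a zero likelihood becomes unrepresentable. Either the `description` should state the scale and why 0 is excluded, e.g. `"description": "Numeric risk score on the methodology's scale; 0 is not a valid score because ..."`, or the minimum should stay aligned with the likelihood scale. The `riskScore` definition starts and ends outside the hunk, so any `maximum` it carries is not visible here.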
@@ -8104,50 +10855,46 @@ } } }, - "mitigation": { + "riskResponse": { "type": "object", "required": [ "bom-ref", - "name", - "type" + "mitigations", + "mitigationPlan" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "name": { - "type": "string", - "description": "Name of the mitigation" + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" + }, + "description": "Mitigations applied to this risk response" }, - "description": { - "type": "string", - "description": "Description of what the mitigation does" + "mitigationPlan": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan" + } + } + }, + "mitigation": { + "type": "object", + "required": [ + "bom-ref", + "reference" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" }, - "type": { - "type": "string", - "enum": [ - "avoid", - "reduce", - "transfer", - "accept", - "control", - "countermeasure", - "safeguard", - "practice", - "procedure" - ], - "meta:enum": { - "avoid": "Avoid the risk entirely", - "reduce": "Reduce likelihood or impact", - "transfer": "Transfer risk to another party", - "accept": "Accept the risk", - "control": "Preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "safeguard": "Protective measure", - "practice": "Risk management practice", - "procedure": "Documented procedure" - } + "reference": { + "description": "Reference to a mitigation/control implementing the response.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "strategy": { "type": "string", 
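Review bot: `riskResponse` now requires both `mitigations` (embedded `mitigation` objects) and `mitigationPlan`, and the plan (hunks -8211/-8228) in turn requires its own `mitigations` list of bom-refs, so the same set is stated twice and nothing constrains the plan's refs to the entries embedded in the response. Either one of the two lists should go, or the `mitigationPlan.mitigations` description should say it may only reference entries from the enclosing response. The new `mitigation.reference` is described as "Reference to a mitigation/control implementing the response." but does not say what kind of element the bom-ref may resolve to; a more useful line would be `"description": "bom-ref of the element (for example a component, service or definition) that implements this mitigation."` — adjust to whatever targets are actually allowed. The `mitigation` definition continues past the end of the hunk.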
@@ -8164,6 +10911,21 @@ "recover": "Recovers from the impact" } }, + "type": { + "type": "string", + "enum": [ + "control", + "countermeasure", + "procedure", + "removal" + ], + "meta:enum": { + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "procedure": "Documented procedure", + "removal": "Removing a risky component or asset" + } + }, "status": { "type": "string", "enum": [ 
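Review bot: The new `mitigation.type` enum carries no `title` or `description`, unlike the other enums this commit touches; `"description": "The kind of measure the referenced element provides."` would match them. Its values `control`, `countermeasure` and `procedure` are also repeated in `mitigationPlan.type` (hunk -8211) alongside treatment strategies such as `avoid` and `transfer`, so a plan and each of its mitigations can carry contradictory kinds; narrowing the plan enum to treatment strategies, or documenting which level is authoritative, would remove the ambiguity. The enclosing `mitigation` object begins and ends outside the hunk.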
@@ -8211,14 +10973,87 @@ "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": "References to scenarios this mitigation addresses" + "description": "References to scenarios this plan addresses" }, "implementedBy": { "type": "array", "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": "References to assets that implement this mitigation" + "description": "References to assets that implement this plan" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "mitigationPlan": { + "type": "object", + "required": [ + "name", + "type", + "status", + "mitigations" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the mitigation plan" + }, + "description": { + "type": "string", + "description": "Description of what the plan covers" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Safeguards mitigating adverse events", + "practice": "Operational or governance practice", + "procedure": "Documented procedure" + } + }, + "status": { + "type": "string", + "enum": [ + "proposed", + "approved", + "planned", + "inProgress", + "implemented", + "verified" + ], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + 
"implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, "externalReferences": { "type": "array", @@ -8228,6 +11063,14 @@ }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "List of mitigation bom-refs chosen for this plan" } } }, @@ -8238,8 +11081,8 @@ "percentage": { "type": "number", "minimum": 0, - "maximum": 100, - "description": "Effectiveness as percentage" + "maximum": 1, + "description": "Effectiveness as decimal" }, "rating": { "type": "string", 
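Review bot: The `mitigationPlan.status` `meta:enum` texts in hunk -8211 say "Mitigation has been proposed/approved/implemented", but the enum describes the plan, not an individual mitigation, which the renamed descriptions just above ("this plan addresses", "implement this plan") make a deliberate distinction. Rewording to `"proposed": "Plan has been proposed"` and likewise for `approved` and `implemented` keeps the two levels distinct. `mitigationPlan` continues into hunk -8228, where the required `mitigations` property is defined.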
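Review bot: Hunk -8238 changes the `percentage` field to a 0–1 range described as "Effectiveness as decimal", but the key is still named `percentage`, so a reader seeing `"percentage": 0.8` will not know whether that is 0.8% or 80%. If the 0–1 range is intended, rename or at least make the description unambiguous, e.g. `"description": "Effectiveness as a fraction between 0 and 1 (0.8 means 80% effective)"`. The enclosing object opens before the hunk.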
@@ -8282,106 +11125,72 @@ ], "meta:enum": { "initial": "Initial risk assessment", - "periodic": "Scheduled periodic assessment", - "continuous": "Continuous monitoring assessment", - "triggered": "Event-triggered assessment" - } - }, - "timestamp": { - "type": "string", - "format": "date-time", - "description": "When the assessment was performed" - }, - "assessor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Who performed the assessment" - }, - "summary": { - "type": "string", - "description": "Executive summary of the assessment" - }, - "findings": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/finding" - }, - "description": "Specific findings from the assessment" - }, - "overallRisk": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore", - "description": "Overall risk score/level" - }, - "recommendations": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Recommendations from the assessment" - }, - "nextReview": { - "type": "string", - "format": "date-time", - "description": "When the next review should occur" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "finding": { - "type": "object", - "required": [ - "title", - "severity" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } }, - "title": { + "timestamp": { "type": "string", - "description": "Title of the finding" + "format": "date-time", + "description": "When the assessment was performed" }, - "description": { - "type": "string", - "description": "Detailed description of the finding" + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" }, - 
"severity": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity" + "summary": { + "type": "string", + "description": "Executive summary of the assessment" }, - "relatedScenarios": { + "risks": { "type": "array", "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": "Scenarios related to this finding" + "description": "References to risk entries evaluated in this assessment" }, - "relatedAssets": { + "overallRisk": { + "type": "object", + "required": [ + "method", + "score" + ], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": [ + "sum", + "average", + "custom" + ], + "description": "Aggregation method used to derive the overall risk" + }, + "score": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "Optional explanation for custom aggregation approaches" + } + }, + "description": "Aggregated risk result for this assessment" + }, + "recommendations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "type": "string" }, - "description": "Assets affected by this finding" + "description": "Recommendations from the assessment" }, - "remediation": { + "nextReview": { "type": "string", - "description": "Recommended remediation" + "format": "date-time", + "description": "When the next review should occur" }, - "status": { - "type": "string", - "enum": [ - "open", - "inProgress", - "resolved", - "accepted" - ], - "meta:enum": { - "open": "Finding is open and unaddressed", - "inProgress": "Remediation is in progress", - "resolved": "Finding has been resolved", - "accepted": "Risk has been accepted" - } + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, 
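Review bot: The new `overallRisk.method` enum (`sum`, `average`, `custom`) has no `meta:enum`, while every other enum in this commit gained one; adding entries such as `"sum": "Overall score is the sum of the referenced risk scores"` would keep the schema self-describing. `sum` also stores its result in a `riskScore`, whose `score` now has `"minimum": 1` (hunk -8091) and possibly a maximum defined outside this view; if such a maximum exists a sum of several risks may not be representable, so the aggregation rule should state how out-of-range sums are handled. The hunk deletes the `finding` definition and hunk -9136 removes one `$ref` to `severity`; any other `$ref` to either that survives elsewhere in the file would now dangle and should be checked.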
@@ -8843,6 +11652,13 @@ "attackPattern": { "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference" }, + "abuseCases": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that illustrate how this threat can be exercised" + }, "weakness": { "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference" }, @@ -9007,17 +11823,6 @@ }, "description": "Primary motivations" }, - "capability": { - "type": "string", - "enum": [ - "minimal", - "limited", - "moderate", - "significant", - "advanced" - ], - "description": "Overall capability level" - }, "intent": { "type": "string", "enum": [ @@ -9113,6 +11918,45 @@ } } }, + "abuseCase": { + "type": "object", + "required": [ + "bom-ref", + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the abuse case" + }, + "description": { + "type": "string", + "description": "Narrative describing how the system can be misused or abused" + }, + "abuser": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference (bom-ref) to a threat actor involved in the abuse case" + }, + "targets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References (bom-refs) to assets or flows targeted in this abuse case" + }, + "steps": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered steps the abuser follows" + } + } + }, "attackPattern": { "type": "object", "required": [ 
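Review bot: The new `abuseCase` definition in hunk -9113 has no `properties` or `externalReferences` extension point, while the sibling definitions this commit adds (`risk`, `mitigation`, `useCase`) all close with `"properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }`; without it an abuse case cannot carry organisation-specific metadata. The `abuseCases` array in hunk -8843 is also the only new array here without `uniqueItems`. `abuser` and `targets` say in prose which element types they should reference, which is useful since `refType` cannot enforce it.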
@@ -9136,18 +11980,6 @@ "type": "string", "description": "Description of the attack pattern" }, - "severity": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/severity" - }, - "likelihood": { - "type": "string", - "enum": [ - "low", - "medium", - "high" - ], - "description": "Likelihood of this pattern being used" - }, "prerequisites": { "type": "array", "items": { 
@@ -9764,197 +12596,211 @@ "cyclonedx-usecase-2.0": { "type": "null", "title": "CycloneDX Use Case Model", - "properties": { - "bom-ref": { - "type": "string", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the use case elsewhere in the BOM. Every bom-ref must be unique within the BOM." - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name or title of the use case." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A detailed description of the use case." - }, - "actors": { - "type": "array", - "title": "Actors", - "description": "The stakeholders or users who interact with the system in this use case.", - "items": { - "type": "string" - } - }, - "preconditions": { - "type": "array", - "title": "Preconditions", - "description": "Conditions that must be true before the use case can be executed.", - "items": { - "type": "string" - } - }, - "postconditions": { - "type": "array", - "title": "Postconditions", - "description": "Conditions that will be true after the use case has been successfully executed.", - "items": { - "type": "string" - } - }, - "mainFlow": { - "type": "array", - "title": "Main Flow", - "description": "The primary sequence of steps that describe the use case.", - "items": { - "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" - } - }, - "alternativeFlows": { - "type": "array", - "title": "Alternative Flows", - "description": "Alternative sequences of steps that may occur in the use case.", - "items": { - "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" - } - }, - "exceptions": { - "type": "array", - "title": "Exceptions", - "description": "Error scenarios that may occur during the execution of the use case.", - "items": { - "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" - } - }, - "successCriteria": { + "$defs": { + "useCases": { "type": "array", - "title": "Success Criteria", - "description": "Criteria that determine 
whether the use case has been successfully executed.", + "title": "Use Cases", + "uniqueItems": true, "items": { - "type": "string" - } + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase" + }, + "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals." }, - "notes": { - "type": "array", - "title": "Notes", - "description": "Additional information or comments about the use case.", - "items": { - "type": "string" + "useCase": { + "type": "object", + "title": "Use Case", + "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution." + }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." 
+ }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases." + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced." + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome." + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" + }, + "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome." + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" + }, + "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully." 
+ }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off." + }, + "notes": { + "type": "array", + "title": "Notes", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } } }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", - "items": { - "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/property" - } - } - }, - "$defs": { "step": { "type": "object", "title": "Step", - "description": "A single step in a use case flow.", + "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.", + "required": [ + "number", + "description" + ], "additionalProperties": false, "properties": { "number": { "type": "integer", "title": "Number", - "description": "The sequence number of the step." + "minimum": 1, + "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1." }, "description": { "type": "string", "title": "Description", - "description": "A description of the step." + "minLength": 1, + "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." 
}, "actor": { - "type": "string", - "title": "Actor", - "description": "The actor who performs this step." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." } } }, "flow": { "type": "object", "title": "Flow", - "description": "A sequence of steps in a use case.", + "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.", + "required": [ + "name", + "condition" + ], "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", - "description": "The name of the flow." + "minLength": 1, + "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')." }, "description": { "type": "string", "title": "Description", - "description": "A description of the flow." + "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies." }, "condition": { "type": "string", "title": "Condition", - "description": "The condition under which this alternative flow is executed." + "minLength": 1, + "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path." }, "steps": { "type": "array", "title": "Steps", - "description": "The sequence of steps in the flow.", "items": { "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" - } + }, + "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps." 
} } }, "exception": { "type": "object", "title": "Exception", - "description": "An error scenario in a use case.", + "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.", + "required": [ + "name", + "condition" + ], "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", - "description": "The name of the exception." + "minLength": 1, + "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')." }, "description": { "type": "string", "title": "Description", - "description": "A description of the exception." + "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved." }, "condition": { "type": "string", "title": "Condition", - "description": "The condition under which this exception occurs." + "minLength": 1, + "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case." }, "handling": { "type": "string", "title": "Handling", - "description": "How the exception is handled." - } - } - }, - "property": { - "type": "object", - "title": "Property", - "description": "A name-value property.", - "additionalProperties": false, - "required": [ - "name", - "value" - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the property." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value of the property." + "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." } } } 
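Review bot: `step.number` is now required with `"minimum": 1`, yet the surrounding `mainFlow` and `flow.steps` arrays already encode order, and the schema cannot enforce that numbers are unique or contiguous, so a consumer facing `[{number: 2}, {number: 1}]` has no stated rule. The `number` description should say which ordering is authoritative, e.g. `"description": "The ordinal position of this step within its flow, starting at 1; array order and number are expected to agree, and array order governs where they differ."` — adjust to the intended rule. `useCase` gained a `properties` extension point but `step`, `flow` and `exception` did not, which is inconsistent with the rest of the commit, and `actors` items are `refType` without saying which element kind they are expected to resolve to.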
@@ -10574,6 +13420,9 @@ "definitions": { "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions" }, + "blueprints": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints" + }, "citations": { "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations" }, From 38a2a23912111367738fb0ab7287b89646bbff49 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 26 Mar 2026 19:44:36 -0500 Subject: [PATCH 18/44] Behavior and blueprint updates. Minor changes to data schema Signed-off-by: Steve Springett --- .../model/cyclonedx-behavior-2.0.schema.json | 1630 +---------------- .../model/cyclonedx-blueprint-2.0.schema.json | 25 +- .../2.0/model/cyclonedx-data-2.0.schema.json | 167 +- schema/behavior-taxonomy.schema.json | 1492 +++++++++++++++ tools/src/main/js/bundler/bundle-schemas.js | 1 + 5 files changed, 1740 insertions(+), 1575 deletions(-) create mode 100644 schema/behavior-taxonomy.schema.json diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json index 25814a61d..c9ac42d7a 100644 --- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json 
@@ -4,78 +4,7 @@ "type": "null", "title": "CycloneDX Behavior Model", "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", - "properties": { - "behaviors": { - "$ref": "#/$defs/behaviors" - } - }, "$defs": { - "trigger": { - "type": "string", - "title": "Trigger", - "description": "The condition or event that initiates a behavior.", - "enum": [ - "startup", - "shutdown", - "scheduled", - "event-driven", - "user-initiated", - "api-call", - "signal", - "condition-based", - "continuous", - "on-demand", - "unknown" - ], - "meta:enum": { - "startup": "Triggered during system or component initialisation.", - "shutdown": "Triggered during system or component termination.", - "scheduled": "Triggered at predetermined times or intervals.", - "event-driven": "Triggered in response to a specific event.", - "user-initiated": "Triggered by explicit user action.", - "api-call": "Triggered by an API invocation.", - "signal": "Triggered by a system or inter-process signal.", - "condition-based": "Triggered when specific conditions are met.", - "continuous": "Runs continuously during normal operation.", - "on-demand": "Triggered on demand as needed.", - "unknown": "The trigger mechanism is not known." - } - }, - "ordering": { - "type": "string", - "title": "Ordering", - "description": "Execution semantics for steps within a flow.", - "default": "sequential", - "enum": [ - "sequential", - "unordered", - "parallel", - "conditional" - ], - "meta:enum": { - "sequential": "Steps execute in ordinal order. 
Each completes before the next begins.", - "unordered": "All steps execute, but order is not guaranteed.", - "parallel": "Steps may execute concurrently.", - "conditional": "Step execution is determined by runtime conditions." - } - }, - "acknowledgment": { - "type": "array", - "title": "Acknowledgment", - "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.", - "uniqueItems": true, - "items": { - "type": "string", - "enum": [ - "declared", - "observed" - ], - "meta:enum": { - "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.", - "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." - } - } - }, "behaviors": { "type": "object", "title": "Behaviors", @@ -113,7 +42,7 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, "behavior": { - "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior", + "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", "description": "The behavior from the taxonomy." }, 
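Review bot: The new `"$ref": "../behavior-taxonomy.schema.json"` is a relative reference whose result depends on which base URI the consumer resolves it against, and the two plausible bases disagree: the diffstat creates the taxonomy at `schema/behavior-taxonomy.schema.json`, two directory levels above this file's `schema/2.0/model/`, so a validator that resolves against the on-disk location (which the sibling same-directory refs such as `cyclonedx-common-2.0.schema.json#/$defs/refType` permit) will look for `schema/2.0/behavior-taxonomy.schema.json` and fail, whereas resolution against an `$id` ending in `/schema/2.0/` would reach the intended file. This file's `$id` is on line 3, just outside the hunk, so I cannot confirm which base is intended; rather than relying on how `tools/src/main/js/bundler/bundle-schemas.js` rewrites the ref at bundle time, give the taxonomy its own `$id` and reference it by that absolute identifier, or state in `$comment` that the unbundled schema is not meant to validate standalone. The same ref is introduced for the step-level `behavior` in the later `@@ -205,7 +200,7 @@` hunk and should be handled identically. The enclosing `behaviors` definition continues outside this hunk.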
@@ -143,6 +72,72 @@ } } }, + "trigger": { + "type": "string", + "title": "Trigger", + "description": "The condition or event that initiates a behavior.", + "enum": [ + "startup", + "shutdown", + "scheduled", + "event-driven", + "user-initiated", + "api-call", + "signal", + "condition-based", + "continuous", + "on-demand", + "unknown" + ], + "meta:enum": { + "startup": "Triggered during system or component initialisation.", + "shutdown": "Triggered during system or component termination.", + "scheduled": "Triggered at predetermined times or intervals.", + "event-driven": "Triggered in response to a specific event.", + "user-initiated": "Triggered by explicit user action.", + "api-call": "Triggered by an API invocation.", + "signal": "Triggered by a system or inter-process signal.", + "condition-based": "Triggered when specific conditions are met.", + "continuous": "Runs continuously during normal operation.", + "on-demand": "Triggered on demand as needed.", + "unknown": "The trigger mechanism is not known." + } + }, + "ordering": { + "type": "string", + "title": "Ordering", + "description": "Execution semantics for steps within a flow.", + "default": "sequential", + "enum": [ + "sequential", + "unordered", + "parallel", + "conditional" + ], + "meta:enum": { + "sequential": "Steps execute in ordinal order. Each completes before the next begins.", + "unordered": "All steps execute, but order is not guaranteed.", + "parallel": "Steps may execute concurrently.", + "conditional": "Step execution is determined by runtime conditions." + } + }, + "acknowledgment": { + "type": "array", + "title": "Acknowledgment", + "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "declared", + "observed" + ], + "meta:enum": { + "declared": "The behavior was explicitly declared, designed, or expected. 
Typically used for threat modelling, security requirements, and architectural documentation.", + "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." + } + } + }, "behaviorFlow": { "type": "object", "title": "Behavior Flow", @@ -205,7 +200,7 @@ "minimum": 1 }, "behavior": { - "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior", + "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'." }, 
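Review bot: The re-added `acknowledgment` array accepts an empty list: `uniqueItems` together with the two-value enum bounds it above at two entries, but nothing bounds it below, so `"acknowledgment": []` validates while conveying neither "declared" nor "observed", which is the distinction the `meta:enum` text says downstream threat-modelling versus detection consumers rely on. Add `"minItems": 1` next to `"uniqueItems": true` so a present-but-empty value is rejected. It would also help to say in the description that membership, not array order, carries meaning, since `uniqueItems` does not constrain order and the text "Multiple values indicate ..." could be read as positional. The definitions in this hunk are otherwise the ones deleted by the earlier `@@ -4,78 +4,7 @@` hunk, and the enclosing `$defs` object continues outside the hunk.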
@@ -246,1495 +241,6 @@ { "required": ["ref"] }, { "required": ["flow"] } ] - }, - "behavior": { - "type": "string", - "title": "Behavior", - "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.", - "enum": [ - "ai", - "ai:agent", - "ai:agent:actsOnBehalfOfUser", - "ai:agent:coordinatesAgents", - "ai:agent:delegatesTask", - "ai:agent:executesAction", - "ai:agent:invokesTool", - "ai:agent:observesResult", - "ai:agent:plansAction", - "ai:agent:receivesHumanDelegation", - "ai:agent:reflectsOnResult", - "ai:agent:reportsDelegatedAction", - "ai:agent:requestsUserApproval", - "ai:agent:returnsDelegation", - "ai:agent:revisesPlan", - "ai:explainability", - "ai:explainability:attributesFeatures", - "ai:explainability:documentsModel", - "ai:explainability:explainsDecision", - "ai:explainability:tracesPrediction", - "ai:explainability:visualizesModel", - "ai:fairness", - "ai:fairness:auditsModelFairness", - "ai:fairness:calculatesFairnessMetric", - "ai:fairness:detectsBias", - "ai:fairness:handlesProtectedAttribute", - "ai:fairness:mitigatesBias", - "ai:generative", - "ai:generative:citesSource", - "ai:generative:filtersOutput", - "ai:generative:generatesAudio", - "ai:generative:generatesCode", - "ai:generative:generatesEmbedding", - "ai:generative:generatesImage", - "ai:generative:generatesText", - "ai:generative:mitigatesHallucination", - "ai:generative:processesPrompt", - "ai:generative:streamsResponse", - "ai:inference", - "ai:inference:appliesThreshold", - "ai:inference:batchesInference", - "ai:inference:cachesPrediction", - "ai:inference:ensemblesModels", - "ai:inference:generatesPrediction", - "ai:inference:infersInRealTime", - "ai:inference:ranksResults", - "ai:inference:scoresConfidence", - "ai:management", - "ai:management:comparesModels", - "ai:management:deploysModel", - 
"ai:management:loadsModel", - "ai:management:monitorsModel", - "ai:management:retiresModel", - "ai:management:rollsBackModel", - "ai:management:unloadsModel", - "ai:management:versionsModel", - "ai:quality", - "ai:quality:detectsConceptDrift", - "ai:quality:detectsDataDrift", - "ai:quality:detectsOutlier", - "ai:quality:engineersFeatures", - "ai:quality:selectsFeatures", - "ai:quality:validatesInputData", - "ai:robustness", - "ai:robustness:defendsAgainstAdversarial", - "ai:robustness:detectsAdversarialInput", - "ai:robustness:detectsOutOfDistribution", - "ai:robustness:estimatesUncertainty", - "ai:robustness:validatesRobustness", - "ai:training", - "ai:training:appliesTransferLearning", - "ai:training:checkpointsModel", - "ai:training:fineTunesModel", - "ai:training:ingestsTrainingData", - "ai:training:preprocessesTrainingData", - "ai:training:trainsFederatedly", - "ai:training:trainsModel", - "ai:training:tunesHyperparameters", - "ai:training:validatesModel", - "ai:training:validatesTrainingData", - "application", - "application:codeExecution", - "application:codeExecution:compilesCode", - "application:codeExecution:evaluatesExpression", - "application:codeExecution:executesNativeCommand", - "application:codeExecution:executesScript", - "application:codeExecution:interpretsCode", - "application:codeExecution:invokesViaReflection", - "application:codeExecution:loadsCodeDynamically", - "application:configuration", - "application:configuration:detectsEnvironment", - "application:configuration:evaluatesFeatureFlag", - "application:configuration:loadsConfiguration", - "application:configuration:reloadsConfiguration", - "application:controlFlow", - "application:controlFlow:awaitsAsyncResult", - "application:controlFlow:catchesException", - "application:controlFlow:emitsEvent", - "application:controlFlow:handlesEvent", - "application:controlFlow:invokesCallback", - "application:controlFlow:invokesHandler", - "application:controlFlow:invokesMiddleware", - 
"application:controlFlow:schedulesAsyncOperation", - "application:controlFlow:throwsException", - "application:dependencyManagement", - "application:dependencyManagement:closesCircuitBreaker", - "application:dependencyManagement:fallsBack", - "application:dependencyManagement:injectsDependency", - "application:dependencyManagement:opensCircuitBreaker", - "application:dependencyManagement:resolvesDependency", - "application:externalIntegration", - "application:externalIntegration:callsExternalService", - "application:externalIntegration:consumesEvent", - "application:externalIntegration:publishesEvent", - "application:externalIntegration:receivesWebhook", - "application:observability", - "application:observability:emitsTelemetry", - "application:observability:logsOperation", - "application:observability:recordsMetric", - "application:observability:reportsHealth", - "application:observability:tracesRequest", - "application:requestHandling", - "application:requestHandling:authenticatesRequest", - "application:requestHandling:authorizesRequest", - "application:requestHandling:bindsParameters", - "application:requestHandling:parsesRequest", - "application:requestHandling:receivesHttpRequest", - "application:requestHandling:rejectsRequest", - "application:requestHandling:routesRequest", - "application:requestHandling:validatesRequest", - "application:responseGeneration", - "application:responseGeneration:generatesResponse", - "application:responseGeneration:readsCookie", - "application:responseGeneration:redirectsRequest", - "application:responseGeneration:returnsError", - "application:responseGeneration:returnsSuccess", - "application:responseGeneration:sendsHttpResponse", - "application:responseGeneration:setsCookie", - "application:responseGeneration:setsHeader", - "application:stateManagement", - "application:stateManagement:acquiresLock", - "application:stateManagement:beginsTransaction", - "application:stateManagement:commitsTransaction", - 
"application:stateManagement:createsSessionState", - "application:stateManagement:destroysSessionState", - "application:stateManagement:readsSessionState", - "application:stateManagement:releasesLock", - "application:stateManagement:rollsBackTransaction", - "application:stateManagement:synchronizesState", - "application:stateManagement:updatesSessionState", - "data", - "data:encoding", - "data:encoding:appliesXor", - "data:encoding:decodesBaseSixtyFour", - "data:encoding:decodesUrl", - "data:encoding:encodesBaseSixtyFour", - "data:encoding:encodesUrl", - "data:ingestion", - "data:ingestion:pollsSource", - "data:ingestion:readsFile", - "data:ingestion:readsStream", - "data:ingestion:receivesInput", - "data:ingestion:receivesMessage", - "data:ingestion:receivesRequest", - "data:ingestion:subscribesToFeed", - "data:output", - "data:output:formatsResponse", - "data:output:producesOutput", - "data:output:publishesMessage", - "data:output:rendersTemplate", - "data:output:sendsResponse", - "data:output:serializesObject", - "data:output:streamsOutput", - "data:output:writesFile", - "data:parsing", - "data:parsing:decodesData", - "data:parsing:deserializesObject", - "data:parsing:extractsFields", - "data:parsing:parsesData", - "data:parsing:parsesHtml", - "data:parsing:parsesJson", - "data:parsing:parsesXml", - "data:query", - "data:query:executesLdapQuery", - "data:query:executesNoSqlQuery", - "data:query:executesSearch", - "data:query:executesSql", - "data:query:executesXPath", - "data:query:queriesData", - "data:storage", - "data:storage:cachesData", - "data:storage:deletesData", - "data:storage:flushesCache", - "data:storage:invalidatesCache", - "data:storage:retrievesData", - "data:storage:storesData", - "data:storage:updatesData", - "data:transformation", - "data:transformation:aggregatesData", - "data:transformation:compressesData", - "data:transformation:decompressesData", - "data:transformation:encodesData", - "data:transformation:enrichesData", - 
"data:transformation:filtersData", - "data:transformation:joinsData", - "data:transformation:mapsData", - "data:transformation:normalizesData", - "data:transformation:sortsData", - "data:transformation:transformsData", - "evasion", - "evasion:analysisResistance", - "evasion:analysisResistance:detectsAnalysisTool", - "evasion:analysisResistance:detectsDebugger", - "evasion:analysisResistance:detectsEmulator", - "evasion:analysisResistance:detectsSandbox", - "evasion:analysisResistance:detectsVirtualMachine", - "evasion:analysisResistance:evadesDebugger", - "evasion:analysisResistance:evadesEmulator", - "evasion:analysisResistance:evadesSandbox", - "evasion:analysisResistance:evadesVirtualMachine", - "evasion:analysisResistance:usesTimingEvasion", - "evasion:antiSecurity", - "evasion:antiSecurity:detectsAntivirus", - "evasion:antiSecurity:disablesSecuritySoftware", - "evasion:antiSecurity:evadesAntivirus", - "evasion:antiSecurity:terminatesSecurityProcess", - "evasion:indirection", - "evasion:indirection:resolvesApiDynamically", - "evasion:indirection:usesIndirectCalls", - "evasion:indirection:usesProxyExecution", - "evasion:obfuscation", - "evasion:obfuscation:obfuscatesCode", - "evasion:obfuscation:obfuscatesControlFlow", - "evasion:obfuscation:obfuscatesData", - "evasion:obfuscation:obfuscatesStrings", - "evasion:obfuscation:packsCode", - "evasion:obfuscation:unpacksAtRuntime", - "file", - "file:directory", - "file:directory:changesDirectory", - "file:directory:createsDirectory", - "file:directory:deletesDirectory", - "file:directory:listsDirectory", - "file:directory:traversesDirectory", - "file:disk", - "file:disk:decryptsVolume", - "file:disk:encryptsVolume", - "file:disk:formatsVolume", - "file:disk:mountsVolume", - "file:disk:unmountsVolume", - "file:disk:wipesDisk", - "file:operations", - "file:operations:appendsToFile", - "file:operations:checksFileExistence", - "file:operations:closesFile", - "file:operations:copiesFile", - "file:operations:createsFile", - 
"file:operations:deletesFile", - "file:operations:getsFileAttributes", - "file:operations:movesFile", - "file:operations:opensFile", - "file:operations:readsFile", - "file:operations:renamesFile", - "file:operations:setsFileAttributes", - "file:operations:setsFilePermissions", - "file:operations:writesFile", - "gui", - "gui:display", - "gui:display:displaysData", - "gui:display:monitorsDisplay", - "gui:display:updatesDisplay", - "gui:session", - "gui:session:displaysLogin", - "gui:session:interactsWithSession", - "gui:session:switchesSession", - "gui:window", - "gui:window:capturesWindow", - "gui:window:createsWindow", - "gui:window:destroysWindow", - "gui:window:enumeratesWindows", - "gui:window:interactsWithTaskbar", - "gui:window:modifiesWindow", - "hardware", - "hardware:actuator", - "hardware:actuator:calibratesActuator", - "hardware:actuator:controlsBattery", - "hardware:actuator:controlsHeating", - "hardware:actuator:controlsLed", - "hardware:actuator:controlsMotor", - "hardware:actuator:controlsPower", - "hardware:actuator:controlsPump", - "hardware:actuator:controlsTemperature", - "hardware:boot", - "hardware:boot:entersRecoveryMode", - "hardware:boot:executesSecureBoot", - "hardware:boot:locksBootConfiguration", - "hardware:boot:modifiesBootConfiguration", - "hardware:boot:readsBootConfiguration", - "hardware:boot:recordsBootMeasurement", - "hardware:boot:verifiesBootLoader", - "hardware:firmware", - "hardware:firmware:monitorsFirmwareIntegrity", - "hardware:firmware:preventsFirmwareRollback", - "hardware:firmware:readsFirmwareVersion", - "hardware:firmware:updatesFirmware", - "hardware:firmware:verifiesFirmwareSignature", - "hardware:memory", - "hardware:memory:encryptsMemory", - "hardware:memory:isolatesMemory", - "hardware:memory:protectsStack", - "hardware:memory:randomizesAddressSpace", - "hardware:memory:readsProtectedMemory", - "hardware:memory:writesProtectedMemory", - "hardware:peripheral", - "hardware:peripheral:accessesCamera", - 
"hardware:peripheral:accessesDisplay", - "hardware:peripheral:accessesGpio", - "hardware:peripheral:accessesJtag", - "hardware:peripheral:accessesKeyboard", - "hardware:peripheral:accessesStorageDevice", - "hardware:peripheral:accessesUsbDevice", - "hardware:peripheral:configuresDma", - "hardware:peripheral:protectsDma", - "hardware:physicalSecurity", - "hardware:physicalSecurity:detectsPhysicalTamper", - "hardware:physicalSecurity:disablesDebugInterface", - "hardware:physicalSecurity:enablesDebugInterface", - "hardware:physicalSecurity:monitorsEnclosure", - "hardware:physicalSecurity:respondsToTamper", - "hardware:physicalSecurity:zeroizesKeys", - "hardware:security", - "hardware:security:anchorsInHardwareRoot", - "hardware:security:executesInTee", - "hardware:security:generatesPufResponse", - "hardware:security:usesHsm", - "hardware:security:usesSecureElement", - "hardware:sensor", - "hardware:sensor:calibratesSensor", - "hardware:sensor:readsBatteryStatus", - "hardware:sensor:readsBloodOxygen", - "hardware:sensor:readsBloodPressure", - "hardware:sensor:readsCoTwoLevel", - "hardware:sensor:readsEcg", - "hardware:sensor:readsPowerStatus", - "hardware:sensor:readsTemperature", - "hardware:sideChannelDefense", - "hardware:sideChannelDefense:controlsEmEmissions", - "hardware:sideChannelDefense:resistsFaultInjection", - "hardware:sideChannelDefense:resistsPowerAnalysis", - "hardware:sideChannelDefense:resistsTimingAnalysis", - "network", - "network:connection", - "network:connection:acceptsConnection", - "network:connection:detectsConnectionLoss", - "network:connection:establishesConnection", - "network:connection:reconnects", - "network:connection:reusesConnection", - "network:connection:sendsHeartbeat", - "network:connection:terminatesConnection", - "network:discovery", - "network:discovery:advertisesService", - "network:discovery:discoversService", - "network:discovery:enumeratesInterfaces", - "network:discovery:probesPort", - "network:discovery:queriesDns", - 
"network:discovery:resolvesName", - "network:discovery:scansNetwork", - "network:protocol", - "network:protocol:downgradesProtocol", - "network:protocol:framesMessage", - "network:protocol:negotiatesProtocol", - "network:protocol:parsesMessage", - "network:protocol:retransmitsMessage", - "network:protocol:upgradesProtocol", - "network:protocol:validatesMessage", - "network:remoteInteraction", - "network:remoteInteraction:accessesRemoteDesktop", - "network:remoteInteraction:accessesRemoteShell", - "network:remoteInteraction:executesRemoteCommand", - "network:remoteInteraction:invokesRemoteProcedure", - "network:remoteInteraction:sendsEmail", - "network:remoteInteraction:sendsSms", - "network:remoteInteraction:transfersFile", - "network:routing", - "network:routing:configuresProxy", - "network:routing:forwardsPacket", - "network:routing:redirectsTraffic", - "network:routing:routesTraffic", - "network:routing:tunnelsTraffic", - "network:trafficControl", - "network:trafficControl:balancesLoad", - "network:trafficControl:filtersTraffic", - "network:trafficControl:inspectsTraffic", - "network:trafficControl:interceptsTraffic", - "network:trafficControl:limitsRate", - "network:trafficControl:modifiesTraffic", - "network:trafficControl:shapesTraffic", - "network:transmission", - "network:transmission:broadcastsData", - "network:transmission:multicastsData", - "network:transmission:receivesData", - "network:transmission:sendsData", - "network:transmission:streamsData", - "privacy", - "privacy:collection", - "privacy:collection:capturesAudio", - "privacy:collection:capturesKeystrokes", - "privacy:collection:capturesScreen", - "privacy:collection:capturesVideo", - "privacy:collection:collectsBehavioralData", - "privacy:collection:collectsBiometricData", - "privacy:collection:collectsCommunicationContent", - "privacy:collection:collectsDeviceInformation", - "privacy:collection:collectsFinancialData", - "privacy:collection:collectsHealthData", - 
"privacy:collection:collectsInBackground", - "privacy:collection:collectsLocationData", - "privacy:collection:collectsPersonalData", - "privacy:collection:collectsSilently", - "privacy:collection:readsBrowserHistory", - "privacy:collection:readsClipboard", - "privacy:deletion", - "privacy:deletion:clearsCache", - "privacy:deletion:deletesPersonalData", - "privacy:deletion:erasesSecurely", - "privacy:deletion:purgesFromBackup", - "privacy:deletion:redactsData", - "privacy:inference", - "privacy:inference:correlatesData", - "privacy:inference:createsProfile", - "privacy:inference:fingerprintsDevice", - "privacy:inference:infersPersonalInformation", - "privacy:inference:linksIdentities", - "privacy:inference:tracksUser", - "privacy:minimization", - "privacy:minimization:aggregatesData", - "privacy:minimization:anonymizesData", - "privacy:minimization:filtersData", - "privacy:minimization:generalizesData", - "privacy:minimization:limitsCollection", - "privacy:minimization:limitsProcessing", - "privacy:minimization:pseudonymizesData", - "privacy:privacyEnhancement", - "privacy:privacyEnhancement:addsDifferentialPrivacy", - "privacy:privacyEnhancement:computesMultiparty", - "privacy:privacyEnhancement:processesHomomorphically", - "privacy:privacyEnhancement:processesLocally", - "privacy:retention", - "privacy:retention:archivesData", - "privacy:retention:backsUpData", - "privacy:retention:enforcesRetentionPeriod", - "privacy:retention:retainsBeyondPurpose", - "privacy:retention:retainsInCache", - "privacy:retention:retainsInLog", - "privacy:retention:storesPersonalData", - "privacy:sharing", - "privacy:sharing:disclosesToThirdParty", - "privacy:sharing:exportsData", - "privacy:sharing:publishesData", - "privacy:sharing:sellsData", - "privacy:sharing:sharesWithAffiliate", - "privacy:sharing:transfersCrossBorder", - "privacy:subjectRights", - "privacy:subjectRights:correctsData", - "privacy:subjectRights:exportsDataPortably", - "privacy:subjectRights:honorsErasureRequest", 
- "privacy:subjectRights:honorsObjection", - "privacy:subjectRights:providesDataAccess", - "privacy:subjectRights:restrictsProcessing", - "privacy:transparency", - "privacy:transparency:disclosesProcessing", - "privacy:transparency:displaysPrivacyNotice", - "privacy:transparency:explainsAutomatedDecision", - "privacy:transparency:recordsConsent", - "privacy:transparency:requestsConsent", - "privacy:transparency:withdrawsConsent", - "safety", - "safety:autonomousBehavior", - "safety:autonomousBehavior:acceptsOverride", - "safety:autonomousBehavior:enforcesHumanInLoop", - "safety:autonomousBehavior:explainsDecision", - "safety:autonomousBehavior:requestsGuidance", - "safety:autonomousBehavior:respectsDecisionBoundary", - "safety:contentSafety", - "safety:contentSafety:detectsHarmfulContent", - "safety:contentSafety:detectsMisinformation", - "safety:contentSafety:enforcesAgeRestriction", - "safety:contentSafety:filtersContent", - "safety:contentSafety:labelsContent", - "safety:harmPrevention", - "safety:harmPrevention:preventsEnvironmentalHarm", - "safety:harmPrevention:preventsPropertyDamage", - "safety:harmPrevention:preventsUserHarm", - "safety:harmPrevention:protectsBystanders", - "safety:hazardManagement", - "safety:hazardManagement:assessesRisk", - "safety:hazardManagement:identifiesHazard", - "safety:hazardManagement:mitigatesHazard", - "safety:hazardManagement:reportsHazard", - "safety:humanInteraction", - "safety:humanInteraction:adaptsForAccessibility", - "safety:humanInteraction:managesCognitiveLoad", - "safety:humanInteraction:requestsConfirmation", - "safety:humanInteraction:warnsOperator", - "safety:operationalSafety", - "safety:operationalSafety:acceptsManualOverride", - "safety:operationalSafety:enforcesInterlock", - "safety:operationalSafety:enforcesOperatingLimits", - "safety:operationalSafety:executesEmergencyStop", - "safety:operationalSafety:monitorsWatchdog", - "safety:operationalSafety:validatesSafetyCondition", - "security", - 
"security:auditing", - "security:auditing:logsEvent", - "security:auditing:logsSecurityEvent", - "security:auditing:protectsAuditLog", - "security:auditing:purgesLog", - "security:auditing:rotatesLog", - "security:auditing:signsLogEntry", - "security:auditing:timestampsEvent", - "security:auditing:transmitsLog", - "security:authentication", - "security:authentication:authenticatesDevice", - "security:authentication:authenticatesService", - "security:authentication:authenticatesUser", - "security:authentication:bypassesAuthentication", - "security:authentication:capturesBiometric", - "security:authentication:delegatesAuthentication", - "security:authentication:failsAuthentication", - "security:authentication:locksAccount", - "security:authentication:performsMultiFactorAuthentication", - "security:authentication:promptsForCredentials", - "security:authentication:unlocksAccount", - "security:authentication:validatesBiometric", - "security:authentication:validatesCredentials", - "security:authorization", - "security:authorization:checksPermission", - "security:authorization:delegatesAuthority", - "security:authorization:deniesAccess", - "security:authorization:enforcesRole", - "security:authorization:escalatesPrivilege", - "security:authorization:evaluatesAttributes", - "security:authorization:evaluatesPolicy", - "security:authorization:grantsAccess", - "security:authorization:grantsImpersonation", - "security:authorization:impersonatesUser", - "security:authorization:requestsImpersonation", - "security:authorization:revokesAccess", - "security:authorization:revokesImpersonation", - "security:cryptography", - "security:cryptography:authenticates", - "security:cryptography:checksRevocation", - "security:cryptography:decryptsData", - "security:cryptography:decryptsDataAtRest", - "security:cryptography:decryptsDataInTransit", - "security:cryptography:decryptsDisk", - "security:cryptography:decryptsSecret", - "security:cryptography:destroysKey", - 
"security:cryptography:encryptsData", - "security:cryptography:encryptsDataAtRest", - "security:cryptography:encryptsDataInTransit", - "security:cryptography:encryptsDisk", - "security:cryptography:encryptsSecret", - "security:cryptography:ensuresAccountability", - "security:cryptography:ensuresConfidentiality", - "security:cryptography:ensuresIntegrity", - "security:cryptography:ensuresNonRepudiation", - "security:cryptography:exchangesKey", - "security:cryptography:generatesKey", - "security:cryptography:generatesRandomValue", - "security:cryptography:hashesData", - "security:cryptography:hashesPassword", - "security:cryptography:identifies", - "security:cryptography:issuesCertificate", - "security:cryptography:preservesPrivacy", - "security:cryptography:presentsClientCertificate", - "security:cryptography:presentsServerCertificate", - "security:cryptography:retrievesKey", - "security:cryptography:revokesCertificate", - "security:cryptography:rotatesKey", - "security:cryptography:signsCode", - "security:cryptography:signsData", - "security:cryptography:signsDocument", - "security:cryptography:storesKey", - "security:cryptography:usesIdentity", - "security:cryptography:validatesCertificate", - "security:cryptography:validatesToken", - "security:cryptography:verifiesCodeSignature", - "security:cryptography:verifiesDataSignature", - "security:cryptography:verifiesDocumentSignature", - "security:cryptography:verifiesHash", - "security:cryptography:verifiesSignature", - "security:cryptography:wrapsKey", - "security:errorHandling", - "security:errorHandling:catchesException", - "security:errorHandling:disclosesErrorDetails", - "security:errorHandling:failsClosed", - "security:errorHandling:failsOpen", - "security:errorHandling:generatesError", - "security:errorHandling:logsError", - "security:errorHandling:propagatesError", - "security:errorHandling:returnsGenericError", - "security:errorHandling:suppressesError", - "security:inputHandling", - 
"security:inputHandling:escapesInput", - "security:inputHandling:normalizesInput", - "security:inputHandling:rejectsInvalidInput", - "security:inputHandling:sanitizesInput", - "security:inputHandling:truncatesInput", - "security:inputHandling:validatesFormat", - "security:inputHandling:validatesRange", - "security:inputHandling:validatesSchema", - "security:integrity", - "security:integrity:attestsIntegrity", - "security:integrity:detectsTampering", - "security:integrity:respondsToTampering", - "security:integrity:validatesComponent", - "security:integrity:verifiesIntegrity", - "security:integrity:verifiesProvenance", - "security:outputHandling", - "security:outputHandling:encodesOutput", - "security:outputHandling:enforcesContentPolicy", - "security:outputHandling:escapesOutput", - "security:outputHandling:filtersOutput", - "security:outputHandling:masksOutput", - "security:outputHandling:setsSecurityHeader", - "security:session", - "security:session:createsSession", - "security:session:detectsSessionHijacking", - "security:session:invalidatesSession", - "security:session:refreshesSession", - "security:session:regeneratesSessionId", - "security:session:terminatesSession", - "security:session:validatesSession", - "security:threatResponse", - "security:threatResponse:blocksRequest", - "security:threatResponse:blocksSource", - "security:threatResponse:collectsForensicData", - "security:threatResponse:detectsAnomaly", - "security:threatResponse:detectsIntrusion", - "security:threatResponse:initiatesIncidentResponse", - "security:threatResponse:quarantinesElement", - "security:threatResponse:raisesAlert", - "system", - "system:configuration", - "system:configuration:deletesRegistryKey", - "system:configuration:modifiesGroupPolicy", - "system:configuration:readsConfigurationFile", - "system:configuration:readsEnvironmentVariable", - "system:configuration:readsGroupPolicy", - "system:configuration:readsRegistry", - "system:configuration:setsEnvironmentVariable", - 
"system:configuration:writesConfigurationFile", - "system:configuration:writesRegistry", - "system:informationGathering", - "system:informationGathering:detectsOsVersion", - "system:informationGathering:gathersSystemInformation", - "system:informationGathering:queriesHardwareInformation", - "system:informationGathering:retrievesHostname", - "system:kernelInteraction", - "system:kernelInteraction:hooksKernelFunction", - "system:kernelInteraction:installsDriver", - "system:kernelInteraction:readsKernelMemory", - "system:kernelInteraction:writesKernelMemory", - "system:lifecycle", - "system:lifecycle:appliesUpdate", - "system:lifecycle:decommissions", - "system:lifecycle:initializes", - "system:lifecycle:performsSelfTest", - "system:lifecycle:provisions", - "system:lifecycle:rollsBack", - "system:lifecycle:shutsDown", - "system:operationalState", - "system:operationalState:entersFailSafeState", - "system:operationalState:entersFailSecureState", - "system:operationalState:operatesInDegradedMode", - "system:operationalState:operatesNormally", - "system:operationalState:performsEmergencyShutdown", - "system:persistence", - "system:persistence:createsScheduledTask", - "system:persistence:installsAsService", - "system:persistence:loadsAsKernelModule", - "system:persistence:registersForStartup", - "system:persistence:removesPersistence", - "system:processControl", - "system:processControl:createsProcess", - "system:processControl:dumpsProcessMemory", - "system:processControl:enumeratesProcesses", - "system:processControl:hooksFunction", - "system:processControl:injectsCodeIntoProcess", - "system:processControl:modifiesProcess", - "system:processControl:resumesProcess", - "system:processControl:suspendsProcess", - "system:processControl:terminatesProcess", - "system:resilience", - "system:resilience:activatesRedundancy", - "system:resilience:degradesGracefully", - "system:resilience:detectsFault", - "system:resilience:recoversFromFailure", - 
"system:resilience:toleratesFault", - "system:resourceManagement", - "system:resourceManagement:allocatesMemory", - "system:resourceManagement:deallocatesMemory", - "system:resourceManagement:handlesResourceExhaustion", - "system:resourceManagement:managesPowerState", - "system:resourceManagement:readsFromStorage", - "system:resourceManagement:resumesThread", - "system:resourceManagement:spawnsThread", - "system:resourceManagement:suspendsThread", - "system:resourceManagement:terminatesThread", - "system:resourceManagement:writesToStorage", - "system:serviceControl", - "system:serviceControl:createsService", - "system:serviceControl:deletesService", - "system:serviceControl:enumeratesServices", - "system:serviceControl:modifiesService", - "system:serviceControl:startsService", - "system:serviceControl:stopsService", - "system:synchronization", - "system:synchronization:acquiresMutex", - "system:synchronization:releasesMutex", - "system:synchronization:signalsEvent", - "system:synchronization:signalsSemaphore", - "system:synchronization:waitsOnEvent", - "system:synchronization:waitsOnSemaphore", - "system:timing", - "system:timing:delaysExecution", - "system:timing:enforcesDeadline", - "system:timing:executesScheduledTask", - "system:timing:resetsWatchdog", - "system:timing:synchronizesClock", - "system:timing:triggersTimeout", - "system:timing:waits", - "system:userManagement", - "system:userManagement:createsUserAccount", - "system:userManagement:deletesUserAccount", - "system:userManagement:elevatesPrivileges", - "system:userManagement:enumeratesUsers", - "system:userManagement:impersonatesUser", - "system:userManagement:modifiesUserAccount" - ], - "meta:enum": { - "ai": "Behaviours relating to artificial intelligence and machine learning operations.", - "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", - "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", - "ai:agent:coordinatesAgents": 
"The entity orchestrates multiple agents.", - "ai:agent:delegatesTask": "The entity assigns work to another agent.", - "ai:agent:executesAction": "The entity performs planned step.", - "ai:agent:invokesTool": "The entity calls external capability.", - "ai:agent:observesResult": "The entity captures action outcome.", - "ai:agent:plansAction": "The entity determines steps to achieve goal.", - "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", - "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", - "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", - "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", - "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", - "ai:agent:revisesPlan": "The entity modifies approach based on results.", - "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", - "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", - "ai:explainability:documentsModel": "The entity records model design and behaviour.", - "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", - "ai:explainability:tracesPrediction": "The entity records basis for output.", - "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.", - "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", - "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", - "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", - "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", - "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", - "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", - "ai:generative": "Behaviours that produce content using 
generative models.", - "ai:generative:citesSource": "The entity attributes generated content.", - "ai:generative:filtersOutput": "The entity screens generated content.", - "ai:generative:generatesAudio": "The entity produces sound content.", - "ai:generative:generatesCode": "The entity produces executable code.", - "ai:generative:generatesEmbedding": "The entity produces vector representation.", - "ai:generative:generatesImage": "The entity produces visual content.", - "ai:generative:generatesText": "The entity produces natural language.", - "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", - "ai:generative:processesPrompt": "The entity interprets user instruction.", - "ai:generative:streamsResponse": "The entity delivers output incrementally.", - "ai:inference": "Behaviours that generate predictions using trained models.", - "ai:inference:appliesThreshold": "The entity uses decision boundary.", - "ai:inference:batchesInference": "The entity processes multiple inputs together.", - "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", - "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", - "ai:inference:generatesPrediction": "The entity produces model output.", - "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", - "ai:inference:ranksResults": "The entity orders predictions by relevance.", - "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", - "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", - "ai:management:comparesModels": "The entity evaluates relative model performance.", - "ai:management:deploysModel": "The entity places model into service.", - "ai:management:loadsModel": "The entity retrieves model for use.", - "ai:management:monitorsModel": "The entity observes model performance.", - "ai:management:retiresModel": "The entity removes model from service.", 
- "ai:management:rollsBackModel": "The entity reverts to previous version.", - "ai:management:unloadsModel": "The entity removes model from memory.", - "ai:management:versionsModel": "The entity tracks model versions.", - "ai:quality": "Behaviours that monitor and maintain model and data quality.", - "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", - "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", - "ai:quality:detectsOutlier": "The entity identifies anomalous input.", - "ai:quality:engineersFeatures": "The entity transforms raw data for model.", - "ai:quality:selectsFeatures": "The entity chooses relevant input features.", - "ai:quality:validatesInputData": "The entity checks inference input quality.", - "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", - "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", - "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", - "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", - "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", - "ai:robustness:validatesRobustness": "The entity tests model resilience.", - "ai:training": "Behaviours that prepare data and train machine learning models.", - "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", - "ai:training:checkpointsModel": "The entity saves model state during training.", - "ai:training:fineTunesModel": "The entity refines model for specific task.", - "ai:training:ingestsTrainingData": "The entity acquires data for training.", - "ai:training:preprocessesTrainingData": "The entity prepares data for training.", - "ai:training:trainsFederatedly": "The entity trains on distributed data.", - "ai:training:trainsModel": "The entity adjusts model parameters.", - 
"ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", - "ai:training:validatesModel": "The entity evaluates model during training.", - "ai:training:validatesTrainingData": "The entity checks training data quality.", - "application": "Behaviours relating to application-level request processing and business logic.", - "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", - "application:codeExecution:compilesCode": "The entity transforms source to executable form.", - "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", - "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", - "application:codeExecution:executesScript": "The entity runs script code.", - "application:codeExecution:interpretsCode": "The entity executes code without compilation.", - "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", - "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", - "application:configuration": "Behaviours that load and manage application configuration settings.", - "application:configuration:detectsEnvironment": "The entity determines deployment context.", - "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.", - "application:configuration:loadsConfiguration": "The entity reads configuration settings.", - "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", - "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", - "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", - "application:controlFlow:catchesException": "The entity handles an error condition.", - "application:controlFlow:emitsEvent": "The entity triggers an event.", - 
"application:controlFlow:handlesEvent": "The entity responds to an event.", - "application:controlFlow:invokesCallback": "The entity executes a callback function.", - "application:controlFlow:invokesHandler": "The entity calls a request handler.", - "application:controlFlow:invokesMiddleware": "The entity executes middleware component.", - "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", - "application:controlFlow:throwsException": "The entity raises an error condition.", - "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", - "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", - "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", - "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", - "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", - "application:dependencyManagement:resolvesDependency": "The entity locates required component.", - "application:externalIntegration": "Behaviours that communicate with external services and systems.", - "application:externalIntegration:callsExternalService": "The entity invokes an external API.", - "application:externalIntegration:consumesEvent": "The entity receives event from external system.", - "application:externalIntegration:publishesEvent": "The entity sends event to external system.", - "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", - "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", - "application:observability:emitsTelemetry": "The entity transmits operational data.", - "application:observability:logsOperation": "The entity records an operational event.", - "application:observability:recordsMetric": "The 
entity captures a quantitative measurement.", - "application:observability:reportsHealth": "The entity communicates operational status.", - "application:observability:tracesRequest": "The entity tracks request across services.", - "application:requestHandling": "Behaviours that receive and process incoming requests.", - "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", - "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", - "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", - "application:requestHandling:parsesRequest": "The entity interprets incoming request.", - "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", - "application:requestHandling:rejectsRequest": "The entity refuses to process request.", - "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", - "application:requestHandling:validatesRequest": "The entity verifies request validity.", - "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", - "application:responseGeneration:generatesResponse": "The entity creates a response.", - "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", - "application:responseGeneration:redirectsRequest": "The entity sends client to different location.", - "application:responseGeneration:returnsError": "The entity indicates failure.", - "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", - "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", - "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", - "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", - "application:stateManagement": "Behaviours that maintain and synchronise application 
state across requests.", - "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", - "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", - "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", - "application:stateManagement:createsSessionState": "The entity initialises session data.", - "application:stateManagement:destroysSessionState": "The entity removes session data.", - "application:stateManagement:readsSessionState": "The entity retrieves session data.", - "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", - "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", - "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", - "application:stateManagement:updatesSessionState": "The entity modifies session data.", - "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", - "data:encoding": "Behaviours that apply specific encoding schemes to data.", - "data:encoding:appliesXor": "The entity transforms data using XOR operation.", - "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", - "data:encoding:decodesUrl": "The entity converts URL-encoded data.", - "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", - "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", - "data:ingestion": "Behaviours that acquire data from external sources.", - "data:ingestion:pollsSource": "The entity periodically checks for new data.", - "data:ingestion:readsFile": "The entity retrieves data from a file.", - "data:ingestion:readsStream": "The entity consumes data from a continuous source.", - "data:ingestion:receivesInput": "The entity accepts data from an external source.", - "data:ingestion:receivesMessage": "The entity 
accepts a message from a queue.", - "data:ingestion:receivesRequest": "The entity accepts an incoming request.", - "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", - "data:output": "Behaviours that produce and transmit data to external consumers.", - "data:output:formatsResponse": "The entity structures data for delivery.", - "data:output:producesOutput": "The entity generates data for consumption.", - "data:output:publishesMessage": "The entity sends a message to a queue.", - "data:output:rendersTemplate": "The entity generates output from a template.", - "data:output:sendsResponse": "The entity transmits a reply.", - "data:output:serializesObject": "The entity converts object to transmittable form.", - "data:output:streamsOutput": "The entity continuously produces data.", - "data:output:writesFile": "The entity saves data to a file.", - "data:parsing": "Behaviours that interpret and extract information from structured data formats.", - "data:parsing:decodesData": "The entity converts encoded data to original form.", - "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", - "data:parsing:extractsFields": "The entity isolates specific data elements.", - "data:parsing:parsesData": "The entity interprets structured data.", - "data:parsing:parsesHtml": "The entity interprets HTML content.", - "data:parsing:parsesJson": "The entity interprets JSON-formatted data.", - "data:parsing:parsesXml": "The entity interprets XML-formatted data.", - "data:query": "Behaviours that retrieve data based on specified criteria.", - "data:query:executesLdapQuery": "The entity queries an LDAP directory.", - "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", - "data:query:executesSearch": "The entity performs full-text or indexed search.", - "data:query:executesSql": "The entity runs a SQL statement.", - "data:query:executesXPath": "The entity evaluates an XPath expression.", - 
"data:query:queriesData": "The entity retrieves data matching criteria.", - "data:storage": "Behaviours that persist and retrieve data from storage systems.", - "data:storage:cachesData": "The entity stores data for quick retrieval.", - "data:storage:deletesData": "The entity removes stored data.", - "data:storage:flushesCache": "The entity writes cached data to persistent storage.", - "data:storage:invalidatesCache": "The entity marks cached data as stale.", - "data:storage:retrievesData": "The entity fetches stored data.", - "data:storage:storesData": "The entity saves data persistently.", - "data:storage:updatesData": "The entity modifies stored data.", - "data:transformation": "Behaviours that convert data from one form or structure to another.", - "data:transformation:aggregatesData": "The entity combines multiple values.", - "data:transformation:compressesData": "The entity reduces data size.", - "data:transformation:decompressesData": "The entity restores compressed data.", - "data:transformation:encodesData": "The entity converts data to encoded form.", - "data:transformation:enrichesData": "The entity adds information from external sources.", - "data:transformation:filtersData": "The entity removes unwanted elements.", - "data:transformation:joinsData": "The entity combines data from multiple sources.", - "data:transformation:mapsData": "The entity converts between data structures.", - "data:transformation:normalizesData": "The entity converts to standard form.", - "data:transformation:sortsData": "The entity orders data elements.", - "data:transformation:transformsData": "The entity converts data from one form to another.", - "evasion": "Behaviours relating to techniques that avoid detection and analysis.", - "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", - "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", - "evasion:analysisResistance:detectsDebugger": "The entity 
identifies debugger presence.", - "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", - "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", - "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", - "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", - "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", - "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", - "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", - "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", - "evasion:antiSecurity": "Behaviours that detect and disable security software.", - "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", - "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", - "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", - "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", - "evasion:indirection": "Behaviours that use indirect methods to execute code.", - "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", - "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", - "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", - "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", - "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", - "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", - "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", - "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", - 
"evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", - "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", - "file": "Behaviours relating to file system operations and disk management.", - "file:directory": "Behaviours that create and navigate directory structures.", - "file:directory:changesDirectory": "The entity sets current working directory.", - "file:directory:createsDirectory": "The entity creates a new directory.", - "file:directory:deletesDirectory": "The entity removes a directory.", - "file:directory:listsDirectory": "The entity enumerates directory contents.", - "file:directory:traversesDirectory": "The entity recursively explores directories.", - "file:disk": "Behaviours that manage storage volumes and disk-level operations.", - "file:disk:decryptsVolume": "The entity decrypts a storage volume.", - "file:disk:encryptsVolume": "The entity encrypts a storage volume.", - "file:disk:formatsVolume": "The entity prepares storage for use.", - "file:disk:mountsVolume": "The entity attaches a storage volume.", - "file:disk:unmountsVolume": "The entity detaches a storage volume.", - "file:disk:wipesDisk": "The entity securely erases disk contents.", - "file:operations": "Behaviours that create and manipulate files.", - "file:operations:appendsToFile": "The entity adds data to end of file.", - "file:operations:checksFileExistence": "The entity verifies whether a file exists.", - "file:operations:closesFile": "The entity releases file access.", - "file:operations:copiesFile": "The entity duplicates a file.", - "file:operations:createsFile": "The entity creates a new file.", - "file:operations:deletesFile": "The entity removes a file.", - "file:operations:getsFileAttributes": "The entity retrieves file metadata.", - "file:operations:movesFile": "The entity relocates a file.", - "file:operations:opensFile": "The entity prepares a file for access.", - "file:operations:readsFile": "The entity retrieves 
file contents.", - "file:operations:renamesFile": "The entity changes a file name.", - "file:operations:setsFileAttributes": "The entity modifies file metadata.", - "file:operations:setsFilePermissions": "The entity modifies file access permissions.", - "file:operations:writesFile": "The entity modifies file contents.", - "gui": "Behaviours relating to graphical user interface interactions.", - "gui:display": "Behaviours that render and monitor visual output.", - "gui:display:displaysData": "The entity renders information visually.", - "gui:display:monitorsDisplay": "The entity observes displayed content.", - "gui:display:updatesDisplay": "The entity refreshes visual presentation.", - "gui:session": "Behaviours that interact with user login sessions.", - "gui:session:displaysLogin": "The entity presents login interface.", - "gui:session:interactsWithSession": "The entity operates within user session.", - "gui:session:switchesSession": "The entity changes active user session.", - "gui:window": "Behaviours that create and manipulate graphical windows.", - "gui:window:capturesWindow": "The entity captures window contents.", - "gui:window:createsWindow": "The entity creates a graphical window.", - "gui:window:destroysWindow": "The entity closes a window.", - "gui:window:enumeratesWindows": "The entity lists open windows.", - "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.", - "gui:window:modifiesWindow": "The entity changes window properties.", - "hardware": "Behaviours relating to hardware components and physical device interactions.", - "hardware:actuator": "Behaviours that control physical actuators and output devices.", - "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", - "hardware:actuator:controlsBattery": "The entity manages battery charging.", - "hardware:actuator:controlsHeating": "The entity manages heating element.", - "hardware:actuator:controlsLed": "The entity manages LED indicator.", - 
"hardware:actuator:controlsMotor": "The entity manages motor operation.", - "hardware:actuator:controlsPower": "The entity manages power distribution.", - "hardware:actuator:controlsPump": "The entity manages fluid pump.", - "hardware:actuator:controlsTemperature": "The entity regulates temperature.", - "hardware:boot": "Behaviours that verify and configure system startup processes.", - "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", - "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", - "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", - "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", - "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", - "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", - "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", - "hardware:firmware": "Behaviours that manage and verify firmware integrity.", - "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", - "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.", - "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", - "hardware:firmware:updatesFirmware": "The entity applies firmware changes.", - "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", - "hardware:memory": "Behaviours that protect and isolate memory regions.", - "hardware:memory:encryptsMemory": "The entity protects memory contents.", - "hardware:memory:isolatesMemory": "The entity separates memory regions.", - "hardware:memory:protectsStack": "The entity defends against stack attacks.", - "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", - "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", - 
"hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", - "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", - "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.", - "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", - "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", - "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", - "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", - "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", - "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", - "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", - "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", - "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", - "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", - "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", - "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", - "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", - "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", - "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", - "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", - "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", - "hardware:security:executesInTee": "The entity runs in trusted execution environment.", - "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", - 
"hardware:security:usesHsm": "The entity employs hardware security module.", - "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", - "hardware:sensor": "Behaviours that read measurements from hardware sensors.", - "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", - "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", - "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", - "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", - "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", - "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", - "hardware:sensor:readsPowerStatus": "The entity obtains power state.", - "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", - "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", - "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", - "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", - "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.", - "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", - "network": "Behaviours relating to network communication and data transmission between systems.", - "network:connection": "Behaviours that establish and manage network connections.", - "network:connection:acceptsConnection": "The entity receives an incoming connection.", - "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", - "network:connection:establishesConnection": "The entity initiates a network connection.", - "network:connection:reconnects": "The entity re-establishes a dropped connection.", - "network:connection:reusesConnection": "The entity uses a pooled 
connection.",
- "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.",
- "network:connection:terminatesConnection": "The entity closes a network connection.",
- "network:discovery": "Behaviours that locate and advertise network services and resources.",
- "network:discovery:advertisesService": "The entity announces its availability.",
- "network:discovery:discoversService": "The entity locates an available service.",
- "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.",
- "network:discovery:probesPort": "The entity checks if a port is open.",
- "network:discovery:queriesDns": "The entity requests DNS resolution.",
- "network:discovery:resolvesName": "The entity translates a name to an address.",
- "network:discovery:scansNetwork": "The entity probes for active hosts or services.",
- "network:protocol": "Behaviours that negotiate and implement communication protocols.",
- "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.",
- "network:protocol:framesMessage": "The entity structures data for transmission.",
- "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.",
- "network:protocol:parsesMessage": "The entity interprets received network data.",
- "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.",
- "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.",
- "network:protocol:validatesMessage": "The entity verifies message format and integrity.",
- "network:remoteInteraction": "Behaviours that execute operations on remote systems.",
- "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.",
- "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.",
- "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.",
- 
"network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.",
- "network:remoteInteraction:sendsEmail": "The entity transmits an email message.",
- "network:remoteInteraction:sendsSms": "The entity transmits a text message.",
- "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.",
- "network:routing": "Behaviours that direct network traffic to its destination.",
- "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.",
- "network:routing:forwardsPacket": "The entity passes a packet toward its destination.",
- "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.",
- "network:routing:routesTraffic": "The entity directs network traffic to destinations.",
- "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.",
- "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.",
- "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.",
- "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.",
- "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.",
- "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.",
- "network:trafficControl:limitsRate": "The entity restricts traffic volume.",
- "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.",
- "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.",
- "network:transmission": "Behaviours that send and receive data over network connections.",
- "network:transmission:broadcastsData": "The entity sends data to multiple recipients.",
- "network:transmission:multicastsData": "The entity sends data to a group of recipients.",
- "network:transmission:receivesData": "The entity accepts data from the network.",
- 
"network:transmission:sendsData": "The entity transmits data over the network.",
- "network:transmission:streamsData": "The entity continuously transmits or receives data.",
- "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.",
- "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.",
- "privacy:collection:capturesAudio": "The entity records sound via microphone.",
- "privacy:collection:capturesKeystrokes": "The entity records keyboard input.",
- "privacy:collection:capturesScreen": "The entity records display contents.",
- "privacy:collection:capturesVideo": "The entity records images via camera.",
- "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.",
- "privacy:collection:collectsBiometricData": "The entity captures biometric information.",
- "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.",
- "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.",
- "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.",
- "privacy:collection:collectsHealthData": "The entity gathers protected health information.",
- "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.",
- "privacy:collection:collectsLocationData": "The entity gathers geographical position information.",
- "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.",
- "privacy:collection:collectsSilently": "The entity gathers data without user awareness.",
- "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.",
- "privacy:collection:readsClipboard": "The entity accesses clipboard contents.",
- "privacy:deletion": "Behaviours that remove or destroy personal data.",
- "privacy:deletion:clearsCache": "The entity 
removes data from temporary storage.",
- "privacy:deletion:deletesPersonalData": "The entity removes personal data.",
- "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.",
- "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.",
- "privacy:deletion:redactsData": "The entity removes specific content from records.",
- "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.",
- "privacy:inference:correlatesData": "The entity combines data from multiple sources.",
- "privacy:inference:createsProfile": "The entity builds a profile from collected data.",
- "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.",
- "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.",
- "privacy:inference:linksIdentities": "The entity associates data across contexts.",
- "privacy:inference:tracksUser": "The entity follows user activity across sessions.",
- "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.",
- "privacy:minimization:aggregatesData": "The entity combines records into summaries.",
- "privacy:minimization:anonymizesData": "The entity removes identifying information.",
- "privacy:minimization:filtersData": "The entity removes unnecessary data elements.",
- "privacy:minimization:generalizesData": "The entity reduces data precision.",
- "privacy:minimization:limitsCollection": "The entity gathers only necessary data.",
- "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.",
- "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.",
- "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.",
- "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.",
- 
"privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.",
- "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.",
- "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.",
- "privacy:retention": "Behaviours that store personal data over time.",
- "privacy:retention:archivesData": "The entity moves data to long-term storage.",
- "privacy:retention:backsUpData": "The entity creates copies for recovery.",
- "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.",
- "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.",
- "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.",
- "privacy:retention:retainsInLog": "The entity keeps data in log files.",
- "privacy:retention:storesPersonalData": "The entity saves personal data persistently.",
- "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.",
- "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.",
- "privacy:sharing:exportsData": "The entity outputs data in portable format.",
- "privacy:sharing:publishesData": "The entity makes data publicly available.",
- "privacy:sharing:sellsData": "The entity provides data in exchange for value.",
- "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.",
- "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.",
- "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.",
- "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.",
- "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.",
- "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.",
- "privacy:subjectRights:honorsObjection": "The 
entity ceases processing upon objection.",
- "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.",
- "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.",
- "privacy:transparency": "Behaviours that inform individuals about data processing activities.",
- "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.",
- "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.",
- "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.",
- "privacy:transparency:recordsConsent": "The entity stores consent decisions.",
- "privacy:transparency:requestsConsent": "The entity asks for processing permission.",
- "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.",
- "safety": "Behaviours relating to the prevention of harm to users and the environment.",
- "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.",
- "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.",
- "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.",
- "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.",
- "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.",
- "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.",
- "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.",
- "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.",
- "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.",
- "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.",
- "safety:contentSafety:filtersContent": "The 
entity blocks or restricts content.",
- "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.",
- "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.",
- "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.",
- "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.",
- "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.",
- "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.",
- "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.",
- "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.",
- "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.",
- "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.",
- "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.",
- "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.",
- "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.",
- "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.",
- "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.",
- "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.",
- "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.",
- "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.",
- "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.",
- "safety:operationalSafety:enforcesOperatingLimits": "The 
entity prevents operation outside safe bounds.",
- "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.",
- "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.",
- "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.",
- "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.",
- "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.",
- "security:auditing:logsEvent": "The entity records an occurrence.",
- "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.",
- "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.",
- "security:auditing:purgesLog": "The entity deletes old log records.",
- "security:auditing:rotatesLog": "The entity archives and starts new log files.",
- "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.",
- "security:auditing:timestampsEvent": "The entity records when an event occurred.",
- "security:auditing:transmitsLog": "The entity sends log data to a remote destination.",
- "security:authentication": "Behaviours that verify the identity of users and entities.",
- "security:authentication:authenticatesDevice": "The entity confirms device identity.",
- "security:authentication:authenticatesService": "The entity confirms service identity.",
- "security:authentication:authenticatesUser": "The entity confirms user identity.",
- "security:authentication:bypassesAuthentication": "The entity permits access without authentication.",
- "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.",
- "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.",
- "security:authentication:failsAuthentication": "The entity rejects 
invalid credentials.",
- "security:authentication:locksAccount": "The entity prevents further authentication attempts.",
- "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.",
- "security:authentication:promptsForCredentials": "The entity requests authentication information.",
- "security:authentication:unlocksAccount": "The entity restores authentication capability.",
- "security:authentication:validatesBiometric": "The entity verifies biometric data.",
- "security:authentication:validatesCredentials": "The entity verifies supplied credentials.",
- "security:authorization": "Behaviours that determine and enforce access permissions.",
- "security:authorization:checksPermission": "The entity verifies access rights.",
- "security:authorization:delegatesAuthority": "The entity transfers access rights to another.",
- "security:authorization:deniesAccess": "The entity refuses a requested action.",
- "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.",
- "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.",
- "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.",
- "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.",
- "security:authorization:grantsAccess": "The entity permits a requested action.",
- "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.",
- "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.",
- "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.",
- "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.",
- "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.",
- 
"security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.",
- "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.",
- "security:cryptography:checksRevocation": "The entity queries certificate revocation status.",
- "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.",
- "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.",
- "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.",
- "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.",
- "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.",
- "security:cryptography:destroysKey": "The entity securely erases a key.",
- "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.",
- "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.",
- "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.",
- "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.",
- "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.",
- "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.",
- "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.",
- "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.",
- "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.",
- 
"security:cryptography:exchangesKey": "The entity shares a key with another party.",
- "security:cryptography:generatesKey": "The entity creates a cryptographic key.",
- "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.",
- "security:cryptography:hashesData": "The entity generates a cryptographic hash.",
- "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.",
- "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.",
- "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.",
- "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.",
- "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.",
- "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.",
- "security:cryptography:retrievesKey": "The entity obtains a stored key.",
- "security:cryptography:revokesCertificate": "The entity invalidates a certificate.",
- "security:cryptography:rotatesKey": "The entity replaces a key with a new one.",
- "security:cryptography:signsCode": "The entity applies a digital signature to executable code.",
- "security:cryptography:signsData": "The entity creates a digital signature.",
- "security:cryptography:signsDocument": "The entity applies a digital signature to a document.",
- "security:cryptography:storesKey": "The entity saves a key securely.",
- "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.",
- "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.",
- "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.",
- 
"security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.",
- "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.",
- "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.",
- "security:cryptography:verifiesHash": "The entity validates data against a hash.",
- "security:cryptography:verifiesSignature": "The entity validates a digital signature.",
- "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.",
- "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.",
- "security:errorHandling:catchesException": "The entity intercepts an error condition.",
- "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.",
- "security:errorHandling:failsClosed": "The entity denies access when controls fail.",
- "security:errorHandling:failsOpen": "The entity permits access when controls fail.",
- "security:errorHandling:generatesError": "The entity produces an error condition.",
- "security:errorHandling:logsError": "The entity records an error condition.",
- "security:errorHandling:propagatesError": "The entity passes an error to caller.",
- "security:errorHandling:returnsGenericError": "The entity provides minimal error information.",
- "security:errorHandling:suppressesError": "The entity hides an error condition.",
- "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.",
- "security:inputHandling:escapesInput": "The entity encodes special characters in input.",
- "security:inputHandling:normalizesInput": "The entity converts input to standard form.",
- "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.",
- "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content 
from input.",
- "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.",
- "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.",
- "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.",
- "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.",
- "security:integrity": "Behaviours that verify and protect the integrity of data and code.",
- "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.",
- "security:integrity:detectsTampering": "The entity identifies modification attempts.",
- "security:integrity:respondsToTampering": "The entity reacts to detected tampering.",
- "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.",
- "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.",
- "security:integrity:verifiesProvenance": "The entity confirms origin and history.",
- "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.",
- "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.",
- "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.",
- "security:outputHandling:escapesOutput": "The entity encodes special characters in output.",
- "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.",
- "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.",
- "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.",
- "security:session": "Behaviours that manage authenticated user sessions.",
- "security:session:createsSession": "The entity establishes an authenticated session.",
- "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.",
- "security:session:invalidatesSession": "The entity revokes session validity.",
- "security:session:refreshesSession": "The entity extends session lifetime.",
- "security:session:regeneratesSessionId": "The entity creates a new session identifier.",
- "security:session:terminatesSession": "The entity ends an authenticated session.",
- "security:session:validatesSession": "The entity verifies session validity.",
- "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.",
- "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.",
- "security:threatResponse:blocksSource": "The entity prevents further requests from a source.",
- "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.",
- "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.",
- "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.",
- "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.",
- "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.",
- "security:threatResponse:raisesAlert": "The entity notifies of a security event.",
- "system": "Behaviours relating to operating system interactions and the management of computational resources.",
- "system:configuration": "Behaviours that read and modify system configuration settings.",
- "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.",
- "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.",
- "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.",
- "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.",
- "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.",
- 
"system:configuration:readsRegistry": "The entity retrieves values from the system registry.",
- "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.",
- "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.",
- "system:configuration:writesRegistry": "The entity stores values in the system registry.",
- "system:informationGathering": "Behaviours that collect information about the host system and its configuration.",
- "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.",
- "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.",
- "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.",
- "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.",
- "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.",
- "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.",
- "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.",
- "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.",
- "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.",
- "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.",
- "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.",
- "system:lifecycle:decommissions": "The entity securely retires from service.",
- "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.",
- "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.",
- "system:lifecycle:provisions": "The entity configures itself for deployment.",
- "system:lifecycle:rollsBack": "The 
entity reverts to a previous known-good state.",
- "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.",
- "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.",
- "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.",
- "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.",
- "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.",
- "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.",
- "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.",
- "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.",
- "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.",
- "system:persistence:installsAsService": "The entity registers itself as a system service.",
- "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.",
- "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.",
- "system:persistence:removesPersistence": "The entity removes its persistence mechanism.",
- "system:processControl": "Behaviours that create and manipulate operating system processes.",
- "system:processControl:createsProcess": "The entity starts a new process.",
- "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.",
- "system:processControl:enumeratesProcesses": "The entity lists running processes.",
- "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.",
- "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another 
process.",
- "system:processControl:modifiesProcess": "The entity changes attributes of a running process.",
- "system:processControl:resumesProcess": "The entity continues paused process execution.",
- "system:processControl:suspendsProcess": "The entity pauses process execution.",
- "system:processControl:terminatesProcess": "The entity ends a running process.",
- "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.",
- "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.",
- "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.",
- "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.",
- "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.",
- "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.",
- "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.",
- "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.",
- "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.",
- "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.",
- "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.",
- "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.",
- "system:resourceManagement:resumesThread": "The entity continues paused thread execution.",
- "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.",
- "system:resourceManagement:suspendsThread": "The entity pauses thread execution.",
- "system:resourceManagement:terminatesThread": "The entity 
ends an execution thread.", - "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", - "system:serviceControl": "Behaviours that manage system services and daemons.", - "system:serviceControl:createsService": "The entity installs a system service or daemon.", - "system:serviceControl:deletesService": "The entity removes a system service.", - "system:serviceControl:enumeratesServices": "The entity lists installed services.", - "system:serviceControl:modifiesService": "The entity changes service configuration.", - "system:serviceControl:startsService": "The entity initiates service execution.", - "system:serviceControl:stopsService": "The entity halts service execution.", - "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", - "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", - "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", - "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", - "system:synchronization:signalsSemaphore": "The entity releases a semaphore.", - "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", - "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", - "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", - "system:timing:delaysExecution": "The entity postpones an operation.", - "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", - "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", - "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", - "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", - "system:timing:triggersTimeout": "The 
entity acts upon detecting an unresponsive condition.", - "system:timing:waits": "The entity pauses execution for a specified duration.", - "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", - "system:userManagement:createsUserAccount": "The entity adds a new user account.", - "system:userManagement:deletesUserAccount": "The entity removes a user account.", - "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", - "system:userManagement:enumeratesUsers": "The entity lists user accounts.", - "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", - "system:userManagement:modifiesUserAccount": "The entity changes user account properties." - } } } } diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index 6a2a91815..3292274a9 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json 
@@ -12,20 +12,31 @@
 "items": {
 "$ref": "#/$defs/blueprint"
 },
- "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis."
+ "description": "A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."
 },
 "blueprint": {
 "type": "object",
 "title": "Blueprint",
- "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.",
- "required": ["modelTypes", "methodologies"],
+ "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.",
+ "required": ["name", "modelTypes", "methodologies"],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
 },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.",
+ "minLength": 1
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."
+ },
 "metadata": {
- "$ref": "#/$defs/blueprintMetadata"
+ "$ref": "#/$defs/metadata"
 },
 "modelTypes": {
 "type": "array",
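Review bot: Adding `name` to the `blueprint` `required` list rejects any existing blueprint that carried only a `bom-ref`, so if 2.0 documents already exist this is a breaking change and should be called out as such rather than folded into a description update. The new description also says the name is used to "identify this model within the BOM", but nothing in the schema makes `name` unique across the `blueprints` array, so `bom-ref` remains the only identifier a consumer can rely on. I would make that explicit: `"description": "A human-readable name for the blueprint. Names are not required to be unique; use bom-ref to reference a blueprint unambiguously."`.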
@@ -40,7 +51,6 @@
 "methodologies": {
 "type": "array",
 "title": "Methodologies",
- "minItems": 1,
 "uniqueItems": true,
 "description": "The modeling methodologies used",
 "items": {
@@ -59,6 +69,9 @@
 },
 "description": "The assets (components, services, data, actors) included in the model"
 },
+ "behaviors": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behaviors"
+ },
 "dataStores": {
 "type": "array",
 "title": "Data Stores",
@@ -371,7 +384,7 @@
 }
 ]
 },
- "blueprintMetadata": {
+ "metadata": {
 "type": "object",
 "title": "Blueprint Metadata",
 "description": "Metadata about the creation, review, and approval of the blueprint.",
diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json
index 77c80cabf..66f16234a 100644
--- a/schema/2.0/model/cyclonedx-data-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json
@@ -20,7 +20,8 @@
 "type": "string",
 "title": "Name",
 "minLength": 1,
- "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes."
+ "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.",
+ "examples": ["Customer PII Dataset", "Transaction Logs", "Employee Health Records"]
 },
 "description": {
 "type": "string",
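Review bot: Dropping `"minItems": 1` from `methodologies` while the property stays in the blueprint `required` list (set in the `@@ -12,20 +12,31 @@` hunk above) means `"methodologies": []` now validates, because `required` only checks that the key is present. If the intent is that a blueprint may declare no methodology, it should be removed from `required` as well; if at least one must always be stated, keep `"minItems": 1,`. Either way the `description` ("The modeling methodologies used") should say which of the two applies.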
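Review bot: In the `@@ -59,6 +69,9 @@` hunk the new `behaviors` property is a bare `$ref` with no `title` or `description`, unlike its siblings such as `dataStores`, so schema-derived documentation will show nothing for it. Assuming this file declares draft 2020-12 like the taxonomy schema added further down, `$ref` may carry siblings, as the `jurisdictions` property in the data-schema hunks below does; I would add `"title": "Behaviors",` and a one-sentence description of what behaviours listed at blueprint level represent. The target `cyclonedx-behavior-2.0.schema.json#/$defs/behaviors` is not touched in the visible part of this diff, so it is worth confirming that definition exists under that name.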
@@ -34,14 +35,16 @@
 "confidential",
 "internal",
 "public",
- "restricted"
+ "restricted",
+ "classified"
 ],
- "description": "Data sensitivity classification",
+ "description": "Data sensitivity classification.",
 "meta:enum": {
 "confidential": "Confidential information requiring protection",
 "internal": "Internal use only within the organization",
 "public": "Public information that can be freely shared",
- "restricted": "Highly restricted information with limited access and special protection measures"
+ "restricted": "Highly restricted information with limited access and special protection measures",
+ "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations"
 }
 },
 "classification": {
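Review bot: `classified` is appended after `restricted` in both `enum` and `meta:enum`, breaking the alphabetical order the other four values follow; placing `"classified",` before `"confidential",` in both lists keeps them consistent. A sibling property named `classification` follows immediately (`"classification": {` is the last context line), so a sensitivity value spelled `classified` is easy to confuse with it, and the one-word description change does not help a reader tell them apart. I would extend it: `"description": "Data sensitivity classification. The classified value is reserved for information formally classified by a government or defence authority; it is distinct from the sibling classification property."`.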
@@ -109,6 +112,44 @@
 }
 ]
 },
+ "subjects": {
+ "type": "array",
+ "title": "Subjects",
+ "description": "The entities, groups, categories, or things that the data is about or pertains to. Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/subject"
+ },
+ "examples": [
+ [
+ {"name": "EU Residents", "type": "group", "protectedClass": false, "jurisdictions": ["DE", "FR", "IT"], "regulations": ["GDPR"]},
+ {"name": "Pediatric Patients", "type": "group", "protectedClass": true, "jurisdictions": ["US"], "regulations": ["HIPAA", "COPPA"]}
+ ]
+ ]
+ },
+ "purposes": {
+ "type": "array",
+ "title": "Purposes",
+ "description": "The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/purpose"
+ },
+ "examples": [
+ [
+ {"name": "Service Delivery", "legalBasis": "contract"},
+ {"name": "Fraud Prevention", "legalBasis": "legitimate interest"}
+ ]
+ ]
+ },
+ "jurisdictions": {
+ "$ref": "#/$defs/jurisdictions",
+ "description": "The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."
+ },
+ "regulations": {
+ "$ref": "#/$defs/regulations",
+ "description": "The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about."
+ },
 "dataFormats": {
 "type": "array",
 "title": "Data Formats",
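Review bot: `"uniqueItems": true` on `subjects` and `purposes` rejects only entries that are identical in every field, so two subjects with the same `name` that differ in `description` or `jurisdictions` both validate, and the same holds for two purposes sharing a name. Tooling that aggregates obligations per subject or checks purpose compatibility should therefore treat name uniqueness as its own data-quality check, not a schema guarantee. I would say so in both descriptions, e.g. append `Entries are unique only as whole objects; the schema does not enforce unique names.` to the `subjects` and `purposes` descriptions.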
@@ -116,7 +157,8 @@
 "items": {
 "type": "string"
 },
- "description": "Format of data"
+ "description": "The formats in which the data is stored or transmitted.",
+ "examples": [["JSON", "CSV", "Parquet"]]
 },
 "dataTypes": {
 "type": "array",
@@ -125,7 +167,8 @@
 "items": {
 "type": "string"
 },
- "description": "Specific types of data"
+ "description": "The specific types of data elements contained within this dataset.",
+ "examples": [["email address", "date of birth", "IP address"]]
 },
 "schema": {
 "type": "array",
@@ -135,7 +178,8 @@
 "type": "string",
 "format": "uri"
 },
- "description": "Reference to schema contracts or documents describing the data structure."
+ "description": "References to schema contracts or documents describing the data structure.",
+ "examples": [["https://example.com/schemas/customer-v2.json"]]
 },
 "access": {
 "type": "array",
@@ -205,6 +249,115 @@
 }
 }
 },
+ "subject": {
+ "type": "object",
+ "title": "Subject",
+ "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.",
+ "required": ["name", "type"],
+ "additionalProperties": false,
+ "examples": [
+ {"name": "EU Residents", "type": "group", "protectedClass": false, "jurisdictions": ["DE", "FR"], "regulations": ["GDPR"]},
+ {"name": "Pediatric Patients", "type": "group", "protectedClass": true, "jurisdictions": ["US"], "regulations": ["HIPAA", "COPPA"]},
+ {"name": "GPT-4 Model", "type": "technology", "protectedClass": false}
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.",
+ "minLength": 1,
+ "examples": ["EU Residents", "Pediatric Patients", "Fleet Vehicles"]
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.",
+ "minLength": 1,
+ "examples": ["individual", "group", "technology"]
+ },
+ "protectedClass": {
+ "type": "boolean",
+ "title": "Protected Class",
+ "description": "Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."
+ },
+ "jurisdictions": {
+ "$ref": "#/$defs/jurisdictions",
+ "description": "The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."
+ },
+ "regulations": {
+ "$ref": "#/$defs/regulations",
+ "description": "The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "jurisdictions": {
+ "type": "array",
+ "title": "Jurisdictions",
+ "description": "The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 2,
+ "examples": ["US", "GB", "US-CA"]
+ },
+ "examples": [["US", "GB", "DE"]]
+ },
+ "regulations": {
+ "type": "array",
+ "title": "Regulations",
+ "description": "The specific laws, regulations, or compliance frameworks that apply.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 1,
+ "examples": ["GDPR", "HIPAA", "PCI-DSS"]
+ },
+ "examples": [["GDPR", "CCPA", "PCI-DSS"]]
+ },
+ "purpose": {
+ "type": "object",
+ "title": "Purpose",
+ "description": "The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.",
+ "required": ["name"],
+ "additionalProperties": false,
+ "examples": [
+ {"name": "Service Delivery", "legalBasis": "contract"},
+ {"name": "Fraud Prevention", "legalBasis": "legitimate interest"},
+ {"name": "Marketing Analytics", "legalBasis": "consent"}
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the purpose for which data is collected or processed.",
+ "minLength": 1,
+ "examples": ["Service Delivery", "Fraud Prevention", "Marketing Analytics"]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."
+ },
+ "legalBasis": {
+ "type": "string",
+ "title": "Legal Basis",
+ "description": "The legal basis under applicable law that authorises data collection or processing for this purpose. Use terminology consistent with the applicable jurisdiction and regulation.",
+ "minLength": 1,
+ "examples": ["consent", "contract", "legitimate interest"]
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
 "dataClassification": {
 "type": "string",
 "title": "Data Classification",
diff --git a/schema/behavior-taxonomy.schema.json b/schema/behavior-taxonomy.schema.json
new file mode 100644
index 000000000..2038cd2ec
--- /dev/null
+++ b/schema/behavior-taxonomy.schema.json
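Review bot: The `jurisdictions` items only constrain `"minLength": 2` even though the description mandates ISO 3166-1 alpha-2 or ISO 3166-2 codes, so values like `"Germany"` or `"us"` validate and downstream regulation lookups keyed on country code will silently miss them; a pattern makes the stated contract checkable: `"pattern": "^[A-Z]{2}(-[A-Z0-9]{1,3})?$"` (two-letter country code, optionally a hyphen and a one-to-three character subdivision code). Separately, `protectedClass` has no `default` and its description covers only the `true` case, so an absent value is indistinguishable from an unassessed subject even though this flag is what triggers the special-category obligations the description lists. I would state how consumers must treat absence, e.g. append `When this property is absent, the protected-class status is unknown and must not be read as false.` to the `protectedClass` description.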
@@ -0,0 +1,1492 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/behavior-taxonomy.schema.json", + "type": "string", + "title": "CycloneDX Behavior Taxonomy", + "description": "An independent taxonomy of behaviours that describe actions performed by entities with security, privacy, safety, or operational implications. This taxonomy is maintained separately from the CycloneDX specification and may evolve at a different rate. The taxonomy uses a hierarchical colon-delimited naming convention with three levels: domain (e.g. security), category (e.g. security:authentication), and specific behaviour (e.g. security:authentication:authenticatesUser). Values at any level of the hierarchy are valid.", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "enum": [ + "ai", + "ai:agent", + "ai:agent:actsOnBehalfOfUser", + "ai:agent:coordinatesAgents", + "ai:agent:delegatesTask", + "ai:agent:executesAction", + "ai:agent:invokesTool", + "ai:agent:observesResult", + "ai:agent:plansAction", + "ai:agent:receivesHumanDelegation", + "ai:agent:reflectsOnResult", + "ai:agent:reportsDelegatedAction", + "ai:agent:requestsUserApproval", + "ai:agent:returnsDelegation", + "ai:agent:revisesPlan", + "ai:explainability", + "ai:explainability:attributesFeatures", + "ai:explainability:documentsModel", + "ai:explainability:explainsDecision", + "ai:explainability:tracesPrediction", + "ai:explainability:visualizesModel", + "ai:fairness", + "ai:fairness:auditsModelFairness", + "ai:fairness:calculatesFairnessMetric", + "ai:fairness:detectsBias", + "ai:fairness:handlesProtectedAttribute", + "ai:fairness:mitigatesBias", + "ai:generative", + "ai:generative:citesSource", + 
"ai:generative:filtersOutput", + "ai:generative:generatesAudio", + "ai:generative:generatesCode", + "ai:generative:generatesEmbedding", + "ai:generative:generatesImage", + "ai:generative:generatesText", + "ai:generative:mitigatesHallucination", + "ai:generative:processesPrompt", + "ai:generative:streamsResponse", + "ai:inference", + "ai:inference:appliesThreshold", + "ai:inference:batchesInference", + "ai:inference:cachesPrediction", + "ai:inference:ensemblesModels", + "ai:inference:generatesPrediction", + "ai:inference:infersInRealTime", + "ai:inference:ranksResults", + "ai:inference:scoresConfidence", + "ai:management", + "ai:management:comparesModels", + "ai:management:deploysModel", + "ai:management:loadsModel", + "ai:management:monitorsModel", + "ai:management:retiresModel", + "ai:management:rollsBackModel", + "ai:management:unloadsModel", + "ai:management:versionsModel", + "ai:quality", + "ai:quality:detectsConceptDrift", + "ai:quality:detectsDataDrift", + "ai:quality:detectsOutlier", + "ai:quality:engineersFeatures", + "ai:quality:selectsFeatures", + "ai:quality:validatesInputData", + "ai:robustness", + "ai:robustness:defendsAgainstAdversarial", + "ai:robustness:detectsAdversarialInput", + "ai:robustness:detectsOutOfDistribution", + "ai:robustness:estimatesUncertainty", + "ai:robustness:validatesRobustness", + "ai:training", + "ai:training:appliesTransferLearning", + "ai:training:checkpointsModel", + "ai:training:fineTunesModel", + "ai:training:ingestsTrainingData", + "ai:training:preprocessesTrainingData", + "ai:training:trainsFederatedly", + "ai:training:trainsModel", + "ai:training:tunesHyperparameters", + "ai:training:validatesModel", + "ai:training:validatesTrainingData", + "application", + "application:codeExecution", + "application:codeExecution:compilesCode", + "application:codeExecution:evaluatesExpression", + "application:codeExecution:executesNativeCommand", + "application:codeExecution:executesScript", + 
"application:codeExecution:interpretsCode", + "application:codeExecution:invokesViaReflection", + "application:codeExecution:loadsCodeDynamically", + "application:configuration", + "application:configuration:detectsEnvironment", + "application:configuration:evaluatesFeatureFlag", + "application:configuration:loadsConfiguration", + "application:configuration:reloadsConfiguration", + "application:controlFlow", + "application:controlFlow:awaitsAsyncResult", + "application:controlFlow:catchesException", + "application:controlFlow:emitsEvent", + "application:controlFlow:handlesEvent", + "application:controlFlow:invokesCallback", + "application:controlFlow:invokesHandler", + "application:controlFlow:invokesMiddleware", + "application:controlFlow:schedulesAsyncOperation", + "application:controlFlow:throwsException", + "application:dependencyManagement", + "application:dependencyManagement:closesCircuitBreaker", + "application:dependencyManagement:fallsBack", + "application:dependencyManagement:injectsDependency", + "application:dependencyManagement:opensCircuitBreaker", + "application:dependencyManagement:resolvesDependency", + "application:externalIntegration", + "application:externalIntegration:callsExternalService", + "application:externalIntegration:consumesEvent", + "application:externalIntegration:publishesEvent", + "application:externalIntegration:receivesWebhook", + "application:observability", + "application:observability:emitsTelemetry", + "application:observability:logsOperation", + "application:observability:recordsMetric", + "application:observability:reportsHealth", + "application:observability:tracesRequest", + "application:requestHandling", + "application:requestHandling:authenticatesRequest", + "application:requestHandling:authorizesRequest", + "application:requestHandling:bindsParameters", + "application:requestHandling:parsesRequest", + "application:requestHandling:receivesHttpRequest", + "application:requestHandling:rejectsRequest", + 
"application:requestHandling:routesRequest", + "application:requestHandling:validatesRequest", + "application:responseGeneration", + "application:responseGeneration:generatesResponse", + "application:responseGeneration:readsCookie", + "application:responseGeneration:redirectsRequest", + "application:responseGeneration:returnsError", + "application:responseGeneration:returnsSuccess", + "application:responseGeneration:sendsHttpResponse", + "application:responseGeneration:setsCookie", + "application:responseGeneration:setsHeader", + "application:stateManagement", + "application:stateManagement:acquiresLock", + "application:stateManagement:beginsTransaction", + "application:stateManagement:commitsTransaction", + "application:stateManagement:createsSessionState", + "application:stateManagement:destroysSessionState", + "application:stateManagement:readsSessionState", + "application:stateManagement:releasesLock", + "application:stateManagement:rollsBackTransaction", + "application:stateManagement:synchronizesState", + "application:stateManagement:updatesSessionState", + "data", + "data:encoding", + "data:encoding:appliesXor", + "data:encoding:decodesBaseSixtyFour", + "data:encoding:decodesUrl", + "data:encoding:encodesBaseSixtyFour", + "data:encoding:encodesUrl", + "data:ingestion", + "data:ingestion:pollsSource", + "data:ingestion:readsFile", + "data:ingestion:readsStream", + "data:ingestion:receivesInput", + "data:ingestion:receivesMessage", + "data:ingestion:receivesRequest", + "data:ingestion:subscribesToFeed", + "data:output", + "data:output:formatsResponse", + "data:output:producesOutput", + "data:output:publishesMessage", + "data:output:rendersTemplate", + "data:output:sendsResponse", + "data:output:serializesObject", + "data:output:streamsOutput", + "data:output:writesFile", + "data:parsing", + "data:parsing:decodesData", + "data:parsing:deserializesObject", + "data:parsing:extractsFields", + "data:parsing:parsesData", + "data:parsing:parsesHtml", + 
"data:parsing:parsesJson", + "data:parsing:parsesXml", + "data:query", + "data:query:executesLdapQuery", + "data:query:executesNoSqlQuery", + "data:query:executesSearch", + "data:query:executesSql", + "data:query:executesXPath", + "data:query:queriesData", + "data:storage", + "data:storage:cachesData", + "data:storage:deletesData", + "data:storage:flushesCache", + "data:storage:invalidatesCache", + "data:storage:retrievesData", + "data:storage:storesData", + "data:storage:updatesData", + "data:transformation", + "data:transformation:aggregatesData", + "data:transformation:compressesData", + "data:transformation:decompressesData", + "data:transformation:encodesData", + "data:transformation:enrichesData", + "data:transformation:filtersData", + "data:transformation:joinsData", + "data:transformation:mapsData", + "data:transformation:normalizesData", + "data:transformation:sortsData", + "data:transformation:transformsData", + "evasion", + "evasion:analysisResistance", + "evasion:analysisResistance:detectsAnalysisTool", + "evasion:analysisResistance:detectsDebugger", + "evasion:analysisResistance:detectsEmulator", + "evasion:analysisResistance:detectsSandbox", + "evasion:analysisResistance:detectsVirtualMachine", + "evasion:analysisResistance:evadesDebugger", + "evasion:analysisResistance:evadesEmulator", + "evasion:analysisResistance:evadesSandbox", + "evasion:analysisResistance:evadesVirtualMachine", + "evasion:analysisResistance:usesTimingEvasion", + "evasion:antiSecurity", + "evasion:antiSecurity:detectsAntivirus", + "evasion:antiSecurity:disablesSecuritySoftware", + "evasion:antiSecurity:evadesAntivirus", + "evasion:antiSecurity:terminatesSecurityProcess", + "evasion:indirection", + "evasion:indirection:resolvesApiDynamically", + "evasion:indirection:usesIndirectCalls", + "evasion:indirection:usesProxyExecution", + "evasion:obfuscation", + "evasion:obfuscation:obfuscatesCode", + "evasion:obfuscation:obfuscatesControlFlow", + "evasion:obfuscation:obfuscatesData", + 
"evasion:obfuscation:obfuscatesStrings", + "evasion:obfuscation:packsCode", + "evasion:obfuscation:unpacksAtRuntime", + "file", + "file:directory", + "file:directory:changesDirectory", + "file:directory:createsDirectory", + "file:directory:deletesDirectory", + "file:directory:listsDirectory", + "file:directory:traversesDirectory", + "file:disk", + "file:disk:decryptsVolume", + "file:disk:encryptsVolume", + "file:disk:formatsVolume", + "file:disk:mountsVolume", + "file:disk:unmountsVolume", + "file:disk:wipesDisk", + "file:operations", + "file:operations:appendsToFile", + "file:operations:checksFileExistence", + "file:operations:closesFile", + "file:operations:copiesFile", + "file:operations:createsFile", + "file:operations:deletesFile", + "file:operations:getsFileAttributes", + "file:operations:movesFile", + "file:operations:opensFile", + "file:operations:readsFile", + "file:operations:renamesFile", + "file:operations:setsFileAttributes", + "file:operations:setsFilePermissions", + "file:operations:writesFile", + "gui", + "gui:display", + "gui:display:displaysData", + "gui:display:monitorsDisplay", + "gui:display:updatesDisplay", + "gui:session", + "gui:session:displaysLogin", + "gui:session:interactsWithSession", + "gui:session:switchesSession", + "gui:window", + "gui:window:capturesWindow", + "gui:window:createsWindow", + "gui:window:destroysWindow", + "gui:window:enumeratesWindows", + "gui:window:interactsWithTaskbar", + "gui:window:modifiesWindow", + "hardware", + "hardware:actuator", + "hardware:actuator:calibratesActuator", + "hardware:actuator:controlsBattery", + "hardware:actuator:controlsHeating", + "hardware:actuator:controlsLed", + "hardware:actuator:controlsMotor", + "hardware:actuator:controlsPower", + "hardware:actuator:controlsPump", + "hardware:actuator:controlsTemperature", + "hardware:boot", + "hardware:boot:entersRecoveryMode", + "hardware:boot:executesSecureBoot", + "hardware:boot:locksBootConfiguration", + 
"hardware:boot:modifiesBootConfiguration", + "hardware:boot:readsBootConfiguration", + "hardware:boot:recordsBootMeasurement", + "hardware:boot:verifiesBootLoader", + "hardware:firmware", + "hardware:firmware:monitorsFirmwareIntegrity", + "hardware:firmware:preventsFirmwareRollback", + "hardware:firmware:readsFirmwareVersion", + "hardware:firmware:updatesFirmware", + "hardware:firmware:verifiesFirmwareSignature", + "hardware:memory", + "hardware:memory:encryptsMemory", + "hardware:memory:isolatesMemory", + "hardware:memory:protectsStack", + "hardware:memory:randomizesAddressSpace", + "hardware:memory:readsProtectedMemory", + "hardware:memory:writesProtectedMemory", + "hardware:peripheral", + "hardware:peripheral:accessesCamera", + "hardware:peripheral:accessesDisplay", + "hardware:peripheral:accessesGpio", + "hardware:peripheral:accessesJtag", + "hardware:peripheral:accessesKeyboard", + "hardware:peripheral:accessesStorageDevice", + "hardware:peripheral:accessesUsbDevice", + "hardware:peripheral:configuresDma", + "hardware:peripheral:protectsDma", + "hardware:physicalSecurity", + "hardware:physicalSecurity:detectsPhysicalTamper", + "hardware:physicalSecurity:disablesDebugInterface", + "hardware:physicalSecurity:enablesDebugInterface", + "hardware:physicalSecurity:monitorsEnclosure", + "hardware:physicalSecurity:respondsToTamper", + "hardware:physicalSecurity:zeroizesKeys", + "hardware:security", + "hardware:security:anchorsInHardwareRoot", + "hardware:security:executesInTee", + "hardware:security:generatesPufResponse", + "hardware:security:usesHsm", + "hardware:security:usesSecureElement", + "hardware:sensor", + "hardware:sensor:calibratesSensor", + "hardware:sensor:readsBatteryStatus", + "hardware:sensor:readsBloodOxygen", + "hardware:sensor:readsBloodPressure", + "hardware:sensor:readsCoTwoLevel", + "hardware:sensor:readsEcg", + "hardware:sensor:readsPowerStatus", + "hardware:sensor:readsTemperature", + "hardware:sideChannelDefense", + 
"hardware:sideChannelDefense:controlsEmEmissions", + "hardware:sideChannelDefense:resistsFaultInjection", + "hardware:sideChannelDefense:resistsPowerAnalysis", + "hardware:sideChannelDefense:resistsTimingAnalysis", + "network", + "network:connection", + "network:connection:acceptsConnection", + "network:connection:detectsConnectionLoss", + "network:connection:establishesConnection", + "network:connection:reconnects", + "network:connection:reusesConnection", + "network:connection:sendsHeartbeat", + "network:connection:terminatesConnection", + "network:discovery", + "network:discovery:advertisesService", + "network:discovery:discoversService", + "network:discovery:enumeratesInterfaces", + "network:discovery:probesPort", + "network:discovery:queriesDns", + "network:discovery:resolvesName", + "network:discovery:scansNetwork", + "network:protocol", + "network:protocol:downgradesProtocol", + "network:protocol:framesMessage", + "network:protocol:negotiatesProtocol", + "network:protocol:parsesMessage", + "network:protocol:retransmitsMessage", + "network:protocol:upgradesProtocol", + "network:protocol:validatesMessage", + "network:remoteInteraction", + "network:remoteInteraction:accessesRemoteDesktop", + "network:remoteInteraction:accessesRemoteShell", + "network:remoteInteraction:executesRemoteCommand", + "network:remoteInteraction:invokesRemoteProcedure", + "network:remoteInteraction:sendsEmail", + "network:remoteInteraction:sendsSms", + "network:remoteInteraction:transfersFile", + "network:routing", + "network:routing:configuresProxy", + "network:routing:forwardsPacket", + "network:routing:redirectsTraffic", + "network:routing:routesTraffic", + "network:routing:tunnelsTraffic", + "network:trafficControl", + "network:trafficControl:balancesLoad", + "network:trafficControl:filtersTraffic", + "network:trafficControl:inspectsTraffic", + "network:trafficControl:interceptsTraffic", + "network:trafficControl:limitsRate", + "network:trafficControl:modifiesTraffic", + 
"network:trafficControl:shapesTraffic", + "network:transmission", + "network:transmission:broadcastsData", + "network:transmission:multicastsData", + "network:transmission:receivesData", + "network:transmission:sendsData", + "network:transmission:streamsData", + "privacy", + "privacy:collection", + "privacy:collection:capturesAudio", + "privacy:collection:capturesKeystrokes", + "privacy:collection:capturesScreen", + "privacy:collection:capturesVideo", + "privacy:collection:collectsBehavioralData", + "privacy:collection:collectsBiometricData", + "privacy:collection:collectsCommunicationContent", + "privacy:collection:collectsDeviceInformation", + "privacy:collection:collectsFinancialData", + "privacy:collection:collectsHealthData", + "privacy:collection:collectsInBackground", + "privacy:collection:collectsLocationData", + "privacy:collection:collectsPersonalData", + "privacy:collection:collectsSilently", + "privacy:collection:readsBrowserHistory", + "privacy:collection:readsClipboard", + "privacy:deletion", + "privacy:deletion:clearsCache", + "privacy:deletion:deletesPersonalData", + "privacy:deletion:erasesSecurely", + "privacy:deletion:purgesFromBackup", + "privacy:deletion:redactsData", + "privacy:inference", + "privacy:inference:correlatesData", + "privacy:inference:createsProfile", + "privacy:inference:fingerprintsDevice", + "privacy:inference:infersPersonalInformation", + "privacy:inference:linksIdentities", + "privacy:inference:tracksUser", + "privacy:minimization", + "privacy:minimization:aggregatesData", + "privacy:minimization:anonymizesData", + "privacy:minimization:filtersData", + "privacy:minimization:generalizesData", + "privacy:minimization:limitsCollection", + "privacy:minimization:limitsProcessing", + "privacy:minimization:pseudonymizesData", + "privacy:privacyEnhancement", + "privacy:privacyEnhancement:addsDifferentialPrivacy", + "privacy:privacyEnhancement:computesMultiparty", + "privacy:privacyEnhancement:processesHomomorphically", + 
"privacy:privacyEnhancement:processesLocally",
+ "privacy:retention",
+ "privacy:retention:archivesData",
+ "privacy:retention:backsUpData",
+ "privacy:retention:enforcesRetentionPeriod",
+ "privacy:retention:retainsBeyondPurpose",
+ "privacy:retention:retainsInCache",
+ "privacy:retention:retainsInLog",
+ "privacy:retention:storesPersonalData",
+ "privacy:sharing",
+ "privacy:sharing:disclosesToThirdParty",
+ "privacy:sharing:exportsData",
+ "privacy:sharing:publishesData",
+ "privacy:sharing:sellsData",
+ "privacy:sharing:sharesWithAffiliate",
+ "privacy:sharing:transfersCrossBorder",
+ "privacy:subjectRights",
+ "privacy:subjectRights:correctsData",
+ "privacy:subjectRights:exportsDataPortably",
+ "privacy:subjectRights:honorsErasureRequest",
+ "privacy:subjectRights:honorsObjection",
+ "privacy:subjectRights:providesDataAccess",
+ "privacy:subjectRights:restrictsProcessing",
+ "privacy:transparency",
+ "privacy:transparency:disclosesProcessing",
+ "privacy:transparency:displaysPrivacyNotice",
+ "privacy:transparency:explainsAutomatedDecision",
+ "privacy:transparency:recordsConsent",
+ "privacy:transparency:requestsConsent",
+ "privacy:transparency:withdrawsConsent",
+ "safety",
+ "safety:autonomousBehavior",
+ "safety:autonomousBehavior:acceptsOverride",
+ "safety:autonomousBehavior:enforcesHumanInLoop",
+ "safety:autonomousBehavior:explainsDecision",
+ "safety:autonomousBehavior:requestsGuidance",
+ "safety:autonomousBehavior:respectsDecisionBoundary",
+ "safety:contentSafety",
+ "safety:contentSafety:detectsHarmfulContent",
+ "safety:contentSafety:detectsMisinformation",
+ "safety:contentSafety:enforcesAgeRestriction",
+ "safety:contentSafety:filtersContent",
+ "safety:contentSafety:labelsContent",
+ "safety:harmPrevention",
+ "safety:harmPrevention:preventsEnvironmentalHarm",
+ "safety:harmPrevention:preventsPropertyDamage",
+ "safety:harmPrevention:preventsUserHarm",
+ "safety:harmPrevention:protectsBystanders",
+ "safety:hazardManagement",
+
"safety:hazardManagement:assessesRisk",
+ "safety:hazardManagement:identifiesHazard",
+ "safety:hazardManagement:mitigatesHazard",
+ "safety:hazardManagement:reportsHazard",
+ "safety:humanInteraction",
+ "safety:humanInteraction:adaptsForAccessibility",
+ "safety:humanInteraction:managesCognitiveLoad",
+ "safety:humanInteraction:requestsConfirmation",
+ "safety:humanInteraction:warnsOperator",
+ "safety:operationalSafety",
+ "safety:operationalSafety:acceptsManualOverride",
+ "safety:operationalSafety:enforcesInterlock",
+ "safety:operationalSafety:enforcesOperatingLimits",
+ "safety:operationalSafety:executesEmergencyStop",
+ "safety:operationalSafety:monitorsWatchdog",
+ "safety:operationalSafety:validatesSafetyCondition",
+ "security",
+ "security:auditing",
+ "security:auditing:logsEvent",
+ "security:auditing:logsSecurityEvent",
+ "security:auditing:protectsAuditLog",
+ "security:auditing:purgesLog",
+ "security:auditing:rotatesLog",
+ "security:auditing:signsLogEntry",
+ "security:auditing:timestampsEvent",
+ "security:auditing:transmitsLog",
+ "security:authentication",
+ "security:authentication:authenticatesDevice",
+ "security:authentication:authenticatesService",
+ "security:authentication:authenticatesUser",
+ "security:authentication:bypassesAuthentication",
+ "security:authentication:capturesBiometric",
+ "security:authentication:delegatesAuthentication",
+ "security:authentication:failsAuthentication",
+ "security:authentication:locksAccount",
+ "security:authentication:performsMultiFactorAuthentication",
+ "security:authentication:promptsForCredentials",
+ "security:authentication:unlocksAccount",
+ "security:authentication:validatesBiometric",
+ "security:authentication:validatesCredentials",
+ "security:authorization",
+ "security:authorization:checksPermission",
+ "security:authorization:delegatesAuthority",
+ "security:authorization:deniesAccess",
+ "security:authorization:enforcesRole",
+ "security:authorization:escalatesPrivilege",
+
"security:authorization:evaluatesAttributes",
+ "security:authorization:evaluatesPolicy",
+ "security:authorization:grantsAccess",
+ "security:authorization:grantsImpersonation",
+ "security:authorization:impersonatesUser",
+ "security:authorization:requestsImpersonation",
+ "security:authorization:revokesAccess",
+ "security:authorization:revokesImpersonation",
+ "security:cryptography",
+ "security:cryptography:authenticates",
+ "security:cryptography:checksRevocation",
+ "security:cryptography:decryptsData",
+ "security:cryptography:decryptsDataAtRest",
+ "security:cryptography:decryptsDataInTransit",
+ "security:cryptography:decryptsDisk",
+ "security:cryptography:decryptsSecret",
+ "security:cryptography:destroysKey",
+ "security:cryptography:encryptsData",
+ "security:cryptography:encryptsDataAtRest",
+ "security:cryptography:encryptsDataInTransit",
+ "security:cryptography:encryptsDisk",
+ "security:cryptography:encryptsSecret",
+ "security:cryptography:ensuresAccountability",
+ "security:cryptography:ensuresConfidentiality",
+ "security:cryptography:ensuresIntegrity",
+ "security:cryptography:ensuresNonRepudiation",
+ "security:cryptography:exchangesKey",
+ "security:cryptography:generatesKey",
+ "security:cryptography:generatesRandomValue",
+ "security:cryptography:hashesData",
+ "security:cryptography:hashesPassword",
+ "security:cryptography:identifies",
+ "security:cryptography:issuesCertificate",
+ "security:cryptography:preservesPrivacy",
+ "security:cryptography:presentsClientCertificate",
+ "security:cryptography:presentsServerCertificate",
+ "security:cryptography:retrievesKey",
+ "security:cryptography:revokesCertificate",
+ "security:cryptography:rotatesKey",
+ "security:cryptography:signsCode",
+ "security:cryptography:signsData",
+ "security:cryptography:signsDocument",
+ "security:cryptography:storesKey",
+ "security:cryptography:usesIdentity",
+ "security:cryptography:validatesCertificate",
+ "security:cryptography:validatesToken",
+
"security:cryptography:verifiesCodeSignature",
+ "security:cryptography:verifiesDataSignature",
+ "security:cryptography:verifiesDocumentSignature",
+ "security:cryptography:verifiesHash",
+ "security:cryptography:verifiesSignature",
+ "security:cryptography:wrapsKey",
+ "security:errorHandling",
+ "security:errorHandling:catchesException",
+ "security:errorHandling:disclosesErrorDetails",
+ "security:errorHandling:failsClosed",
+ "security:errorHandling:failsOpen",
+ "security:errorHandling:generatesError",
+ "security:errorHandling:logsError",
+ "security:errorHandling:propagatesError",
+ "security:errorHandling:returnsGenericError",
+ "security:errorHandling:suppressesError",
+ "security:inputHandling",
+ "security:inputHandling:escapesInput",
+ "security:inputHandling:normalizesInput",
+ "security:inputHandling:rejectsInvalidInput",
+ "security:inputHandling:sanitizesInput",
+ "security:inputHandling:truncatesInput",
+ "security:inputHandling:validatesFormat",
+ "security:inputHandling:validatesRange",
+ "security:inputHandling:validatesSchema",
+ "security:integrity",
+ "security:integrity:attestsIntegrity",
+ "security:integrity:detectsTampering",
+ "security:integrity:respondsToTampering",
+ "security:integrity:validatesComponent",
+ "security:integrity:verifiesIntegrity",
+ "security:integrity:verifiesProvenance",
+ "security:outputHandling",
+ "security:outputHandling:encodesOutput",
+ "security:outputHandling:enforcesContentPolicy",
+ "security:outputHandling:escapesOutput",
+ "security:outputHandling:filtersOutput",
+ "security:outputHandling:masksOutput",
+ "security:outputHandling:setsSecurityHeader",
+ "security:session",
+ "security:session:createsSession",
+ "security:session:detectsSessionHijacking",
+ "security:session:invalidatesSession",
+ "security:session:refreshesSession",
+ "security:session:regeneratesSessionId",
+ "security:session:terminatesSession",
+ "security:session:validatesSession",
+ "security:threatResponse",
+
"security:threatResponse:blocksRequest",
+ "security:threatResponse:blocksSource",
+ "security:threatResponse:collectsForensicData",
+ "security:threatResponse:detectsAnomaly",
+ "security:threatResponse:detectsIntrusion",
+ "security:threatResponse:initiatesIncidentResponse",
+ "security:threatResponse:quarantinesElement",
+ "security:threatResponse:raisesAlert",
+ "system",
+ "system:configuration",
+ "system:configuration:deletesRegistryKey",
+ "system:configuration:modifiesGroupPolicy",
+ "system:configuration:readsConfigurationFile",
+ "system:configuration:readsEnvironmentVariable",
+ "system:configuration:readsGroupPolicy",
+ "system:configuration:readsRegistry",
+ "system:configuration:setsEnvironmentVariable",
+ "system:configuration:writesConfigurationFile",
+ "system:configuration:writesRegistry",
+ "system:informationGathering",
+ "system:informationGathering:detectsOsVersion",
+ "system:informationGathering:gathersSystemInformation",
+ "system:informationGathering:queriesHardwareInformation",
+ "system:informationGathering:retrievesHostname",
+ "system:kernelInteraction",
+ "system:kernelInteraction:hooksKernelFunction",
+ "system:kernelInteraction:installsDriver",
+ "system:kernelInteraction:readsKernelMemory",
+ "system:kernelInteraction:writesKernelMemory",
+ "system:lifecycle",
+ "system:lifecycle:appliesUpdate",
+ "system:lifecycle:decommissions",
+ "system:lifecycle:initializes",
+ "system:lifecycle:performsSelfTest",
+ "system:lifecycle:provisions",
+ "system:lifecycle:rollsBack",
+ "system:lifecycle:shutsDown",
+ "system:operationalState",
+ "system:operationalState:entersFailSafeState",
+ "system:operationalState:entersFailSecureState",
+ "system:operationalState:operatesInDegradedMode",
+ "system:operationalState:operatesNormally",
+ "system:operationalState:performsEmergencyShutdown",
+ "system:persistence",
+ "system:persistence:createsScheduledTask",
+ "system:persistence:installsAsService",
+ "system:persistence:loadsAsKernelModule",
+
"system:persistence:registersForStartup",
+ "system:persistence:removesPersistence",
+ "system:processControl",
+ "system:processControl:createsProcess",
+ "system:processControl:dumpsProcessMemory",
+ "system:processControl:enumeratesProcesses",
+ "system:processControl:hooksFunction",
+ "system:processControl:injectsCodeIntoProcess",
+ "system:processControl:modifiesProcess",
+ "system:processControl:resumesProcess",
+ "system:processControl:suspendsProcess",
+ "system:processControl:terminatesProcess",
+ "system:resilience",
+ "system:resilience:activatesRedundancy",
+ "system:resilience:degradesGracefully",
+ "system:resilience:detectsFault",
+ "system:resilience:recoversFromFailure",
+ "system:resilience:toleratesFault",
+ "system:resourceManagement",
+ "system:resourceManagement:allocatesMemory",
+ "system:resourceManagement:deallocatesMemory",
+ "system:resourceManagement:handlesResourceExhaustion",
+ "system:resourceManagement:managesPowerState",
+ "system:resourceManagement:readsFromStorage",
+ "system:resourceManagement:resumesThread",
+ "system:resourceManagement:spawnsThread",
+ "system:resourceManagement:suspendsThread",
+ "system:resourceManagement:terminatesThread",
+ "system:resourceManagement:writesToStorage",
+ "system:serviceControl",
+ "system:serviceControl:createsService",
+ "system:serviceControl:deletesService",
+ "system:serviceControl:enumeratesServices",
+ "system:serviceControl:modifiesService",
+ "system:serviceControl:startsService",
+ "system:serviceControl:stopsService",
+ "system:synchronization",
+ "system:synchronization:acquiresMutex",
+ "system:synchronization:releasesMutex",
+ "system:synchronization:signalsEvent",
+ "system:synchronization:signalsSemaphore",
+ "system:synchronization:waitsOnEvent",
+ "system:synchronization:waitsOnSemaphore",
+ "system:timing",
+ "system:timing:delaysExecution",
+ "system:timing:enforcesDeadline",
+ "system:timing:executesScheduledTask",
+ "system:timing:resetsWatchdog",
+
"system:timing:synchronizesClock",
+ "system:timing:triggersTimeout",
+ "system:timing:waits",
+ "system:userManagement",
+ "system:userManagement:createsUserAccount",
+ "system:userManagement:deletesUserAccount",
+ "system:userManagement:elevatesPrivileges",
+ "system:userManagement:enumeratesUsers",
+ "system:userManagement:impersonatesUser",
+ "system:userManagement:modifiesUserAccount"
+ ],
+ "meta:enum": {
+ "ai": "Behaviours relating to artificial intelligence and machine learning operations.",
+ "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.",
+ "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.",
+ "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.",
+ "ai:agent:delegatesTask": "The entity assigns work to another agent.",
+ "ai:agent:executesAction": "The entity performs planned step.",
+ "ai:agent:invokesTool": "The entity calls external capability.",
+ "ai:agent:observesResult": "The entity captures action outcome.",
+ "ai:agent:plansAction": "The entity determines steps to achieve goal.",
+ "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.",
+ "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.",
+ "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.",
+ "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.",
+ "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.",
+ "ai:agent:revisesPlan": "The entity modifies approach based on results.",
+ "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.",
+ "ai:explainability:attributesFeatures": "The entity identifies influential inputs.",
+ "ai:explainability:documentsModel": "The entity records model design and behaviour.",
+ "ai:explainability:explainsDecision": "The entity provides human-readable rationale.",
+ "ai:explainability:tracesPrediction": "The entity records basis for output.",
+ "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.",
+ "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.",
+ "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.",
+ "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.",
+ "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.",
+ "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.",
+ "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.",
+ "ai:generative": "Behaviours that produce content using generative models.",
+ "ai:generative:citesSource": "The entity attributes generated content.",
+ "ai:generative:filtersOutput": "The entity screens generated content.",
+ "ai:generative:generatesAudio": "The entity produces sound content.",
+ "ai:generative:generatesCode": "The entity produces executable code.",
+ "ai:generative:generatesEmbedding": "The entity produces vector representation.",
+ "ai:generative:generatesImage": "The entity produces visual content.",
+ "ai:generative:generatesText": "The entity produces natural language.",
+ "ai:generative:mitigatesHallucination": "The entity reduces false content generation.",
+ "ai:generative:processesPrompt": "The entity interprets user instruction.",
+ "ai:generative:streamsResponse": "The entity delivers output incrementally.",
+ "ai:inference": "Behaviours that generate predictions using trained models.",
+ "ai:inference:appliesThreshold": "The entity uses decision boundary.",
+ "ai:inference:batchesInference": "The entity processes multiple inputs together.",
+ "ai:inference:cachesPrediction": "The entity stores prediction for reuse.",
+ "ai:inference:ensemblesModels": "The entity combines multiple model outputs.",
+ "ai:inference:generatesPrediction": "The entity produces model output.",
+
"ai:inference:infersInRealTime": "The entity generates prediction with low latency.",
+ "ai:inference:ranksResults": "The entity orders predictions by relevance.",
+ "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.",
+ "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.",
+ "ai:management:comparesModels": "The entity evaluates relative model performance.",
+ "ai:management:deploysModel": "The entity places model into service.",
+ "ai:management:loadsModel": "The entity retrieves model for use.",
+ "ai:management:monitorsModel": "The entity observes model performance.",
+ "ai:management:retiresModel": "The entity removes model from service.",
+ "ai:management:rollsBackModel": "The entity reverts to previous version.",
+ "ai:management:unloadsModel": "The entity removes model from memory.",
+ "ai:management:versionsModel": "The entity tracks model versions.",
+ "ai:quality": "Behaviours that monitor and maintain model and data quality.",
+ "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.",
+ "ai:quality:detectsDataDrift": "The entity identifies input distribution change.",
+ "ai:quality:detectsOutlier": "The entity identifies anomalous input.",
+ "ai:quality:engineersFeatures": "The entity transforms raw data for model.",
+ "ai:quality:selectsFeatures": "The entity chooses relevant input features.",
+ "ai:quality:validatesInputData": "The entity checks inference input quality.",
+ "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.",
+ "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.",
+ "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.",
+ "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.",
+ "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.",
+
"ai:robustness:validatesRobustness": "The entity tests model resilience.",
+ "ai:training": "Behaviours that prepare data and train machine learning models.",
+ "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.",
+ "ai:training:checkpointsModel": "The entity saves model state during training.",
+ "ai:training:fineTunesModel": "The entity refines model for specific task.",
+ "ai:training:ingestsTrainingData": "The entity acquires data for training.",
+ "ai:training:preprocessesTrainingData": "The entity prepares data for training.",
+ "ai:training:trainsFederatedly": "The entity trains on distributed data.",
+ "ai:training:trainsModel": "The entity adjusts model parameters.",
+ "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.",
+ "ai:training:validatesModel": "The entity evaluates model during training.",
+ "ai:training:validatesTrainingData": "The entity checks training data quality.",
+ "application": "Behaviours relating to application-level request processing and business logic.",
+ "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.",
+ "application:codeExecution:compilesCode": "The entity transforms source to executable form.",
+ "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.",
+ "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.",
+ "application:codeExecution:executesScript": "The entity runs script code.",
+ "application:codeExecution:interpretsCode": "The entity executes code without compilation.",
+ "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.",
+ "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.",
+ "application:configuration": "Behaviours that load and manage application configuration settings.",
+ "application:configuration:detectsEnvironment": "The entity 
determines deployment context.",
+ "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.",
+ "application:configuration:loadsConfiguration": "The entity reads configuration settings.",
+ "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.",
+ "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.",
+ "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.",
+ "application:controlFlow:catchesException": "The entity handles an error condition.",
+ "application:controlFlow:emitsEvent": "The entity triggers an event.",
+ "application:controlFlow:handlesEvent": "The entity responds to an event.",
+ "application:controlFlow:invokesCallback": "The entity executes a callback function.",
+ "application:controlFlow:invokesHandler": "The entity calls a request handler.",
+ "application:controlFlow:invokesMiddleware": "The entity executes middleware component.",
+ "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.",
+ "application:controlFlow:throwsException": "The entity raises an error condition.",
+ "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.",
+ "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.",
+ "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.",
+ "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.",
+ "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.",
+ "application:dependencyManagement:resolvesDependency": "The entity locates required component.",
+ "application:externalIntegration": "Behaviours that communicate with external services and systems.",
+
"application:externalIntegration:callsExternalService": "The entity invokes an external API.",
+ "application:externalIntegration:consumesEvent": "The entity receives event from external system.",
+ "application:externalIntegration:publishesEvent": "The entity sends event to external system.",
+ "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.",
+ "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.",
+ "application:observability:emitsTelemetry": "The entity transmits operational data.",
+ "application:observability:logsOperation": "The entity records an operational event.",
+ "application:observability:recordsMetric": "The entity captures a quantitative measurement.",
+ "application:observability:reportsHealth": "The entity communicates operational status.",
+ "application:observability:tracesRequest": "The entity tracks request across services.",
+ "application:requestHandling": "Behaviours that receive and process incoming requests.",
+ "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.",
+ "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.",
+ "application:requestHandling:bindsParameters": "The entity maps request data to parameters.",
+ "application:requestHandling:parsesRequest": "The entity interprets incoming request.",
+ "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.",
+ "application:requestHandling:rejectsRequest": "The entity refuses to process request.",
+ "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.",
+ "application:requestHandling:validatesRequest": "The entity verifies request validity.",
+ "application:responseGeneration": "Behaviours that construct and transmit responses to requests.",
+ "application:responseGeneration:generatesResponse": "The entity creates a response.",
+
"application:responseGeneration:readsCookie": "The entity retrieves cookie value.",
+ "application:responseGeneration:redirectsRequest": "The entity sends client to different location.",
+ "application:responseGeneration:returnsError": "The entity indicates failure.",
+ "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.",
+ "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.",
+ "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.",
+ "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.",
+ "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.",
+ "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.",
+ "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.",
+ "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.",
+ "application:stateManagement:createsSessionState": "The entity initialises session data.",
+ "application:stateManagement:destroysSessionState": "The entity removes session data.",
+ "application:stateManagement:readsSessionState": "The entity retrieves session data.",
+ "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.",
+ "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.",
+ "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.",
+ "application:stateManagement:updatesSessionState": "The entity modifies session data.",
+ "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.",
+ "data:encoding": "Behaviours that apply specific encoding schemes to data.",
+ "data:encoding:appliesXor": "The entity transforms data using XOR operation.",
+
"data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.",
+ "data:encoding:decodesUrl": "The entity converts URL-encoded data.",
+ "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.",
+ "data:encoding:encodesUrl": "The entity converts data for URL inclusion.",
+ "data:ingestion": "Behaviours that acquire data from external sources.",
+ "data:ingestion:pollsSource": "The entity periodically checks for new data.",
+ "data:ingestion:readsFile": "The entity retrieves data from a file.",
+ "data:ingestion:readsStream": "The entity consumes data from a continuous source.",
+ "data:ingestion:receivesInput": "The entity accepts data from an external source.",
+ "data:ingestion:receivesMessage": "The entity accepts a message from a queue.",
+ "data:ingestion:receivesRequest": "The entity accepts an incoming request.",
+ "data:ingestion:subscribesToFeed": "The entity registers to receive updates.",
+ "data:output": "Behaviours that produce and transmit data to external consumers.",
+ "data:output:formatsResponse": "The entity structures data for delivery.",
+ "data:output:producesOutput": "The entity generates data for consumption.",
+ "data:output:publishesMessage": "The entity sends a message to a queue.",
+ "data:output:rendersTemplate": "The entity generates output from a template.",
+ "data:output:sendsResponse": "The entity transmits a reply.",
+ "data:output:serializesObject": "The entity converts object to transmittable form.",
+ "data:output:streamsOutput": "The entity continuously produces data.",
+ "data:output:writesFile": "The entity saves data to a file.",
+ "data:parsing": "Behaviours that interpret and extract information from structured data formats.",
+ "data:parsing:decodesData": "The entity converts encoded data to original form.",
+ "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.",
+ "data:parsing:extractsFields": "The entity isolates specific data elements.",
+
"data:parsing:parsesData": "The entity interprets structured data.",
+ "data:parsing:parsesHtml": "The entity interprets HTML content.",
+ "data:parsing:parsesJson": "The entity interprets JSON-formatted data.",
+ "data:parsing:parsesXml": "The entity interprets XML-formatted data.",
+ "data:query": "Behaviours that retrieve data based on specified criteria.",
+ "data:query:executesLdapQuery": "The entity queries an LDAP directory.",
+ "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.",
+ "data:query:executesSearch": "The entity performs full-text or indexed search.",
+ "data:query:executesSql": "The entity runs a SQL statement.",
+ "data:query:executesXPath": "The entity evaluates an XPath expression.",
+ "data:query:queriesData": "The entity retrieves data matching criteria.",
+ "data:storage": "Behaviours that persist and retrieve data from storage systems.",
+ "data:storage:cachesData": "The entity stores data for quick retrieval.",
+ "data:storage:deletesData": "The entity removes stored data.",
+ "data:storage:flushesCache": "The entity writes cached data to persistent storage.",
+ "data:storage:invalidatesCache": "The entity marks cached data as stale.",
+ "data:storage:retrievesData": "The entity fetches stored data.",
+ "data:storage:storesData": "The entity saves data persistently.",
+ "data:storage:updatesData": "The entity modifies stored data.",
+ "data:transformation": "Behaviours that convert data from one form or structure to another.",
+ "data:transformation:aggregatesData": "The entity combines multiple values.",
+ "data:transformation:compressesData": "The entity reduces data size.",
+ "data:transformation:decompressesData": "The entity restores compressed data.",
+ "data:transformation:encodesData": "The entity converts data to encoded form.",
+ "data:transformation:enrichesData": "The entity adds information from external sources.",
+ "data:transformation:filtersData": "The entity removes unwanted elements.",
+
"data:transformation:joinsData": "The entity combines data from multiple sources.",
+ "data:transformation:mapsData": "The entity converts between data structures.",
+ "data:transformation:normalizesData": "The entity converts to standard form.",
+ "data:transformation:sortsData": "The entity orders data elements.",
+ "data:transformation:transformsData": "The entity converts data from one form to another.",
+ "evasion": "Behaviours relating to techniques that avoid detection and analysis.",
+ "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.",
+ "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.",
+ "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.",
+ "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.",
+ "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.",
+ "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.",
+ "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.",
+ "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.",
+ "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.",
+ "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.",
+ "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.",
+ "evasion:antiSecurity": "Behaviours that detect and disable security software.",
+ "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.",
+ "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.",
+ "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.",
+ "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.",
+ "evasion:indirection": 
"Behaviours that use indirect methods to execute code.",
+ "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.",
+ "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.",
+ "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.",
+ "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.",
+ "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.",
+ "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.",
+ "evasion:obfuscation:obfuscatesData": "The entity hides data structures.",
+ "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.",
+ "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.",
+ "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.",
+ "file": "Behaviours relating to file system operations and disk management.",
+ "file:directory": "Behaviours that create and navigate directory structures.",
+ "file:directory:changesDirectory": "The entity sets current working directory.",
+ "file:directory:createsDirectory": "The entity creates a new directory.",
+ "file:directory:deletesDirectory": "The entity removes a directory.",
+ "file:directory:listsDirectory": "The entity enumerates directory contents.",
+ "file:directory:traversesDirectory": "The entity recursively explores directories.",
+ "file:disk": "Behaviours that manage storage volumes and disk-level operations.",
+ "file:disk:decryptsVolume": "The entity decrypts a storage volume.",
+ "file:disk:encryptsVolume": "The entity encrypts a storage volume.",
+ "file:disk:formatsVolume": "The entity prepares storage for use.",
+ "file:disk:mountsVolume": "The entity attaches a storage volume.",
+ "file:disk:unmountsVolume": "The entity detaches a storage volume.",
+ "file:disk:wipesDisk": "The entity securely erases disk contents.",
+
"file:operations": "Behaviours that create and manipulate files.", + "file:operations:appendsToFile": "The entity adds data to end of file.", + "file:operations:checksFileExistence": "The entity verifies whether a file exists.", + "file:operations:closesFile": "The entity releases file access.", + "file:operations:copiesFile": "The entity duplicates a file.", + "file:operations:createsFile": "The entity creates a new file.", + "file:operations:deletesFile": "The entity removes a file.", + "file:operations:getsFileAttributes": "The entity retrieves file metadata.", + "file:operations:movesFile": "The entity relocates a file.", + "file:operations:opensFile": "The entity prepares a file for access.", + "file:operations:readsFile": "The entity retrieves file contents.", + "file:operations:renamesFile": "The entity changes a file name.", + "file:operations:setsFileAttributes": "The entity modifies file metadata.", + "file:operations:setsFilePermissions": "The entity modifies file access permissions.", + "file:operations:writesFile": "The entity modifies file contents.", + "gui": "Behaviours relating to graphical user interface interactions.", + "gui:display": "Behaviours that render and monitor visual output.", + "gui:display:displaysData": "The entity renders information visually.", + "gui:display:monitorsDisplay": "The entity observes displayed content.", + "gui:display:updatesDisplay": "The entity refreshes visual presentation.", + "gui:session": "Behaviours that interact with user login sessions.", + "gui:session:displaysLogin": "The entity presents login interface.", + "gui:session:interactsWithSession": "The entity operates within user session.", + "gui:session:switchesSession": "The entity changes active user session.", + "gui:window": "Behaviours that create and manipulate graphical windows.", + "gui:window:capturesWindow": "The entity captures window contents.", + "gui:window:createsWindow": "The entity creates a graphical window.", + 
"gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": "The entity lists open windows.", + "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.", + "gui:window:modifiesWindow": "The entity changes window properties.", + "hardware": "Behaviours relating to hardware components and physical device interactions.", + "hardware:actuator": "Behaviours that control physical actuators and output devices.", + "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", + "hardware:actuator:controlsBattery": "The entity manages battery charging.", + "hardware:actuator:controlsHeating": "The entity manages heating element.", + "hardware:actuator:controlsLed": "The entity manages LED indicator.", + "hardware:actuator:controlsMotor": "The entity manages motor operation.", + "hardware:actuator:controlsPower": "The entity manages power distribution.", + "hardware:actuator:controlsPump": "The entity manages fluid pump.", + "hardware:actuator:controlsTemperature": "The entity regulates temperature.", + "hardware:boot": "Behaviours that verify and configure system startup processes.", + "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", + "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", + "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", + "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", + "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", + "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", + "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", + "hardware:firmware": "Behaviours that manage and verify firmware integrity.", + "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", + "hardware:firmware:preventsFirmwareRollback": "The entity blocks 
reversion to old firmware.", + "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", + "hardware:firmware:updatesFirmware": "The entity applies firmware changes.", + "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", + "hardware:memory": "Behaviours that protect and isolate memory regions.", + "hardware:memory:encryptsMemory": "The entity protects memory contents.", + "hardware:memory:isolatesMemory": "The entity separates memory regions.", + "hardware:memory:protectsStack": "The entity defends against stack attacks.", + "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", + "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", + "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", + "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", + "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.", + "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", + "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", + "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", + "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", + "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", + "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", + "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", + "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", + "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", + "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", + "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", + 
"hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", + "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", + "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", + "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", + "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", + "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", + "hardware:security:executesInTee": "The entity runs in trusted execution environment.", + "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", + "hardware:security:usesHsm": "The entity employs hardware security module.", + "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", + "hardware:sensor": "Behaviours that read measurements from hardware sensors.", + "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", + "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", + "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", + "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", + "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", + "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", + "hardware:sensor:readsPowerStatus": "The entity obtains power state.", + "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", + "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", + "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", + "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", + "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity 
protects against power-based attacks.", + "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", + "network": "Behaviours relating to network communication and data transmission between systems.", + "network:connection": "Behaviours that establish and manage network connections.", + "network:connection:acceptsConnection": "The entity receives an incoming connection.", + "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", + "network:connection:establishesConnection": "The entity initiates a network connection.", + "network:connection:reconnects": "The entity re-establishes a dropped connection.", + "network:connection:reusesConnection": "The entity uses a pooled connection.", + "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.", + "network:connection:terminatesConnection": "The entity closes a network connection.", + "network:discovery": "Behaviours that locate and advertise network services and resources.", + "network:discovery:advertisesService": "The entity announces its availability.", + "network:discovery:discoversService": "The entity locates an available service.", + "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.", + "network:discovery:probesPort": "The entity checks if a port is open.", + "network:discovery:queriesDns": "The entity requests DNS resolution.", + "network:discovery:resolvesName": "The entity translates a name to an address.", + "network:discovery:scansNetwork": "The entity probes for active hosts or services.", + "network:protocol": "Behaviours that negotiate and implement communication protocols.", + "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.", + "network:protocol:framesMessage": "The entity structures data for transmission.", + "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.", + 
"network:protocol:parsesMessage": "The entity interprets received network data.", + "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.", + "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.", + "network:protocol:validatesMessage": "The entity verifies message format and integrity.", + "network:remoteInteraction": "Behaviours that execute operations on remote systems.", + "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.", + "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.", + "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.", + "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.", + "network:remoteInteraction:sendsEmail": "The entity transmits an email message.", + "network:remoteInteraction:sendsSms": "The entity transmits a text message.", + "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.", + "network:routing": "Behaviours that direct network traffic to its destination.", + "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.", + "network:routing:forwardsPacket": "The entity passes a packet toward its destination.", + "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.", + "network:routing:routesTraffic": "The entity directs network traffic to destinations.", + "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.", + "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.", + "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.", + "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.", + 
"network:trafficControl:inspectsTraffic": "The entity examines traffic contents.", + "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.", + "network:trafficControl:limitsRate": "The entity restricts traffic volume.", + "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.", + "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.", + "network:transmission": "Behaviours that send and receive data over network connections.", + "network:transmission:broadcastsData": "The entity sends data to multiple recipients.", + "network:transmission:multicastsData": "The entity sends data to a group of recipients.", + "network:transmission:receivesData": "The entity accepts data from the network.", + "network:transmission:sendsData": "The entity transmits data over the network.", + "network:transmission:streamsData": "The entity continuously transmits or receives data.", + "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.", + "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.", + "privacy:collection:capturesAudio": "The entity records sound via microphone.", + "privacy:collection:capturesKeystrokes": "The entity records keyboard input.", + "privacy:collection:capturesScreen": "The entity records display contents.", + "privacy:collection:capturesVideo": "The entity records images via camera.", + "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.", + "privacy:collection:collectsBiometricData": "The entity captures biometric information.", + "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.", + "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.", + "privacy:collection:collectsFinancialData": "The entity gathers payment or financial 
information.", + "privacy:collection:collectsHealthData": "The entity gathers protected health information.", + "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.", + "privacy:collection:collectsLocationData": "The entity gathers geographical position information.", + "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.", + "privacy:collection:collectsSilently": "The entity gathers data without user awareness.", + "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.", + "privacy:collection:readsClipboard": "The entity accesses clipboard contents.", + "privacy:deletion": "Behaviours that remove or destroy personal data.", + "privacy:deletion:clearsCache": "The entity removes data from temporary storage.", + "privacy:deletion:deletesPersonalData": "The entity removes personal data.", + "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", + "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.", + "privacy:deletion:redactsData": "The entity removes specific content from records.", + "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", + "privacy:inference:correlatesData": "The entity combines data from multiple sources.", + "privacy:inference:createsProfile": "The entity builds a profile from collected data.", + "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", + "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", + "privacy:inference:linksIdentities": "The entity associates data across contexts.", + "privacy:inference:tracksUser": "The entity follows user activity across sessions.", + "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", + "privacy:minimization:aggregatesData": "The entity 
combines records into summaries.", + "privacy:minimization:anonymizesData": "The entity removes identifying information.", + "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", + "privacy:minimization:generalizesData": "The entity reduces data precision.", + "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", + "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", + "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", + "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", + "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", + "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", + "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", + "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.", + "privacy:retention": "Behaviours that store personal data over time.", + "privacy:retention:archivesData": "The entity moves data to long-term storage.", + "privacy:retention:backsUpData": "The entity creates copies for recovery.", + "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", + "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", + "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", + "privacy:retention:retainsInLog": "The entity keeps data in log files.", + "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", + "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", + "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", + "privacy:sharing:exportsData": "The entity outputs 
data in portable format.", + "privacy:sharing:publishesData": "The entity makes data publicly available.", + "privacy:sharing:sellsData": "The entity provides data in exchange for value.", + "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", + "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", + "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", + "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", + "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", + "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", + "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.", + "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", + "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", + "privacy:transparency": "Behaviours that inform individuals about data processing activities.", + "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.", + "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.", + "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.", + "privacy:transparency:recordsConsent": "The entity stores consent decisions.", + "privacy:transparency:requestsConsent": "The entity asks for processing permission.", + "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.", + "safety": "Behaviours relating to the prevention of harm to users and the environment.", + "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.", + "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.", + 
"safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.", + "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.", + "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.", + "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.", + "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.", + "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.", + "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.", + "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.", + "safety:contentSafety:filtersContent": "The entity blocks or restricts content.", + "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.", + "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.", + "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", + "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", + "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", + "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", + "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", + "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", + "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", + "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", + "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", + "safety:humanInteraction": "Behaviours that 
manage communication and interaction with human operators.", + "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", + "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", + "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", + "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", + "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", + "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", + "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", + "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.", + "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", + "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", + "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", + "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", + "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", + "security:auditing:logsEvent": "The entity records an occurrence.", + "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", + "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", + "security:auditing:purgesLog": "The entity deletes old log records.", + "security:auditing:rotatesLog": "The entity archives and starts new log files.", + "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", + "security:auditing:timestampsEvent": "The entity records when an event occurred.", + 
"security:auditing:transmitsLog": "The entity sends log data to a remote destination.", + "security:authentication": "Behaviours that verify the identity of users and entities.", + "security:authentication:authenticatesDevice": "The entity confirms device identity.", + "security:authentication:authenticatesService": "The entity confirms service identity.", + "security:authentication:authenticatesUser": "The entity confirms user identity.", + "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", + "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", + "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", + "security:authentication:failsAuthentication": "The entity rejects invalid credentials.", + "security:authentication:locksAccount": "The entity prevents further authentication attempts.", + "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", + "security:authentication:promptsForCredentials": "The entity requests authentication information.", + "security:authentication:unlocksAccount": "The entity restores authentication capability.", + "security:authentication:validatesBiometric": "The entity verifies biometric data.", + "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", + "security:authorization": "Behaviours that determine and enforce access permissions.", + "security:authorization:checksPermission": "The entity verifies access rights.", + "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", + "security:authorization:deniesAccess": "The entity refuses a requested action.", + "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", + "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", + 
"security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", + "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.", + "security:authorization:grantsAccess": "The entity permits a requested action.", + "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", + "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", + "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", + "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", + "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", + "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", + "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.", + "security:cryptography:checksRevocation": "The entity queries certificate revocation status.", + "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", + "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.", + "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.", + "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.", + "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.", + "security:cryptography:destroysKey": "The entity securely erases a key.", + "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", + "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable 
form.", + "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.", + "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.", + "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.", + "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.", + "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.", + "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.", + "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.", + "security:cryptography:exchangesKey": "The entity shares a key with another party.", + "security:cryptography:generatesKey": "The entity creates a cryptographic key.", + "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.", + "security:cryptography:hashesData": "The entity generates a cryptographic hash.", + "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.", + "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.", + "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", + "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.", + "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.", + "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.", + "security:cryptography:retrievesKey": "The entity obtains a stored key.", + "security:cryptography:revokesCertificate": "The entity 
invalidates a certificate.",
+ "security:cryptography:rotatesKey": "The entity replaces a key with a new one.",
+ "security:cryptography:signsCode": "The entity applies a digital signature to executable code.",
+ "security:cryptography:signsData": "The entity creates a digital signature.",
+ "security:cryptography:signsDocument": "The entity applies a digital signature to a document.",
+ "security:cryptography:storesKey": "The entity saves a key securely.",
+ "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.",
+ "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.",
+ "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.",
+ "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.",
+ "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.",
+ "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.",
+ "security:cryptography:verifiesHash": "The entity validates data against a hash.",
+ "security:cryptography:verifiesSignature": "The entity validates a digital signature.",
+ "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.",
+ "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.",
+ "security:errorHandling:catchesException": "The entity intercepts an error condition.",
+ "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.",
+ "security:errorHandling:failsClosed": "The entity denies access when controls fail.",
+ "security:errorHandling:failsOpen": "The entity permits access when controls fail.",
+ "security:errorHandling:generatesError": "The entity produces an error condition.",
+ "security:errorHandling:logsError": "The entity records an error condition.",
+ "security:errorHandling:propagatesError": "The entity passes an error to caller.",
+ "security:errorHandling:returnsGenericError": "The entity provides minimal error information.",
+ "security:errorHandling:suppressesError": "The entity hides an error condition.",
+ "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.",
+ "security:inputHandling:escapesInput": "The entity encodes special characters in input.",
+ "security:inputHandling:normalizesInput": "The entity converts input to standard form.",
+ "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.",
+ "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.",
+ "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.",
+ "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.",
+ "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.",
+ "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.",
+ "security:integrity": "Behaviours that verify and protect the integrity of data and code.",
+ "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.",
+ "security:integrity:detectsTampering": "The entity identifies modification attempts.",
+ "security:integrity:respondsToTampering": "The entity reacts to detected tampering.",
+ "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.",
+ "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.",
+ "security:integrity:verifiesProvenance": "The entity confirms origin and history.",
+ "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.",
+ "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.",
+ "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.",
+ "security:outputHandling:escapesOutput": "The entity encodes special characters in output.",
+ "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.",
+ "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.",
+ "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.",
+ "security:session": "Behaviours that manage authenticated user sessions.",
+ "security:session:createsSession": "The entity establishes an authenticated session.",
+ "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.",
+ "security:session:invalidatesSession": "The entity revokes session validity.",
+ "security:session:refreshesSession": "The entity extends session lifetime.",
+ "security:session:regeneratesSessionId": "The entity creates a new session identifier.",
+ "security:session:terminatesSession": "The entity ends an authenticated session.",
+ "security:session:validatesSession": "The entity verifies session validity.",
+ "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.",
+ "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.",
+ "security:threatResponse:blocksSource": "The entity prevents further requests from a source.",
+ "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.",
+ "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.",
+ "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.",
+ "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.",
+ "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.",
+ "security:threatResponse:raisesAlert": "The entity notifies of a security event.",
+ "system": "Behaviours relating to operating system interactions and the management of computational resources.",
+ "system:configuration": "Behaviours that read and modify system configuration settings.",
+ "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.",
+ "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.",
+ "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.",
+ "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.",
+ "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.",
+ "system:configuration:readsRegistry": "The entity retrieves values from the system registry.",
+ "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.",
+ "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.",
+ "system:configuration:writesRegistry": "The entity stores values in the system registry.",
+ "system:informationGathering": "Behaviours that collect information about the host system and its configuration.",
+ "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.",
+ "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.",
+ "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.",
+ "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.",
+ "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.",
+ "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.",
+ "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.",
+ "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.",
+ "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.",
+ "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.",
+ "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.",
+ "system:lifecycle:decommissions": "The entity securely retires from service.",
+ "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.",
+ "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.",
+ "system:lifecycle:provisions": "The entity configures itself for deployment.",
+ "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.",
+ "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.",
+ "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.",
+ "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.",
+ "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.",
+ "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.",
+ "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.",
+ "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.",
+ "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.",
+ "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.",
+ "system:persistence:installsAsService": "The entity registers itself as a system service.",
+ "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.",
+ "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.",
+ "system:persistence:removesPersistence": "The entity removes its persistence mechanism.",
+ "system:processControl": "Behaviours that create and manipulate operating system processes.",
+ "system:processControl:createsProcess": "The entity starts a new process.",
+ "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.",
+ "system:processControl:enumeratesProcesses": "The entity lists running processes.",
+ "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.",
+ "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.",
+ "system:processControl:modifiesProcess": "The entity changes attributes of a running process.",
+ "system:processControl:resumesProcess": "The entity continues paused process execution.",
+ "system:processControl:suspendsProcess": "The entity pauses process execution.",
+ "system:processControl:terminatesProcess": "The entity ends a running process.",
+ "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.",
+ "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.",
+ "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.",
+ "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.",
+ "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.",
+ "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.",
+ "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.",
+ "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.",
+ "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.",
+ "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.",
+ "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.",
+ "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.",
+ "system:resourceManagement:resumesThread": "The entity continues paused thread execution.",
+ "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.",
+ "system:resourceManagement:suspendsThread": "The entity pauses thread execution.",
+ "system:resourceManagement:terminatesThread": "The entity ends an execution thread.",
+ "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.",
+ "system:serviceControl": "Behaviours that manage system services and daemons.",
+ "system:serviceControl:createsService": "The entity installs a system service or daemon.",
+ "system:serviceControl:deletesService": "The entity removes a system service.",
+ "system:serviceControl:enumeratesServices": "The entity lists installed services.",
+ "system:serviceControl:modifiesService": "The entity changes service configuration.",
+ "system:serviceControl:startsService": "The entity initiates service execution.",
+ "system:serviceControl:stopsService": "The entity halts service execution.",
+ "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.",
+ "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.",
+ "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.",
+ "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.",
+ "system:synchronization:signalsSemaphore": "The entity releases a semaphore.",
+ "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.",
+ "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.",
+ "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.",
+ "system:timing:delaysExecution": "The entity postpones an operation.",
+ "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.",
+ "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.",
+ "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.",
+ "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.",
+ "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.",
+ "system:timing:waits": "The entity pauses execution for a specified duration.",
+ "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.",
+ "system:userManagement:createsUserAccount": "The entity adds a new user account.",
+ "system:userManagement:deletesUserAccount": "The entity removes a user account.",
+ "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.",
+ "system:userManagement:enumeratesUsers": "The entity lists user accounts.",
+ "system:userManagement:impersonatesUser": "The entity assumes another user's identity.",
+ "system:userManagement:modifiesUserAccount": "The entity changes user account properties."
+ }
+}
diff --git a/tools/src/main/js/bundler/bundle-schemas.js b/tools/src/main/js/bundler/bundle-schemas.js
index 784a3c0e3..c074c78f3 100644
--- a/tools/src/main/js/bundler/bundle-schemas.js
+++ b/tools/src/main/js/bundler/bundle-schemas.js
@@ -7,6 +7,7 @@ const path = require('path');
 // This constant is used as the default value for ref exceptions; can be overridden via options.refExceptions.
 const DEFAULT_REF_EXCEPTION_FILES = [
 'spdx.schema.json',
+ 'behavior-taxonomy.schema.json',
 'cryptography-defs.schema.json',
 'jsf-0.82.schema.json'
 ];
From 55b67ea64c62df4b5e2cd819a240873829bfbbda Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 27 Mar 2026 00:44:52 +0000 Subject: [PATCH 19/44] chore: update bundled schemas [skip ci] --- .../2.0/cyclonedx-2.0-bundled.min.schema.json | 2 +- schema/2.0/cyclonedx-2.0-bundled.schema.json | 1946 ++++------------- 2 files changed, 373 insertions(+), 1575 deletions(-)
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index e675ddb9f..6c0d4257a 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
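Review bot: The new `'behavior-taxonomy.schema.json'` entry in DEFAULT_REF_EXCEPTION_FILES carries no note on why this file is kept out of the bundle, and the only guidance in the hunk is the generic comment above the array. If, as the constant's name suggests, an exception leaves `$ref`s to that file external rather than inlined, the bundled schema is no longer self-contained for behavior taxonomy values and validators have to resolve that file by its `$id` at validation time, which is a consumer-visible consequence worth recording at the point of decision. A trailing comment such as `'behavior-taxonomy.schema.json', // kept as an external $ref: <reason>` would make that explicit, and a sentence in the comment above the array naming the criterion for adding a file here would keep future entries consistent. The array is complete within the hunk; the rest of the file is outside it.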
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","properties":{"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"}},"$defs":{"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component 
termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. 
Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent 
process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. 
Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]},"behavior":{"type":"string","title":"Behavior","description":"Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.","enum":["ai","ai:agent","ai:agent:actsOnBehalfOfUser","ai:agent:coordinatesAgents","ai:agent:delegatesTask","ai:agent:executesAction","ai:agent:invokesTool","ai:agent:observesResult","ai:agent:plansAction","ai:agent:receivesHumanDelegation","ai:agent:reflectsOnResult","ai:agent:reportsDelegatedAction","ai:agent:requestsUserApproval","ai:agent:returnsDelegation","ai:agent:revisesPlan","ai:explainability","ai:explainability:attributesFeatures","ai:explainability:documentsModel","ai:explainability:explainsDecision","ai:explainability:tracesPrediction","ai:explainability:visualizesModel","ai:fairness","ai:fairness:auditsModelFairness","ai:fairness:calculatesFairnessMetric","ai:fairness:detectsBias","ai:fairness:handlesProtectedAttribute","ai:fairness:mitigatesBias","ai:generative","ai:generative:citesSource","ai:generative:filtersOutput","ai:generative:generatesAudio","ai:generative:generatesCode","ai:generative:generatesEmbedding","ai:generative:generatesImage","ai:generative:generatesText","ai:generative:mitigatesHallucination","ai:generative:processesPrompt","ai:generative:streamsResponse","ai:inference","ai:inference:appliesThreshold","ai:inference:batchesInference","ai:inference:cachesPrediction","ai:
inference:ensemblesModels","ai:inference:generatesPrediction","ai:inference:infersInRealTime","ai:inference:ranksResults","ai:inference:scoresConfidence","ai:management","ai:management:comparesModels","ai:management:deploysModel","ai:management:loadsModel","ai:management:monitorsModel","ai:management:retiresModel","ai:management:rollsBackModel","ai:management:unloadsModel","ai:management:versionsModel","ai:quality","ai:quality:detectsConceptDrift","ai:quality:detectsDataDrift","ai:quality:detectsOutlier","ai:quality:engineersFeatures","ai:quality:selectsFeatures","ai:quality:validatesInputData","ai:robustness","ai:robustness:defendsAgainstAdversarial","ai:robustness:detectsAdversarialInput","ai:robustness:detectsOutOfDistribution","ai:robustness:estimatesUncertainty","ai:robustness:validatesRobustness","ai:training","ai:training:appliesTransferLearning","ai:training:checkpointsModel","ai:training:fineTunesModel","ai:training:ingestsTrainingData","ai:training:preprocessesTrainingData","ai:training:trainsFederatedly","ai:training:trainsModel","ai:training:tunesHyperparameters","ai:training:validatesModel","ai:training:validatesTrainingData","application","application:codeExecution","application:codeExecution:compilesCode","application:codeExecution:evaluatesExpression","application:codeExecution:executesNativeCommand","application:codeExecution:executesScript","application:codeExecution:interpretsCode","application:codeExecution:invokesViaReflection","application:codeExecution:loadsCodeDynamically","application:configuration","application:configuration:detectsEnvironment","application:configuration:evaluatesFeatureFlag","application:configuration:loadsConfiguration","application:configuration:reloadsConfiguration","application:controlFlow","application:controlFlow:awaitsAsyncResult","application:controlFlow:catchesException","application:controlFlow:emitsEvent","application:controlFlow:handlesEvent","application:controlFlow:invokesCallback","application:controlFlow:in
vokesHandler","application:controlFlow:invokesMiddleware","application:controlFlow:schedulesAsyncOperation","application:controlFlow:throwsException","application:dependencyManagement","application:dependencyManagement:closesCircuitBreaker","application:dependencyManagement:fallsBack","application:dependencyManagement:injectsDependency","application:dependencyManagement:opensCircuitBreaker","application:dependencyManagement:resolvesDependency","application:externalIntegration","application:externalIntegration:callsExternalService","application:externalIntegration:consumesEvent","application:externalIntegration:publishesEvent","application:externalIntegration:receivesWebhook","application:observability","application:observability:emitsTelemetry","application:observability:logsOperation","application:observability:recordsMetric","application:observability:reportsHealth","application:observability:tracesRequest","application:requestHandling","application:requestHandling:authenticatesRequest","application:requestHandling:authorizesRequest","application:requestHandling:bindsParameters","application:requestHandling:parsesRequest","application:requestHandling:receivesHttpRequest","application:requestHandling:rejectsRequest","application:requestHandling:routesRequest","application:requestHandling:validatesRequest","application:responseGeneration","application:responseGeneration:generatesResponse","application:responseGeneration:readsCookie","application:responseGeneration:redirectsRequest","application:responseGeneration:returnsError","application:responseGeneration:returnsSuccess","application:responseGeneration:sendsHttpResponse","application:responseGeneration:setsCookie","application:responseGeneration:setsHeader","application:stateManagement","application:stateManagement:acquiresLock","application:stateManagement:beginsTransaction","application:stateManagement:commitsTransaction","application:stateManagement:createsSessionState","application:stateManagement:destroysSes
sionState","application:stateManagement:readsSessionState","application:stateManagement:releasesLock","application:stateManagement:rollsBackTransaction","application:stateManagement:synchronizesState","application:stateManagement:updatesSessionState","data","data:encoding","data:encoding:appliesXor","data:encoding:decodesBaseSixtyFour","data:encoding:decodesUrl","data:encoding:encodesBaseSixtyFour","data:encoding:encodesUrl","data:ingestion","data:ingestion:pollsSource","data:ingestion:readsFile","data:ingestion:readsStream","data:ingestion:receivesInput","data:ingestion:receivesMessage","data:ingestion:receivesRequest","data:ingestion:subscribesToFeed","data:output","data:output:formatsResponse","data:output:producesOutput","data:output:publishesMessage","data:output:rendersTemplate","data:output:sendsResponse","data:output:serializesObject","data:output:streamsOutput","data:output:writesFile","data:parsing","data:parsing:decodesData","data:parsing:deserializesObject","data:parsing:extractsFields","data:parsing:parsesData","data:parsing:parsesHtml","data:parsing:parsesJson","data:parsing:parsesXml","data:query","data:query:executesLdapQuery","data:query:executesNoSqlQuery","data:query:executesSearch","data:query:executesSql","data:query:executesXPath","data:query:queriesData","data:storage","data:storage:cachesData","data:storage:deletesData","data:storage:flushesCache","data:storage:invalidatesCache","data:storage:retrievesData","data:storage:storesData","data:storage:updatesData","data:transformation","data:transformation:aggregatesData","data:transformation:compressesData","data:transformation:decompressesData","data:transformation:encodesData","data:transformation:enrichesData","data:transformation:filtersData","data:transformation:joinsData","data:transformation:mapsData","data:transformation:normalizesData","data:transformation:sortsData","data:transformation:transformsData","evasion","evasion:analysisResistance","evasion:analysisResistance:detectsAnalysisToo
l","evasion:analysisResistance:detectsDebugger","evasion:analysisResistance:detectsEmulator","evasion:analysisResistance:detectsSandbox","evasion:analysisResistance:detectsVirtualMachine","evasion:analysisResistance:evadesDebugger","evasion:analysisResistance:evadesEmulator","evasion:analysisResistance:evadesSandbox","evasion:analysisResistance:evadesVirtualMachine","evasion:analysisResistance:usesTimingEvasion","evasion:antiSecurity","evasion:antiSecurity:detectsAntivirus","evasion:antiSecurity:disablesSecuritySoftware","evasion:antiSecurity:evadesAntivirus","evasion:antiSecurity:terminatesSecurityProcess","evasion:indirection","evasion:indirection:resolvesApiDynamically","evasion:indirection:usesIndirectCalls","evasion:indirection:usesProxyExecution","evasion:obfuscation","evasion:obfuscation:obfuscatesCode","evasion:obfuscation:obfuscatesControlFlow","evasion:obfuscation:obfuscatesData","evasion:obfuscation:obfuscatesStrings","evasion:obfuscation:packsCode","evasion:obfuscation:unpacksAtRuntime","file","file:directory","file:directory:changesDirectory","file:directory:createsDirectory","file:directory:deletesDirectory","file:directory:listsDirectory","file:directory:traversesDirectory","file:disk","file:disk:decryptsVolume","file:disk:encryptsVolume","file:disk:formatsVolume","file:disk:mountsVolume","file:disk:unmountsVolume","file:disk:wipesDisk","file:operations","file:operations:appendsToFile","file:operations:checksFileExistence","file:operations:closesFile","file:operations:copiesFile","file:operations:createsFile","file:operations:deletesFile","file:operations:getsFileAttributes","file:operations:movesFile","file:operations:opensFile","file:operations:readsFile","file:operations:renamesFile","file:operations:setsFileAttributes","file:operations:setsFilePermissions","file:operations:writesFile","gui","gui:display","gui:display:displaysData","gui:display:monitorsDisplay","gui:display:updatesDisplay","gui:session","gui:session:displaysLogin","gui:session:inte
ractsWithSession","gui:session:switchesSession","gui:window","gui:window:capturesWindow","gui:window:createsWindow","gui:window:destroysWindow","gui:window:enumeratesWindows","gui:window:interactsWithTaskbar","gui:window:modifiesWindow","hardware","hardware:actuator","hardware:actuator:calibratesActuator","hardware:actuator:controlsBattery","hardware:actuator:controlsHeating","hardware:actuator:controlsLed","hardware:actuator:controlsMotor","hardware:actuator:controlsPower","hardware:actuator:controlsPump","hardware:actuator:controlsTemperature","hardware:boot","hardware:boot:entersRecoveryMode","hardware:boot:executesSecureBoot","hardware:boot:locksBootConfiguration","hardware:boot:modifiesBootConfiguration","hardware:boot:readsBootConfiguration","hardware:boot:recordsBootMeasurement","hardware:boot:verifiesBootLoader","hardware:firmware","hardware:firmware:monitorsFirmwareIntegrity","hardware:firmware:preventsFirmwareRollback","hardware:firmware:readsFirmwareVersion","hardware:firmware:updatesFirmware","hardware:firmware:verifiesFirmwareSignature","hardware:memory","hardware:memory:encryptsMemory","hardware:memory:isolatesMemory","hardware:memory:protectsStack","hardware:memory:randomizesAddressSpace","hardware:memory:readsProtectedMemory","hardware:memory:writesProtectedMemory","hardware:peripheral","hardware:peripheral:accessesCamera","hardware:peripheral:accessesDisplay","hardware:peripheral:accessesGpio","hardware:peripheral:accessesJtag","hardware:peripheral:accessesKeyboard","hardware:peripheral:accessesStorageDevice","hardware:peripheral:accessesUsbDevice","hardware:peripheral:configuresDma","hardware:peripheral:protectsDma","hardware:physicalSecurity","hardware:physicalSecurity:detectsPhysicalTamper","hardware:physicalSecurity:disablesDebugInterface","hardware:physicalSecurity:enablesDebugInterface","hardware:physicalSecurity:monitorsEnclosure","hardware:physicalSecurity:respondsToTamper","hardware:physicalSecurity:zeroizesKeys","hardware:security","hardwa
re:security:anchorsInHardwareRoot","hardware:security:executesInTee","hardware:security:generatesPufResponse","hardware:security:usesHsm","hardware:security:usesSecureElement","hardware:sensor","hardware:sensor:calibratesSensor","hardware:sensor:readsBatteryStatus","hardware:sensor:readsBloodOxygen","hardware:sensor:readsBloodPressure","hardware:sensor:readsCoTwoLevel","hardware:sensor:readsEcg","hardware:sensor:readsPowerStatus","hardware:sensor:readsTemperature","hardware:sideChannelDefense","hardware:sideChannelDefense:controlsEmEmissions","hardware:sideChannelDefense:resistsFaultInjection","hardware:sideChannelDefense:resistsPowerAnalysis","hardware:sideChannelDefense:resistsTimingAnalysis","network","network:connection","network:connection:acceptsConnection","network:connection:detectsConnectionLoss","network:connection:establishesConnection","network:connection:reconnects","network:connection:reusesConnection","network:connection:sendsHeartbeat","network:connection:terminatesConnection","network:discovery","network:discovery:advertisesService","network:discovery:discoversService","network:discovery:enumeratesInterfaces","network:discovery:probesPort","network:discovery:queriesDns","network:discovery:resolvesName","network:discovery:scansNetwork","network:protocol","network:protocol:downgradesProtocol","network:protocol:framesMessage","network:protocol:negotiatesProtocol","network:protocol:parsesMessage","network:protocol:retransmitsMessage","network:protocol:upgradesProtocol","network:protocol:validatesMessage","network:remoteInteraction","network:remoteInteraction:accessesRemoteDesktop","network:remoteInteraction:accessesRemoteShell","network:remoteInteraction:executesRemoteCommand","network:remoteInteraction:invokesRemoteProcedure","network:remoteInteraction:sendsEmail","network:remoteInteraction:sendsSms","network:remoteInteraction:transfersFile","network:routing","network:routing:configuresProxy","network:routing:forwardsPacket","network:routing:redirectsT
raffic","network:routing:routesTraffic","network:routing:tunnelsTraffic","network:trafficControl","network:trafficControl:balancesLoad","network:trafficControl:filtersTraffic","network:trafficControl:inspectsTraffic","network:trafficControl:interceptsTraffic","network:trafficControl:limitsRate","network:trafficControl:modifiesTraffic","network:trafficControl:shapesTraffic","network:transmission","network:transmission:broadcastsData","network:transmission:multicastsData","network:transmission:receivesData","network:transmission:sendsData","network:transmission:streamsData","privacy","privacy:collection","privacy:collection:capturesAudio","privacy:collection:capturesKeystrokes","privacy:collection:capturesScreen","privacy:collection:capturesVideo","privacy:collection:collectsBehavioralData","privacy:collection:collectsBiometricData","privacy:collection:collectsCommunicationContent","privacy:collection:collectsDeviceInformation","privacy:collection:collectsFinancialData","privacy:collection:collectsHealthData","privacy:collection:collectsInBackground","privacy:collection:collectsLocationData","privacy:collection:collectsPersonalData","privacy:collection:collectsSilently","privacy:collection:readsBrowserHistory","privacy:collection:readsClipboard","privacy:deletion","privacy:deletion:clearsCache","privacy:deletion:deletesPersonalData","privacy:deletion:erasesSecurely","privacy:deletion:purgesFromBackup","privacy:deletion:redactsData","privacy:inference","privacy:inference:correlatesData","privacy:inference:createsProfile","privacy:inference:fingerprintsDevice","privacy:inference:infersPersonalInformation","privacy:inference:linksIdentities","privacy:inference:tracksUser","privacy:minimization","privacy:minimization:aggregatesData","privacy:minimization:anonymizesData","privacy:minimization:filtersData","privacy:minimization:generalizesData","privacy:minimization:limitsCollection","privacy:minimization:limitsProcessing","privacy:minimization:pseudonymizesData","privacy:p
rivacyEnhancement","privacy:privacyEnhancement:addsDifferentialPrivacy","privacy:privacyEnhancement:computesMultiparty","privacy:privacyEnhancement:processesHomomorphically","privacy:privacyEnhancement:processesLocally","privacy:retention","privacy:retention:archivesData","privacy:retention:backsUpData","privacy:retention:enforcesRetentionPeriod","privacy:retention:retainsBeyondPurpose","privacy:retention:retainsInCache","privacy:retention:retainsInLog","privacy:retention:storesPersonalData","privacy:sharing","privacy:sharing:disclosesToThirdParty","privacy:sharing:exportsData","privacy:sharing:publishesData","privacy:sharing:sellsData","privacy:sharing:sharesWithAffiliate","privacy:sharing:transfersCrossBorder","privacy:subjectRights","privacy:subjectRights:correctsData","privacy:subjectRights:exportsDataPortably","privacy:subjectRights:honorsErasureRequest","privacy:subjectRights:honorsObjection","privacy:subjectRights:providesDataAccess","privacy:subjectRights:restrictsProcessing","privacy:transparency","privacy:transparency:disclosesProcessing","privacy:transparency:displaysPrivacyNotice","privacy:transparency:explainsAutomatedDecision","privacy:transparency:recordsConsent","privacy:transparency:requestsConsent","privacy:transparency:withdrawsConsent","safety","safety:autonomousBehavior","safety:autonomousBehavior:acceptsOverride","safety:autonomousBehavior:enforcesHumanInLoop","safety:autonomousBehavior:explainsDecision","safety:autonomousBehavior:requestsGuidance","safety:autonomousBehavior:respectsDecisionBoundary","safety:contentSafety","safety:contentSafety:detectsHarmfulContent","safety:contentSafety:detectsMisinformation","safety:contentSafety:enforcesAgeRestriction","safety:contentSafety:filtersContent","safety:contentSafety:labelsContent","safety:harmPrevention","safety:harmPrevention:preventsEnvironmentalHarm","safety:harmPrevention:preventsPropertyDamage","safety:harmPrevention:preventsUserHarm","safety:harmPrevention:protectsBystanders","safety:hazar
dManagement","safety:hazardManagement:assessesRisk","safety:hazardManagement:identifiesHazard","safety:hazardManagement:mitigatesHazard","safety:hazardManagement:reportsHazard","safety:humanInteraction","safety:humanInteraction:adaptsForAccessibility","safety:humanInteraction:managesCognitiveLoad","safety:humanInteraction:requestsConfirmation","safety:humanInteraction:warnsOperator","safety:operationalSafety","safety:operationalSafety:acceptsManualOverride","safety:operationalSafety:enforcesInterlock","safety:operationalSafety:enforcesOperatingLimits","safety:operationalSafety:executesEmergencyStop","safety:operationalSafety:monitorsWatchdog","safety:operationalSafety:validatesSafetyCondition","security","security:auditing","security:auditing:logsEvent","security:auditing:logsSecurityEvent","security:auditing:protectsAuditLog","security:auditing:purgesLog","security:auditing:rotatesLog","security:auditing:signsLogEntry","security:auditing:timestampsEvent","security:auditing:transmitsLog","security:authentication","security:authentication:authenticatesDevice","security:authentication:authenticatesService","security:authentication:authenticatesUser","security:authentication:bypassesAuthentication","security:authentication:capturesBiometric","security:authentication:delegatesAuthentication","security:authentication:failsAuthentication","security:authentication:locksAccount","security:authentication:performsMultiFactorAuthentication","security:authentication:promptsForCredentials","security:authentication:unlocksAccount","security:authentication:validatesBiometric","security:authentication:validatesCredentials","security:authorization","security:authorization:checksPermission","security:authorization:delegatesAuthority","security:authorization:deniesAccess","security:authorization:enforcesRole","security:authorization:escalatesPrivilege","security:authorization:evaluatesAttributes","security:authorization:evaluatesPolicy","security:authorization:grantsAccess","security:
authorization:grantsImpersonation","security:authorization:impersonatesUser","security:authorization:requestsImpersonation","security:authorization:revokesAccess","security:authorization:revokesImpersonation","security:cryptography","security:cryptography:authenticates","security:cryptography:checksRevocation","security:cryptography:decryptsData","security:cryptography:decryptsDataAtRest","security:cryptography:decryptsDataInTransit","security:cryptography:decryptsDisk","security:cryptography:decryptsSecret","security:cryptography:destroysKey","security:cryptography:encryptsData","security:cryptography:encryptsDataAtRest","security:cryptography:encryptsDataInTransit","security:cryptography:encryptsDisk","security:cryptography:encryptsSecret","security:cryptography:ensuresAccountability","security:cryptography:ensuresConfidentiality","security:cryptography:ensuresIntegrity","security:cryptography:ensuresNonRepudiation","security:cryptography:exchangesKey","security:cryptography:generatesKey","security:cryptography:generatesRandomValue","security:cryptography:hashesData","security:cryptography:hashesPassword","security:cryptography:identifies","security:cryptography:issuesCertificate","security:cryptography:preservesPrivacy","security:cryptography:presentsClientCertificate","security:cryptography:presentsServerCertificate","security:cryptography:retrievesKey","security:cryptography:revokesCertificate","security:cryptography:rotatesKey","security:cryptography:signsCode","security:cryptography:signsData","security:cryptography:signsDocument","security:cryptography:storesKey","security:cryptography:usesIdentity","security:cryptography:validatesCertificate","security:cryptography:validatesToken","security:cryptography:verifiesCodeSignature","security:cryptography:verifiesDataSignature","security:cryptography:verifiesDocumentSignature","security:cryptography:verifiesHash","security:cryptography:verifiesSignature","security:cryptography:wrapsKey","security:errorHandling","s
ecurity:errorHandling:catchesException","security:errorHandling:disclosesErrorDetails","security:errorHandling:failsClosed","security:errorHandling:failsOpen","security:errorHandling:generatesError","security:errorHandling:logsError","security:errorHandling:propagatesError","security:errorHandling:returnsGenericError","security:errorHandling:suppressesError","security:inputHandling","security:inputHandling:escapesInput","security:inputHandling:normalizesInput","security:inputHandling:rejectsInvalidInput","security:inputHandling:sanitizesInput","security:inputHandling:truncatesInput","security:inputHandling:validatesFormat","security:inputHandling:validatesRange","security:inputHandling:validatesSchema","security:integrity","security:integrity:attestsIntegrity","security:integrity:detectsTampering","security:integrity:respondsToTampering","security:integrity:validatesComponent","security:integrity:verifiesIntegrity","security:integrity:verifiesProvenance","security:outputHandling","security:outputHandling:encodesOutput","security:outputHandling:enforcesContentPolicy","security:outputHandling:escapesOutput","security:outputHandling:filtersOutput","security:outputHandling:masksOutput","security:outputHandling:setsSecurityHeader","security:session","security:session:createsSession","security:session:detectsSessionHijacking","security:session:invalidatesSession","security:session:refreshesSession","security:session:regeneratesSessionId","security:session:terminatesSession","security:session:validatesSession","security:threatResponse","security:threatResponse:blocksRequest","security:threatResponse:blocksSource","security:threatResponse:collectsForensicData","security:threatResponse:detectsAnomaly","security:threatResponse:detectsIntrusion","security:threatResponse:initiatesIncidentResponse","security:threatResponse:quarantinesElement","security:threatResponse:raisesAlert","system","system:configuration","system:configuration:deletesRegistryKey","system:configuration:modi
fiesGroupPolicy","system:configuration:readsConfigurationFile","system:configuration:readsEnvironmentVariable","system:configuration:readsGroupPolicy","system:configuration:readsRegistry","system:configuration:setsEnvironmentVariable","system:configuration:writesConfigurationFile","system:configuration:writesRegistry","system:informationGathering","system:informationGathering:detectsOsVersion","system:informationGathering:gathersSystemInformation","system:informationGathering:queriesHardwareInformation","system:informationGathering:retrievesHostname","system:kernelInteraction","system:kernelInteraction:hooksKernelFunction","system:kernelInteraction:installsDriver","system:kernelInteraction:readsKernelMemory","system:kernelInteraction:writesKernelMemory","system:lifecycle","system:lifecycle:appliesUpdate","system:lifecycle:decommissions","system:lifecycle:initializes","system:lifecycle:performsSelfTest","system:lifecycle:provisions","system:lifecycle:rollsBack","system:lifecycle:shutsDown","system:operationalState","system:operationalState:entersFailSafeState","system:operationalState:entersFailSecureState","system:operationalState:operatesInDegradedMode","system:operationalState:operatesNormally","system:operationalState:performsEmergencyShutdown","system:persistence","system:persistence:createsScheduledTask","system:persistence:installsAsService","system:persistence:loadsAsKernelModule","system:persistence:registersForStartup","system:persistence:removesPersistence","system:processControl","system:processControl:createsProcess","system:processControl:dumpsProcessMemory","system:processControl:enumeratesProcesses","system:processControl:hooksFunction","system:processControl:injectsCodeIntoProcess","system:processControl:modifiesProcess","system:processControl:resumesProcess","system:processControl:suspendsProcess","system:processControl:terminatesProcess","system:resilience","system:resilience:activatesRedundancy","system:resilience:degradesGracefully","system:resil
ience:detectsFault","system:resilience:recoversFromFailure","system:resilience:toleratesFault","system:resourceManagement","system:resourceManagement:allocatesMemory","system:resourceManagement:deallocatesMemory","system:resourceManagement:handlesResourceExhaustion","system:resourceManagement:managesPowerState","system:resourceManagement:readsFromStorage","system:resourceManagement:resumesThread","system:resourceManagement:spawnsThread","system:resourceManagement:suspendsThread","system:resourceManagement:terminatesThread","system:resourceManagement:writesToStorage","system:serviceControl","system:serviceControl:createsService","system:serviceControl:deletesService","system:serviceControl:enumeratesServices","system:serviceControl:modifiesService","system:serviceControl:startsService","system:serviceControl:stopsService","system:synchronization","system:synchronization:acquiresMutex","system:synchronization:releasesMutex","system:synchronization:signalsEvent","system:synchronization:signalsSemaphore","system:synchronization:waitsOnEvent","system:synchronization:waitsOnSemaphore","system:timing","system:timing:delaysExecution","system:timing:enforcesDeadline","system:timing:executesScheduledTask","system:timing:resetsWatchdog","system:timing:synchronizesClock","system:timing:triggersTimeout","system:timing:waits","system:userManagement","system:userManagement:createsUserAccount","system:userManagement:deletesUserAccount","system:userManagement:elevatesPrivileges","system:userManagement:enumeratesUsers","system:userManagement:impersonatesUser","system:userManagement:modifiesUserAccount"],"meta:enum":{"ai":"Behaviours relating to artificial intelligence and machine learning operations.","ai:agent":"Behaviours that enable autonomous agents to plan and execute tasks.","ai:agent:actsOnBehalfOfUser":"The entity performs actions within a delegated user context.","ai:agent:coordinatesAgents":"The entity orchestrates multiple agents.","ai:agent:delegatesTask":"The entity 
assigns work to another agent.","ai:agent:executesAction":"The entity performs planned step.","ai:agent:invokesTool":"The entity calls external capability.","ai:agent:observesResult":"The entity captures action outcome.","ai:agent:plansAction":"The entity determines steps to achieve goal.","ai:agent:receivesHumanDelegation":"The entity accepts authority delegated by a human user.","ai:agent:reflectsOnResult":"The entity evaluates action effectiveness.","ai:agent:reportsDelegatedAction":"The entity notifies the delegating user of actions taken.","ai:agent:requestsUserApproval":"The entity seeks explicit user authorisation before acting.","ai:agent:returnsDelegation":"The entity relinquishes delegated authority.","ai:agent:revisesPlan":"The entity modifies approach based on results.","ai:explainability":"Behaviours that provide interpretable explanations for model decisions.","ai:explainability:attributesFeatures":"The entity identifies influential inputs.","ai:explainability:documentsModel":"The entity records model design and behaviour.","ai:explainability:explainsDecision":"The entity provides human-readable rationale.","ai:explainability:tracesPrediction":"The entity records basis for output.","ai:explainability:visualizesModel":"The entity renders model behaviour graphically.","ai:fairness":"Behaviours that detect and mitigate bias in machine learning models.","ai:fairness:auditsModelFairness":"The entity evaluates model for bias.","ai:fairness:calculatesFairnessMetric":"The entity measures outcome equality.","ai:fairness:detectsBias":"The entity identifies unfair model behaviour.","ai:fairness:handlesProtectedAttribute":"The entity manages sensitive attributes.","ai:fairness:mitigatesBias":"The entity reduces unfair treatment.","ai:generative":"Behaviours that produce content using generative models.","ai:generative:citesSource":"The entity attributes generated content.","ai:generative:filtersOutput":"The entity screens generated 
content.","ai:generative:generatesAudio":"The entity produces sound content.","ai:generative:generatesCode":"The entity produces executable code.","ai:generative:generatesEmbedding":"The entity produces vector representation.","ai:generative:generatesImage":"The entity produces visual content.","ai:generative:generatesText":"The entity produces natural language.","ai:generative:mitigatesHallucination":"The entity reduces false content generation.","ai:generative:processesPrompt":"The entity interprets user instruction.","ai:generative:streamsResponse":"The entity delivers output incrementally.","ai:inference":"Behaviours that generate predictions using trained models.","ai:inference:appliesThreshold":"The entity uses decision boundary.","ai:inference:batchesInference":"The entity processes multiple inputs together.","ai:inference:cachesPrediction":"The entity stores prediction for reuse.","ai:inference:ensemblesModels":"The entity combines multiple model outputs.","ai:inference:generatesPrediction":"The entity produces model output.","ai:inference:infersInRealTime":"The entity generates prediction with low latency.","ai:inference:ranksResults":"The entity orders predictions by relevance.","ai:inference:scoresConfidence":"The entity assigns certainty to prediction.","ai:management":"Behaviours that deploy and manage machine learning models throughout their lifecycle.","ai:management:comparesModels":"The entity evaluates relative model performance.","ai:management:deploysModel":"The entity places model into service.","ai:management:loadsModel":"The entity retrieves model for use.","ai:management:monitorsModel":"The entity observes model performance.","ai:management:retiresModel":"The entity removes model from service.","ai:management:rollsBackModel":"The entity reverts to previous version.","ai:management:unloadsModel":"The entity removes model from memory.","ai:management:versionsModel":"The entity tracks model versions.","ai:quality":"Behaviours that monitor and 
maintain model and data quality.","ai:quality:detectsConceptDrift":"The entity identifies input-output relationship change.","ai:quality:detectsDataDrift":"The entity identifies input distribution change.","ai:quality:detectsOutlier":"The entity identifies anomalous input.","ai:quality:engineersFeatures":"The entity transforms raw data for model.","ai:quality:selectsFeatures":"The entity chooses relevant input features.","ai:quality:validatesInputData":"The entity checks inference input quality.","ai:robustness":"Behaviours that defend against adversarial attacks and handle uncertain inputs.","ai:robustness:defendsAgainstAdversarial":"The entity resists adversarial manipulation.","ai:robustness:detectsAdversarialInput":"The entity identifies crafted malicious input.","ai:robustness:detectsOutOfDistribution":"The entity identifies unfamiliar input.","ai:robustness:estimatesUncertainty":"The entity quantifies prediction confidence.","ai:robustness:validatesRobustness":"The entity tests model resilience.","ai:training":"Behaviours that prepare data and train machine learning models.","ai:training:appliesTransferLearning":"The entity adapts pre-trained model.","ai:training:checkpointsModel":"The entity saves model state during training.","ai:training:fineTunesModel":"The entity refines model for specific task.","ai:training:ingestsTrainingData":"The entity acquires data for training.","ai:training:preprocessesTrainingData":"The entity prepares data for training.","ai:training:trainsFederatedly":"The entity trains on distributed data.","ai:training:trainsModel":"The entity adjusts model parameters.","ai:training:tunesHyperparameters":"The entity optimises configuration parameters.","ai:training:validatesModel":"The entity evaluates model during training.","ai:training:validatesTrainingData":"The entity checks training data quality.","application":"Behaviours relating to application-level request processing and business logic.","application:codeExecution":"Behaviours 
that dynamically load and execute code at runtime.","application:codeExecution:compilesCode":"The entity transforms source to executable form.","application:codeExecution:evaluatesExpression":"The entity interprets and executes an expression.","application:codeExecution:executesNativeCommand":"The entity runs an operating system command.","application:codeExecution:executesScript":"The entity runs script code.","application:codeExecution:interpretsCode":"The entity executes code without compilation.","application:codeExecution:invokesViaReflection":"The entity calls method through reflection.","application:codeExecution:loadsCodeDynamically":"The entity loads executable code at runtime.","application:configuration":"Behaviours that load and manage application configuration settings.","application:configuration:detectsEnvironment":"The entity determines deployment context.","application:configuration:evaluatesFeatureFlag":"The entity checks feature toggle state.","application:configuration:loadsConfiguration":"The entity reads configuration settings.","application:configuration:reloadsConfiguration":"The entity refreshes configuration dynamically.","application:controlFlow":"Behaviours that manage the execution sequence and event handling within an application.","application:controlFlow:awaitsAsyncResult":"The entity waits for asynchronous completion.","application:controlFlow:catchesException":"The entity handles an error condition.","application:controlFlow:emitsEvent":"The entity triggers an event.","application:controlFlow:handlesEvent":"The entity responds to an event.","application:controlFlow:invokesCallback":"The entity executes a callback function.","application:controlFlow:invokesHandler":"The entity calls a request handler.","application:controlFlow:invokesMiddleware":"The entity executes middleware component.","application:controlFlow:schedulesAsyncOperation":"The entity queues work for later execution.","application:controlFlow:throwsException":"The 
entity raises an error condition.","application:dependencyManagement":"Behaviours that resolve and manage dependencies on other components.","application:dependencyManagement:closesCircuitBreaker":"The entity resumes calls to recovered dependency.","application:dependencyManagement:fallsBack":"The entity uses alternative when primary fails.","application:dependencyManagement:injectsDependency":"The entity provides component to dependent.","application:dependencyManagement:opensCircuitBreaker":"The entity stops calls to failing dependency.","application:dependencyManagement:resolvesDependency":"The entity locates required component.","application:externalIntegration":"Behaviours that communicate with external services and systems.","application:externalIntegration:callsExternalService":"The entity invokes an external API.","application:externalIntegration:consumesEvent":"The entity receives event from external system.","application:externalIntegration:publishesEvent":"The entity sends event to external system.","application:externalIntegration:receivesWebhook":"The entity accepts callback from external service.","application:observability":"Behaviours that emit telemetry for monitoring and debugging purposes.","application:observability:emitsTelemetry":"The entity transmits operational data.","application:observability:logsOperation":"The entity records an operational event.","application:observability:recordsMetric":"The entity captures a quantitative measurement.","application:observability:reportsHealth":"The entity communicates operational status.","application:observability:tracesRequest":"The entity tracks request across services.","application:requestHandling":"Behaviours that receive and process incoming requests.","application:requestHandling:authenticatesRequest":"The entity verifies requestor identity.","application:requestHandling:authorizesRequest":"The entity verifies requestor permissions.","application:requestHandling:bindsParameters":"The entity 
maps request data to parameters.","application:requestHandling:parsesRequest":"The entity interprets incoming request.","application:requestHandling:receivesHttpRequest":"The entity accepts an HTTP request.","application:requestHandling:rejectsRequest":"The entity refuses to process request.","application:requestHandling:routesRequest":"The entity directs request to appropriate handler.","application:requestHandling:validatesRequest":"The entity verifies request validity.","application:responseGeneration":"Behaviours that construct and transmit responses to requests.","application:responseGeneration:generatesResponse":"The entity creates a response.","application:responseGeneration:readsCookie":"The entity retrieves cookie value.","application:responseGeneration:redirectsRequest":"The entity sends client to different location.","application:responseGeneration:returnsError":"The entity indicates failure.","application:responseGeneration:returnsSuccess":"The entity indicates successful completion.","application:responseGeneration:sendsHttpResponse":"The entity transmits an HTTP response.","application:responseGeneration:setsCookie":"The entity creates or modifies a cookie.","application:responseGeneration:setsHeader":"The entity adds HTTP header to response.","application:stateManagement":"Behaviours that maintain and synchronise application state across requests.","application:stateManagement:acquiresLock":"The entity obtains exclusive access to resource.","application:stateManagement:beginsTransaction":"The entity starts an atomic operation group.","application:stateManagement:commitsTransaction":"The entity finalises transaction changes.","application:stateManagement:createsSessionState":"The entity initialises session data.","application:stateManagement:destroysSessionState":"The entity removes session data.","application:stateManagement:readsSessionState":"The entity retrieves session data.","application:stateManagement:releasesLock":"The entity relinquishes 
exclusive access.","application:stateManagement:rollsBackTransaction":"The entity undoes transaction changes.","application:stateManagement:synchronizesState":"The entity maintains consistency across replicas.","application:stateManagement:updatesSessionState":"The entity modifies session data.","data":"Behaviours relating to the ingestion and transformation of structured and unstructured data.","data:encoding":"Behaviours that apply specific encoding schemes to data.","data:encoding:appliesXor":"The entity transforms data using XOR operation.","data:encoding:decodesBaseSixtyFour":"The entity converts Base64 to original form.","data:encoding:decodesUrl":"The entity converts URL-encoded data.","data:encoding:encodesBaseSixtyFour":"The entity converts data to Base64.","data:encoding:encodesUrl":"The entity converts data for URL inclusion.","data:ingestion":"Behaviours that acquire data from external sources.","data:ingestion:pollsSource":"The entity periodically checks for new data.","data:ingestion:readsFile":"The entity retrieves data from a file.","data:ingestion:readsStream":"The entity consumes data from a continuous source.","data:ingestion:receivesInput":"The entity accepts data from an external source.","data:ingestion:receivesMessage":"The entity accepts a message from a queue.","data:ingestion:receivesRequest":"The entity accepts an incoming request.","data:ingestion:subscribesToFeed":"The entity registers to receive updates.","data:output":"Behaviours that produce and transmit data to external consumers.","data:output:formatsResponse":"The entity structures data for delivery.","data:output:producesOutput":"The entity generates data for consumption.","data:output:publishesMessage":"The entity sends a message to a queue.","data:output:rendersTemplate":"The entity generates output from a template.","data:output:sendsResponse":"The entity transmits a reply.","data:output:serializesObject":"The entity converts object to transmittable 
form.","data:output:streamsOutput":"The entity continuously produces data.","data:output:writesFile":"The entity saves data to a file.","data:parsing":"Behaviours that interpret and extract information from structured data formats.","data:parsing:decodesData":"The entity converts encoded data to original form.","data:parsing:deserializesObject":"The entity reconstructs object from serialised form.","data:parsing:extractsFields":"The entity isolates specific data elements.","data:parsing:parsesData":"The entity interprets structured data.","data:parsing:parsesHtml":"The entity interprets HTML content.","data:parsing:parsesJson":"The entity interprets JSON-formatted data.","data:parsing:parsesXml":"The entity interprets XML-formatted data.","data:query":"Behaviours that retrieve data based on specified criteria.","data:query:executesLdapQuery":"The entity queries an LDAP directory.","data:query:executesNoSqlQuery":"The entity queries a NoSQL database.","data:query:executesSearch":"The entity performs full-text or indexed search.","data:query:executesSql":"The entity runs a SQL statement.","data:query:executesXPath":"The entity evaluates an XPath expression.","data:query:queriesData":"The entity retrieves data matching criteria.","data:storage":"Behaviours that persist and retrieve data from storage systems.","data:storage:cachesData":"The entity stores data for quick retrieval.","data:storage:deletesData":"The entity removes stored data.","data:storage:flushesCache":"The entity writes cached data to persistent storage.","data:storage:invalidatesCache":"The entity marks cached data as stale.","data:storage:retrievesData":"The entity fetches stored data.","data:storage:storesData":"The entity saves data persistently.","data:storage:updatesData":"The entity modifies stored data.","data:transformation":"Behaviours that convert data from one form or structure to another.","data:transformation:aggregatesData":"The entity combines multiple 
values.","data:transformation:compressesData":"The entity reduces data size.","data:transformation:decompressesData":"The entity restores compressed data.","data:transformation:encodesData":"The entity converts data to encoded form.","data:transformation:enrichesData":"The entity adds information from external sources.","data:transformation:filtersData":"The entity removes unwanted elements.","data:transformation:joinsData":"The entity combines data from multiple sources.","data:transformation:mapsData":"The entity converts between data structures.","data:transformation:normalizesData":"The entity converts to standard form.","data:transformation:sortsData":"The entity orders data elements.","data:transformation:transformsData":"The entity converts data from one form to another.","evasion":"Behaviours relating to techniques that avoid detection and analysis.","evasion:analysisResistance":"Behaviours that detect and evade analysis environments.","evasion:analysisResistance:detectsAnalysisTool":"The entity identifies analysis software.","evasion:analysisResistance:detectsDebugger":"The entity identifies debugger presence.","evasion:analysisResistance:detectsEmulator":"The entity identifies emulation environment.","evasion:analysisResistance:detectsSandbox":"The entity identifies sandbox environment.","evasion:analysisResistance:detectsVirtualMachine":"The entity identifies VM environment.","evasion:analysisResistance:evadesDebugger":"The entity modifies behaviour under debugging.","evasion:analysisResistance:evadesEmulator":"The entity modifies behaviour under emulation.","evasion:analysisResistance:evadesSandbox":"The entity modifies behaviour in sandbox.","evasion:analysisResistance:evadesVirtualMachine":"The entity modifies behaviour in VM.","evasion:analysisResistance:usesTimingEvasion":"The entity uses delays to evade analysis.","evasion:antiSecurity":"Behaviours that detect and disable security software.","evasion:antiSecurity:detectsAntivirus":"The entity 
identifies AV software.","evasion:antiSecurity:disablesSecuritySoftware":"The entity deactivates security tools.","evasion:antiSecurity:evadesAntivirus":"The entity avoids AV detection.","evasion:antiSecurity:terminatesSecurityProcess":"The entity kills security software processes.","evasion:indirection":"Behaviours that use indirect methods to execute code.","evasion:indirection:resolvesApiDynamically":"The entity finds API addresses at runtime.","evasion:indirection:usesIndirectCalls":"The entity invokes functions indirectly.","evasion:indirection:usesProxyExecution":"The entity executes through intermediary.","evasion:obfuscation":"Behaviours that obscure code and data to hinder analysis.","evasion:obfuscation:obfuscatesCode":"The entity makes code difficult to analyse.","evasion:obfuscation:obfuscatesControlFlow":"The entity obscures execution paths.","evasion:obfuscation:obfuscatesData":"The entity hides data structures.","evasion:obfuscation:obfuscatesStrings":"The entity hides string contents.","evasion:obfuscation:packsCode":"The entity compresses or encrypts executable.","evasion:obfuscation:unpacksAtRuntime":"The entity decompresses code during execution.","file":"Behaviours relating to file system operations and disk management.","file:directory":"Behaviours that create and navigate directory structures.","file:directory:changesDirectory":"The entity sets current working directory.","file:directory:createsDirectory":"The entity creates a new directory.","file:directory:deletesDirectory":"The entity removes a directory.","file:directory:listsDirectory":"The entity enumerates directory contents.","file:directory:traversesDirectory":"The entity recursively explores directories.","file:disk":"Behaviours that manage storage volumes and disk-level operations.","file:disk:decryptsVolume":"The entity decrypts a storage volume.","file:disk:encryptsVolume":"The entity encrypts a storage volume.","file:disk:formatsVolume":"The entity prepares storage for 
use.","file:disk:mountsVolume":"The entity attaches a storage volume.","file:disk:unmountsVolume":"The entity detaches a storage volume.","file:disk:wipesDisk":"The entity securely erases disk contents.","file:operations":"Behaviours that create and manipulate files.","file:operations:appendsToFile":"The entity adds data to end of file.","file:operations:checksFileExistence":"The entity verifies whether a file exists.","file:operations:closesFile":"The entity releases file access.","file:operations:copiesFile":"The entity duplicates a file.","file:operations:createsFile":"The entity creates a new file.","file:operations:deletesFile":"The entity removes a file.","file:operations:getsFileAttributes":"The entity retrieves file metadata.","file:operations:movesFile":"The entity relocates a file.","file:operations:opensFile":"The entity prepares a file for access.","file:operations:readsFile":"The entity retrieves file contents.","file:operations:renamesFile":"The entity changes a file name.","file:operations:setsFileAttributes":"The entity modifies file metadata.","file:operations:setsFilePermissions":"The entity modifies file access permissions.","file:operations:writesFile":"The entity modifies file contents.","gui":"Behaviours relating to graphical user interface interactions.","gui:display":"Behaviours that render and monitor visual output.","gui:display:displaysData":"The entity renders information visually.","gui:display:monitorsDisplay":"The entity observes displayed content.","gui:display:updatesDisplay":"The entity refreshes visual presentation.","gui:session":"Behaviours that interact with user login sessions.","gui:session:displaysLogin":"The entity presents login interface.","gui:session:interactsWithSession":"The entity operates within user session.","gui:session:switchesSession":"The entity changes active user session.","gui:window":"Behaviours that create and manipulate graphical windows.","gui:window:capturesWindow":"The entity captures window 
contents.","gui:window:createsWindow":"The entity creates a graphical window.","gui:window:destroysWindow":"The entity closes a window.","gui:window:enumeratesWindows":"The entity lists open windows.","gui:window:interactsWithTaskbar":"The entity modifies taskbar elements.","gui:window:modifiesWindow":"The entity changes window properties.","hardware":"Behaviours relating to hardware components and physical device interactions.","hardware:actuator":"Behaviours that control physical actuators and output devices.","hardware:actuator:calibratesActuator":"The entity adjusts actuator accuracy.","hardware:actuator:controlsBattery":"The entity manages battery charging.","hardware:actuator:controlsHeating":"The entity manages heating element.","hardware:actuator:controlsLed":"The entity manages LED indicator.","hardware:actuator:controlsMotor":"The entity manages motor operation.","hardware:actuator:controlsPower":"The entity manages power distribution.","hardware:actuator:controlsPump":"The entity manages fluid pump.","hardware:actuator:controlsTemperature":"The entity regulates temperature.","hardware:boot":"Behaviours that verify and configure system startup processes.","hardware:boot:entersRecoveryMode":"The entity boots via alternative path.","hardware:boot:executesSecureBoot":"The entity verifies code integrity at startup.","hardware:boot:locksBootConfiguration":"The entity prevents boot setting changes.","hardware:boot:modifiesBootConfiguration":"The entity changes boot settings.","hardware:boot:readsBootConfiguration":"The entity retrieves boot settings.","hardware:boot:recordsBootMeasurement":"The entity logs boot component hashes.","hardware:boot:verifiesBootLoader":"The entity validates boot loader authenticity.","hardware:firmware":"Behaviours that manage and verify firmware integrity.","hardware:firmware:monitorsFirmwareIntegrity":"The entity checks for firmware tampering.","hardware:firmware:preventsFirmwareRollback":"The entity blocks reversion to old 
firmware.","hardware:firmware:readsFirmwareVersion":"The entity retrieves firmware version.","hardware:firmware:updatesFirmware":"The entity applies firmware changes.","hardware:firmware:verifiesFirmwareSignature":"The entity validates firmware authenticity.","hardware:memory":"Behaviours that protect and isolate memory regions.","hardware:memory:encryptsMemory":"The entity protects memory contents.","hardware:memory:isolatesMemory":"The entity separates memory regions.","hardware:memory:protectsStack":"The entity defends against stack attacks.","hardware:memory:randomizesAddressSpace":"The entity applies ASLR.","hardware:memory:readsProtectedMemory":"The entity accesses protected memory region.","hardware:memory:writesProtectedMemory":"The entity modifies protected memory region.","hardware:peripheral":"Behaviours that interact with peripheral devices and interfaces.","hardware:peripheral:accessesCamera":"The entity interacts with camera hardware.","hardware:peripheral:accessesDisplay":"The entity interacts with display hardware.","hardware:peripheral:accessesGpio":"The entity reads or writes GPIO pins.","hardware:peripheral:accessesJtag":"The entity uses JTAG debug interface.","hardware:peripheral:accessesKeyboard":"The entity interacts with keyboard hardware.","hardware:peripheral:accessesStorageDevice":"The entity interacts with storage hardware.","hardware:peripheral:accessesUsbDevice":"The entity interacts with USB peripheral.","hardware:peripheral:configuresDma":"The entity sets up direct memory access.","hardware:peripheral:protectsDma":"The entity prevents unauthorised DMA.","hardware:physicalSecurity":"Behaviours that detect and respond to physical tampering.","hardware:physicalSecurity:detectsPhysicalTamper":"The entity identifies physical interference.","hardware:physicalSecurity:disablesDebugInterface":"The entity prevents debug access.","hardware:physicalSecurity:enablesDebugInterface":"The entity permits debug 
access.","hardware:physicalSecurity:monitorsEnclosure":"The entity detects housing penetration.","hardware:physicalSecurity:respondsToTamper":"The entity reacts to physical attack.","hardware:physicalSecurity:zeroizesKeys":"The entity destroys keys on tamper detection.","hardware:security":"Behaviours that utilise hardware security features and trusted execution environments.","hardware:security:anchorsInHardwareRoot":"The entity uses tamper-resistant hardware for trust.","hardware:security:executesInTee":"The entity runs in trusted execution environment.","hardware:security:generatesPufResponse":"The entity uses physical unclonable function.","hardware:security:usesHsm":"The entity employs hardware security module.","hardware:security:usesSecureElement":"The entity employs dedicated security hardware.","hardware:sensor":"Behaviours that read measurements from hardware sensors.","hardware:sensor:calibratesSensor":"The entity adjusts sensor accuracy.","hardware:sensor:readsBatteryStatus":"The entity obtains battery state.","hardware:sensor:readsBloodOxygen":"The entity obtains SpO2 measurement.","hardware:sensor:readsBloodPressure":"The entity obtains blood pressure measurement.","hardware:sensor:readsCoTwoLevel":"The entity obtains CO2 measurement.","hardware:sensor:readsEcg":"The entity obtains electrocardiogram data.","hardware:sensor:readsPowerStatus":"The entity obtains power state.","hardware:sensor:readsTemperature":"The entity obtains temperature measurement.","hardware:sideChannelDefense":"Behaviours that protect against side-channel attacks.","hardware:sideChannelDefense:controlsEmEmissions":"The entity limits electromagnetic leakage.","hardware:sideChannelDefense:resistsFaultInjection":"The entity protects against induced faults.","hardware:sideChannelDefense:resistsPowerAnalysis":"The entity protects against power-based attacks.","hardware:sideChannelDefense:resistsTimingAnalysis":"The entity protects against timing-based attacks.","network":"Behaviours 
relating to network communication and data transmission between systems.","network:connection":"Behaviours that establish and manage network connections.","network:connection:acceptsConnection":"The entity receives an incoming connection.","network:connection:detectsConnectionLoss":"The entity identifies a dropped connection.","network:connection:establishesConnection":"The entity initiates a network connection.","network:connection:reconnects":"The entity re-establishes a dropped connection.","network:connection:reusesConnection":"The entity uses a pooled connection.","network:connection:sendsHeartbeat":"The entity transmits a keep-alive signal.","network:connection:terminatesConnection":"The entity closes a network connection.","network:discovery":"Behaviours that locate and advertise network services and resources.","network:discovery:advertisesService":"The entity announces its availability.","network:discovery:discoversService":"The entity locates an available service.","network:discovery:enumeratesInterfaces":"The entity lists network interfaces.","network:discovery:probesPort":"The entity checks if a port is open.","network:discovery:queriesDns":"The entity requests DNS resolution.","network:discovery:resolvesName":"The entity translates a name to an address.","network:discovery:scansNetwork":"The entity probes for active hosts or services.","network:protocol":"Behaviours that negotiate and implement communication protocols.","network:protocol:downgradesProtocol":"The entity falls back to a less secure protocol version.","network:protocol:framesMessage":"The entity structures data for transmission.","network:protocol:negotiatesProtocol":"The entity agrees on communication protocol with peer.","network:protocol:parsesMessage":"The entity interprets received network data.","network:protocol:retransmitsMessage":"The entity resends data after transmission failure.","network:protocol:upgradesProtocol":"The entity transitions to a more secure protocol 
version.","network:protocol:validatesMessage":"The entity verifies message format and integrity.","network:remoteInteraction":"Behaviours that execute operations on remote systems.","network:remoteInteraction:accessesRemoteDesktop":"The entity controls a remote graphical interface.","network:remoteInteraction:accessesRemoteShell":"The entity interacts with a remote command line.","network:remoteInteraction:executesRemoteCommand":"The entity runs a command on a remote system.","network:remoteInteraction:invokesRemoteProcedure":"The entity calls a function on a remote system.","network:remoteInteraction:sendsEmail":"The entity transmits an email message.","network:remoteInteraction:sendsSms":"The entity transmits a text message.","network:remoteInteraction:transfersFile":"The entity sends or receives a file remotely.","network:routing":"Behaviours that direct network traffic to its destination.","network:routing:configuresProxy":"The entity sets up traffic to route through a proxy.","network:routing:forwardsPacket":"The entity passes a packet toward its destination.","network:routing:redirectsTraffic":"The entity diverts traffic to a different destination.","network:routing:routesTraffic":"The entity directs network traffic to destinations.","network:routing:tunnelsTraffic":"The entity encapsulates traffic within another protocol.","network:trafficControl":"Behaviours that manage and manipulate network traffic flow.","network:trafficControl:balancesLoad":"The entity distributes requests across destinations.","network:trafficControl:filtersTraffic":"The entity blocks or allows traffic based on rules.","network:trafficControl:inspectsTraffic":"The entity examines traffic contents.","network:trafficControl:interceptsTraffic":"The entity captures traffic in transit.","network:trafficControl:limitsRate":"The entity restricts traffic volume.","network:trafficControl:modifiesTraffic":"The entity alters traffic in transit.","network:trafficControl:shapesTraffic":"The entity 
manages traffic timing and priority.","network:transmission":"Behaviours that send and receive data over network connections.","network:transmission:broadcastsData":"The entity sends data to multiple recipients.","network:transmission:multicastsData":"The entity sends data to a group of recipients.","network:transmission:receivesData":"The entity accepts data from the network.","network:transmission:sendsData":"The entity transmits data over the network.","network:transmission:streamsData":"The entity continuously transmits or receives data.","privacy":"Behaviours relating to the collection and processing of personal and sensitive data.","privacy:collection":"Behaviours that gather personal or sensitive information from individuals or systems.","privacy:collection:capturesAudio":"The entity records sound via microphone.","privacy:collection:capturesKeystrokes":"The entity records keyboard input.","privacy:collection:capturesScreen":"The entity records display contents.","privacy:collection:capturesVideo":"The entity records images via camera.","privacy:collection:collectsBehavioralData":"The entity records user actions and patterns.","privacy:collection:collectsBiometricData":"The entity captures biometric information.","privacy:collection:collectsCommunicationContent":"The entity captures message or call contents.","privacy:collection:collectsDeviceInformation":"The entity gathers device identifiers or characteristics.","privacy:collection:collectsFinancialData":"The entity gathers payment or financial information.","privacy:collection:collectsHealthData":"The entity gathers protected health information.","privacy:collection:collectsInBackground":"The entity gathers data without active user engagement.","privacy:collection:collectsLocationData":"The entity gathers geographical position information.","privacy:collection:collectsPersonalData":"The entity gathers personally identifiable information.","privacy:collection:collectsSilently":"The entity gathers data 
without user awareness.","privacy:collection:readsBrowserHistory":"The entity accesses web browsing history.","privacy:collection:readsClipboard":"The entity accesses clipboard contents.","privacy:deletion":"Behaviours that remove or destroy personal data.","privacy:deletion:clearsCache":"The entity removes data from temporary storage.","privacy:deletion:deletesPersonalData":"The entity removes personal data.","privacy:deletion:erasesSecurely":"The entity irreversibly destroys data.","privacy:deletion:purgesFromBackup":"The entity removes data from backup systems.","privacy:deletion:redactsData":"The entity removes specific content from records.","privacy:inference":"Behaviours that derive personal information through analysis and correlation of data.","privacy:inference:correlatesData":"The entity combines data from multiple sources.","privacy:inference:createsProfile":"The entity builds a profile from collected data.","privacy:inference:fingerprintsDevice":"The entity identifies device via characteristics.","privacy:inference:infersPersonalInformation":"The entity derives personal data from other data.","privacy:inference:linksIdentities":"The entity associates data across contexts.","privacy:inference:tracksUser":"The entity follows user activity across sessions.","privacy:minimization":"Behaviours that reduce the amount or sensitivity of personal data processed.","privacy:minimization:aggregatesData":"The entity combines records into summaries.","privacy:minimization:anonymizesData":"The entity removes identifying information.","privacy:minimization:filtersData":"The entity removes unnecessary data elements.","privacy:minimization:generalizesData":"The entity reduces data precision.","privacy:minimization:limitsCollection":"The entity gathers only necessary data.","privacy:minimization:limitsProcessing":"The entity restricts data use to stated purposes.","privacy:minimization:pseudonymizesData":"The entity replaces identifiers with 
pseudonyms.","privacy:privacyEnhancement":"Behaviours that employ technical measures to protect privacy during processing.","privacy:privacyEnhancement:addsDifferentialPrivacy":"The entity injects noise to protect individuals.","privacy:privacyEnhancement:computesMultiparty":"The entity performs joint computation privately.","privacy:privacyEnhancement:processesHomomorphically":"The entity computes on encrypted data.","privacy:privacyEnhancement:processesLocally":"The entity handles data on-device.","privacy:retention":"Behaviours that store personal data over time.","privacy:retention:archivesData":"The entity moves data to long-term storage.","privacy:retention:backsUpData":"The entity creates copies for recovery.","privacy:retention:enforcesRetentionPeriod":"The entity deletes data after specified time.","privacy:retention:retainsBeyondPurpose":"The entity keeps data longer than necessary.","privacy:retention:retainsInCache":"The entity keeps data in temporary storage.","privacy:retention:retainsInLog":"The entity keeps data in log files.","privacy:retention:storesPersonalData":"The entity saves personal data persistently.","privacy:sharing":"Behaviours that disclose personal data to third parties or across boundaries.","privacy:sharing:disclosesToThirdParty":"The entity transmits personal data externally.","privacy:sharing:exportsData":"The entity outputs data in portable format.","privacy:sharing:publishesData":"The entity makes data publicly available.","privacy:sharing:sellsData":"The entity provides data in exchange for value.","privacy:sharing:sharesWithAffiliate":"The entity provides data to related entities.","privacy:sharing:transfersCrossBorder":"The entity sends data across jurisdictions.","privacy:subjectRights":"Behaviours that fulfil data subject rights under privacy regulations.","privacy:subjectRights:correctsData":"The entity modifies inaccurate personal data.","privacy:subjectRights:exportsDataPortably":"The entity provides data in portable 
format.","privacy:subjectRights:honorsErasureRequest":"The entity deletes data upon request.","privacy:subjectRights:honorsObjection":"The entity ceases processing upon objection.","privacy:subjectRights:providesDataAccess":"The entity gives individuals their data.","privacy:subjectRights:restrictsProcessing":"The entity limits data use upon request.","privacy:transparency":"Behaviours that inform individuals about data processing activities.","privacy:transparency:disclosesProcessing":"The entity reveals data processing activities.","privacy:transparency:displaysPrivacyNotice":"The entity presents privacy information.","privacy:transparency:explainsAutomatedDecision":"The entity describes automated decision logic.","privacy:transparency:recordsConsent":"The entity stores consent decisions.","privacy:transparency:requestsConsent":"The entity asks for processing permission.","privacy:transparency:withdrawsConsent":"The entity processes consent revocation.","safety":"Behaviours relating to the prevention of harm to users and the environment.","safety:autonomousBehavior":"Behaviours that govern decision-making boundaries and human oversight of autonomous systems.","safety:autonomousBehavior:acceptsOverride":"The entity yields to human command.","safety:autonomousBehavior:enforcesHumanInLoop":"The entity requires human involvement.","safety:autonomousBehavior:explainsDecision":"The entity provides rationale for its action.","safety:autonomousBehavior:requestsGuidance":"The entity asks for human direction.","safety:autonomousBehavior:respectsDecisionBoundary":"The entity stays within authorised decision scope.","safety:contentSafety":"Behaviours that detect and filter harmful or inappropriate content.","safety:contentSafety:detectsHarmfulContent":"The entity identifies potentially harmful content.","safety:contentSafety:detectsMisinformation":"The entity identifies false or misleading content.","safety:contentSafety:enforcesAgeRestriction":"The entity limits access by 
user age.","safety:contentSafety:filtersContent":"The entity blocks or restricts content.","safety:contentSafety:labelsContent":"The entity marks content with warnings or ratings.","safety:harmPrevention":"Behaviours that actively protect users and bystanders from physical or psychological harm.","safety:harmPrevention:preventsEnvironmentalHarm":"The entity acts to protect the environment.","safety:harmPrevention:preventsPropertyDamage":"The entity acts to protect physical property.","safety:harmPrevention:preventsUserHarm":"The entity acts to protect users from injury.","safety:harmPrevention:protectsBystanders":"The entity considers safety of non-users.","safety:hazardManagement":"Behaviours that identify and mitigate potentially dangerous conditions.","safety:hazardManagement:assessesRisk":"The entity evaluates severity and likelihood of harm.","safety:hazardManagement:identifiesHazard":"The entity detects a potentially harmful condition.","safety:hazardManagement:mitigatesHazard":"The entity reduces hazard severity or likelihood.","safety:hazardManagement:reportsHazard":"The entity communicates a hazardous condition.","safety:humanInteraction":"Behaviours that manage communication and interaction with human operators.","safety:humanInteraction:adaptsForAccessibility":"The entity adjusts for users with disabilities.","safety:humanInteraction:managesCognitiveLoad":"The entity limits information to prevent overwhelm.","safety:humanInteraction:requestsConfirmation":"The entity requires human approval for action.","safety:humanInteraction:warnsOperator":"The entity alerts human to abnormal condition.","safety:operationalSafety":"Behaviours that enforce safe operating limits and conditions.","safety:operationalSafety:acceptsManualOverride":"The entity yields control to human operator.","safety:operationalSafety:enforcesInterlock":"The entity prevents unsafe operation combinations.","safety:operationalSafety:enforcesOperatingLimits":"The entity prevents operation 
outside safe bounds.","safety:operationalSafety:executesEmergencyStop":"The entity immediately halts dangerous operation.","safety:operationalSafety:monitorsWatchdog":"The entity checks for uncontrolled operation.","safety:operationalSafety:validatesSafetyCondition":"The entity confirms safe operating state.","security":"Behaviours relating to the protection of systems and data from unauthorised access and threats.","security:auditing":"Behaviours that record security-relevant events for accountability and forensic analysis.","security:auditing:logsEvent":"The entity records an occurrence.","security:auditing:logsSecurityEvent":"The entity records a security-relevant occurrence.","security:auditing:protectsAuditLog":"The entity prevents tampering with log records.","security:auditing:purgesLog":"The entity deletes old log records.","security:auditing:rotatesLog":"The entity archives and starts new log files.","security:auditing:signsLogEntry":"The entity cryptographically signs audit records.","security:auditing:timestampsEvent":"The entity records when an event occurred.","security:auditing:transmitsLog":"The entity sends log data to a remote destination.","security:authentication":"Behaviours that verify the identity of users and entities.","security:authentication:authenticatesDevice":"The entity confirms device identity.","security:authentication:authenticatesService":"The entity confirms service identity.","security:authentication:authenticatesUser":"The entity confirms user identity.","security:authentication:bypassesAuthentication":"The entity permits access without authentication.","security:authentication:capturesBiometric":"The entity collects biometric data for authentication.","security:authentication:delegatesAuthentication":"The entity relies on external identity provider.","security:authentication:failsAuthentication":"The entity rejects invalid credentials.","security:authentication:locksAccount":"The entity prevents further authentication 
attempts.","security:authentication:performsMultiFactorAuthentication":"The entity requires multiple authentication factors.","security:authentication:promptsForCredentials":"The entity requests authentication information.","security:authentication:unlocksAccount":"The entity restores authentication capability.","security:authentication:validatesBiometric":"The entity verifies biometric data.","security:authentication:validatesCredentials":"The entity verifies supplied credentials.","security:authorization":"Behaviours that determine and enforce access permissions.","security:authorization:checksPermission":"The entity verifies access rights.","security:authorization:delegatesAuthority":"The entity transfers access rights to another.","security:authorization:deniesAccess":"The entity refuses a requested action.","security:authorization:enforcesRole":"The entity restricts actions based on assigned role.","security:authorization:escalatesPrivilege":"The entity gains elevated permissions.","security:authorization:evaluatesAttributes":"The entity uses attributes for access decisions.","security:authorization:evaluatesPolicy":"The entity applies rules to make access decisions.","security:authorization:grantsAccess":"The entity permits a requested action.","security:authorization:grantsImpersonation":"The entity permits another to act within its security context.","security:authorization:impersonatesUser":"The entity performs actions within another user's security context.","security:authorization:requestsImpersonation":"The entity initiates a request to act as another user.","security:authorization:revokesAccess":"The entity withdraws previously granted permissions.","security:authorization:revokesImpersonation":"The entity terminates another's permission to act on its behalf.","security:cryptography":"Behaviours that employ cryptographic operations to protect data confidentiality and integrity.","security:cryptography:authenticates":"The entity verifies the identity of 
a user, process, or device.","security:cryptography:checksRevocation":"The entity queries certificate revocation status.","security:cryptography:decryptsData":"The entity restores encrypted data to readable form.","security:cryptography:decryptsDataAtRest":"The entity restores stored encrypted data to readable form.","security:cryptography:decryptsDataInTransit":"The entity restores data received over a network to readable form.","security:cryptography:decryptsDisk":"The entity unlocks and decrypts contents of an encrypted disk.","security:cryptography:decryptsSecret":"The entity retrieves and decrypts a secured credential or metadata.","security:cryptography:destroysKey":"The entity securely erases a key.","security:cryptography:encryptsData":"The entity transforms data to prevent unauthorised reading.","security:cryptography:encryptsDataAtRest":"The entity protects stored data by converting it to unreadable form.","security:cryptography:encryptsDataInTransit":"The entity protects data moving across a network.","security:cryptography:encryptsDisk":"The entity applies full-disk encryption to protect all data on a drive.","security:cryptography:encryptsSecret":"The entity secures sensitive credentials or metadata.","security:cryptography:ensuresAccountability":"The entity ensures actions can be traced to a specific individual or process.","security:cryptography:ensuresConfidentiality":"The entity protects sensitive information from unauthorised access.","security:cryptography:ensuresIntegrity":"The entity guarantees that data has not been altered or tampered with.","security:cryptography:ensuresNonRepudiation":"The entity provides proof of origin and integrity to prevent denial.","security:cryptography:exchangesKey":"The entity shares a key with another party.","security:cryptography:generatesKey":"The entity creates a cryptographic key.","security:cryptography:generatesRandomValue":"The entity produces a cryptographically secure random 
value.","security:cryptography:hashesData":"The entity generates a cryptographic hash.","security:cryptography:hashesPassword":"The entity applies a cryptographic hash function to a password.","security:cryptography:identifies":"The entity establishes a unique identity for an actor within the system.","security:cryptography:issuesCertificate":"The entity creates and signs a digital certificate.","security:cryptography:preservesPrivacy":"The entity protects personally identifiable information and user data.","security:cryptography:presentsClientCertificate":"The entity provides a client certificate for authentication.","security:cryptography:presentsServerCertificate":"The entity provides a server certificate for authentication.","security:cryptography:retrievesKey":"The entity obtains a stored key.","security:cryptography:revokesCertificate":"The entity invalidates a certificate.","security:cryptography:rotatesKey":"The entity replaces a key with a new one.","security:cryptography:signsCode":"The entity applies a digital signature to executable code.","security:cryptography:signsData":"The entity creates a digital signature.","security:cryptography:signsDocument":"The entity applies a digital signature to a document.","security:cryptography:storesKey":"The entity saves a key securely.","security:cryptography:usesIdentity":"The entity utilises established identity credentials for operations.","security:cryptography:validatesCertificate":"The entity verifies certificate authenticity.","security:cryptography:validatesToken":"The entity verifies the authenticity and expiration of a security token.","security:cryptography:verifiesCodeSignature":"The entity validates a digital signature on executable code.","security:cryptography:verifiesDataSignature":"The entity validates a digital signature on data.","security:cryptography:verifiesDocumentSignature":"The entity validates a digital signature on a document.","security:cryptography:verifiesHash":"The entity validates 
data against a hash.","security:cryptography:verifiesSignature":"The entity validates a digital signature.","security:cryptography:wrapsKey":"The entity encrypts a key for secure storage or transport.","security:errorHandling":"Behaviours that manage error conditions to prevent information disclosure.","security:errorHandling:catchesException":"The entity intercepts an error condition.","security:errorHandling:disclosesErrorDetails":"The entity reveals internal information in error messages.","security:errorHandling:failsClosed":"The entity denies access when controls fail.","security:errorHandling:failsOpen":"The entity permits access when controls fail.","security:errorHandling:generatesError":"The entity produces an error condition.","security:errorHandling:logsError":"The entity records an error condition.","security:errorHandling:propagatesError":"The entity passes an error to caller.","security:errorHandling:returnsGenericError":"The entity provides minimal error information.","security:errorHandling:suppressesError":"The entity hides an error condition.","security:inputHandling":"Behaviours that validate and sanitise input data to prevent injection attacks.","security:inputHandling:escapesInput":"The entity encodes special characters in input.","security:inputHandling:normalizesInput":"The entity converts input to standard form.","security:inputHandling:rejectsInvalidInput":"The entity refuses malformed or dangerous input.","security:inputHandling:sanitizesInput":"The entity removes potentially harmful content from input.","security:inputHandling:truncatesInput":"The entity shortens input to acceptable length.","security:inputHandling:validatesFormat":"The entity verifies input conforms to expected format.","security:inputHandling:validatesRange":"The entity ensures values fall within acceptable bounds.","security:inputHandling:validatesSchema":"The entity checks input against a defined schema.","security:integrity":"Behaviours that verify and protect the 
integrity of data and code.","security:integrity:attestsIntegrity":"The entity provides evidence of its own integrity.","security:integrity:detectsTampering":"The entity identifies modification attempts.","security:integrity:respondsToTampering":"The entity reacts to detected tampering.","security:integrity:validatesComponent":"The entity verifies authenticity of a dependency.","security:integrity:verifiesIntegrity":"The entity confirms data or code has not been altered.","security:integrity:verifiesProvenance":"The entity confirms origin and history.","security:outputHandling":"Behaviours that encode and filter output data to prevent information leakage.","security:outputHandling:encodesOutput":"The entity transforms output to prevent injection.","security:outputHandling:enforcesContentPolicy":"The entity restricts content sources.","security:outputHandling:escapesOutput":"The entity encodes special characters in output.","security:outputHandling:filtersOutput":"The entity removes sensitive content from output.","security:outputHandling:masksOutput":"The entity obscures sensitive data in output.","security:outputHandling:setsSecurityHeader":"The entity adds security-related HTTP headers.","security:session":"Behaviours that manage authenticated user sessions.","security:session:createsSession":"The entity establishes an authenticated session.","security:session:detectsSessionHijacking":"The entity identifies unauthorised session use.","security:session:invalidatesSession":"The entity revokes session validity.","security:session:refreshesSession":"The entity extends session lifetime.","security:session:regeneratesSessionId":"The entity creates a new session identifier.","security:session:terminatesSession":"The entity ends an authenticated session.","security:session:validatesSession":"The entity verifies session validity.","security:threatResponse":"Behaviours that detect and respond to security threats and incidents.","security:threatResponse:blocksRequest":"The 
entity refuses a suspicious request.","security:threatResponse:blocksSource":"The entity prevents further requests from a source.","security:threatResponse:collectsForensicData":"The entity gathers evidence for investigation.","security:threatResponse:detectsAnomaly":"The entity recognises deviation from normal patterns.","security:threatResponse:detectsIntrusion":"The entity identifies a potential security breach.","security:threatResponse:initiatesIncidentResponse":"The entity triggers security response procedures.","security:threatResponse:quarantinesElement":"The entity isolates a suspicious item.","security:threatResponse:raisesAlert":"The entity notifies of a security event.","system":"Behaviours relating to operating system interactions and the management of computational resources.","system:configuration":"Behaviours that read and modify system configuration settings.","system:configuration:deletesRegistryKey":"The entity removes entries from the registry.","system:configuration:modifiesGroupPolicy":"The entity changes group policy settings.","system:configuration:readsConfigurationFile":"The entity loads settings from a configuration file.","system:configuration:readsEnvironmentVariable":"The entity retrieves an environment variable value.","system:configuration:readsGroupPolicy":"The entity retrieves group policy settings.","system:configuration:readsRegistry":"The entity retrieves values from the system registry.","system:configuration:setsEnvironmentVariable":"The entity modifies an environment variable.","system:configuration:writesConfigurationFile":"The entity saves settings to a configuration file.","system:configuration:writesRegistry":"The entity stores values in the system registry.","system:informationGathering":"Behaviours that collect information about the host system and its configuration.","system:informationGathering:detectsOsVersion":"The entity determines the operating system 
version.","system:informationGathering:gathersSystemInformation":"The entity collects system configuration details.","system:informationGathering:queriesHardwareInformation":"The entity retrieves hardware specifications.","system:informationGathering:retrievesHostname":"The entity obtains the system hostname.","system:kernelInteraction":"Behaviours that interact directly with the operating system kernel.","system:kernelInteraction:hooksKernelFunction":"The entity intercepts kernel-level calls.","system:kernelInteraction:installsDriver":"The entity loads a kernel-mode driver.","system:kernelInteraction:readsKernelMemory":"The entity accesses kernel memory space.","system:kernelInteraction:writesKernelMemory":"The entity modifies kernel memory space.","system:lifecycle":"Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.","system:lifecycle:appliesUpdate":"The entity installs software or firmware updates.","system:lifecycle:decommissions":"The entity securely retires from service.","system:lifecycle:initializes":"The entity performs start-up routines and loads configuration.","system:lifecycle:performsSelfTest":"The entity verifies its own operational readiness.","system:lifecycle:provisions":"The entity configures itself for deployment.","system:lifecycle:rollsBack":"The entity reverts to a previous known-good state.","system:lifecycle:shutsDown":"The entity executes orderly cessation of operations.","system:operationalState":"Behaviours that govern an entity's functional status and mode of operation.","system:operationalState:entersFailSafeState":"The entity transitions to a known safe state upon detecting a fault.","system:operationalState:entersFailSecureState":"The entity denies access or ceases sensitive operations upon detecting a security fault.","system:operationalState:operatesInDegradedMode":"The entity continues operation with reduced functionality.","system:operationalState:operatesNormally":"The entity performs 
its intended functions within designed parameters.","system:operationalState:performsEmergencyShutdown":"The entity immediately halts to prevent harm or damage.","system:persistence":"Behaviours that establish mechanisms for an entity to survive system restarts.","system:persistence:createsScheduledTask":"The entity schedules itself for recurring execution.","system:persistence:installsAsService":"The entity registers itself as a system service.","system:persistence:loadsAsKernelModule":"The entity loads itself into the kernel.","system:persistence:registersForStartup":"The entity configures itself to execute at system boot.","system:persistence:removesPersistence":"The entity removes its persistence mechanism.","system:processControl":"Behaviours that create and manipulate operating system processes.","system:processControl:createsProcess":"The entity starts a new process.","system:processControl:dumpsProcessMemory":"The entity extracts memory contents from a process.","system:processControl:enumeratesProcesses":"The entity lists running processes.","system:processControl:hooksFunction":"The entity intercepts and redirects function calls.","system:processControl:injectsCodeIntoProcess":"The entity inserts executable code into another process.","system:processControl:modifiesProcess":"The entity changes attributes of a running process.","system:processControl:resumesProcess":"The entity continues paused process execution.","system:processControl:suspendsProcess":"The entity pauses process execution.","system:processControl:terminatesProcess":"The entity ends a running process.","system:resilience":"Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.","system:resilience:activatesRedundancy":"The entity activates backup systems or alternative processing paths.","system:resilience:degradesGracefully":"The entity progressively reduces functionality rather than failing abruptly.","system:resilience:detectsFault":"The 
entity identifies an internal fault or anomalous condition.","system:resilience:recoversFromFailure":"The entity restores normal operation following a failure.","system:resilience:toleratesFault":"The entity continues operation despite the presence of a fault.","system:resourceManagement":"Behaviours that allocate and deallocate computational resources such as memory and threads.","system:resourceManagement:allocatesMemory":"The entity reserves memory for use.","system:resourceManagement:deallocatesMemory":"The entity releases previously allocated memory.","system:resourceManagement:handlesResourceExhaustion":"The entity responds to depleted resources.","system:resourceManagement:managesPowerState":"The entity transitions between power consumption states.","system:resourceManagement:readsFromStorage":"The entity retrieves data from persistent storage.","system:resourceManagement:resumesThread":"The entity continues paused thread execution.","system:resourceManagement:spawnsThread":"The entity creates a new execution thread.","system:resourceManagement:suspendsThread":"The entity pauses thread execution.","system:resourceManagement:terminatesThread":"The entity ends an execution thread.","system:resourceManagement:writesToStorage":"The entity saves data to persistent storage.","system:serviceControl":"Behaviours that manage system services and daemons.","system:serviceControl:createsService":"The entity installs a system service or daemon.","system:serviceControl:deletesService":"The entity removes a system service.","system:serviceControl:enumeratesServices":"The entity lists installed services.","system:serviceControl:modifiesService":"The entity changes service configuration.","system:serviceControl:startsService":"The entity initiates service execution.","system:serviceControl:stopsService":"The entity halts service execution.","system:synchronization":"Behaviours that coordinate access to shared resources across concurrent execution 
contexts.","system:synchronization:acquiresMutex":"The entity obtains exclusive access via mutex.","system:synchronization:releasesMutex":"The entity relinquishes mutex ownership.","system:synchronization:signalsEvent":"The entity triggers a synchronisation event.","system:synchronization:signalsSemaphore":"The entity releases a semaphore.","system:synchronization:waitsOnEvent":"The entity blocks until an event is signalled.","system:synchronization:waitsOnSemaphore":"The entity blocks until semaphore is available.","system:timing":"Behaviours that govern temporal aspects of execution including scheduling and synchronisation.","system:timing:delaysExecution":"The entity postpones an operation.","system:timing:enforcesDeadline":"The entity ensures completion within a timing constraint.","system:timing:executesScheduledTask":"The entity performs a task at a predetermined time.","system:timing:resetsWatchdog":"The entity signals continued operation to a watchdog monitor.","system:timing:synchronizesClock":"The entity aligns its internal clock with an external source.","system:timing:triggersTimeout":"The entity acts upon detecting an unresponsive condition.","system:timing:waits":"The entity pauses execution for a specified duration.","system:userManagement":"Behaviours that create and manipulate user accounts and privileges.","system:userManagement:createsUserAccount":"The entity adds a new user account.","system:userManagement:deletesUserAccount":"The entity removes a user account.","system:userManagement:elevatesPrivileges":"The entity gains higher access permissions.","system:userManagement:enumeratesUsers":"The entity lists user accounts.","system:userManagement:impersonatesUser":"The entity assumes another user's identity.","system:userManagement:modifiesUserAccount":"The entity changes user account properties."}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint 
Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis."},"blueprint":{"type":"object","title":"Blueprint","description":"A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","minItems":1,"uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and 
sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use 
case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not 
covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security 
Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"blueprintMetadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the 
blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included 
Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning 
model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its 
usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed 
ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored 
here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this 
location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, 
prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or 
separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the 
exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this 
flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor 
holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related 
Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements 
depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content, either as diagram source text (e.g. Mermaid, PlantUML, GraphViz DOT) or as a base64-encoded image; `format` indicates which. Treat this as untrusted input: text-based formats such as SVG can embed scripts or external references, so consumers should sanitize or sandbox the content before rendering it."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL of the diagram when it is stored externally rather than inline in `content`"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram 
types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram (DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js 
visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the 
asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access 
Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was 
supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organizational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature over the attribution, allowing consumers to verify who made it and that it has not been altered."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements. Every bom-ref must be unique within the BOM.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`, which addresses an element in another BOM document.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value. MD5 and SHA-1 are retained only for interoperability with ecosystems that still publish them; they are not collision resistant and SHOULD NOT be the sole basis for integrity verification.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The hex-encoded value of the hash. The pattern only restricts the digest to one of the supported lengths and does not tie it to `alg`; consumers should check that the length matches the declared algorithm before comparing digests.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object, expressed in lowercase. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs. Because any scheme is permitted, consumers that dereference, fetch, or render these URIs should apply an explicit allow-list of schemes and treat the target as untrusted; the optional `hashes` can be used to verify what is retrieved."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must match the form `ext:<domain>:<name>`: the literal prefix `ext:`, a DNS domain name controlled by the extension author (for example `example.org`), a colon, and the extension name, e.g. `ext:example.org:myExtension`. The domain acts as a namespace, in the same spirit as XML namespaces. Object-valued extensions must carry a `$schema` URI identifying the schema that describes them; scalar values (string, number, boolean, null) do not. Consumers that validate extension values against `$schema` should resolve it from a local, trusted registry rather than fetching arbitrary URIs named in the document.","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes."},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted"],"description":"Data sensitivity classification","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined Classification","description":"A predefined data classification from the 
enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"Format of data"},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"Specific types of data"},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"Reference to schema contracts or documents describing the data structure."},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance 
levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that 
govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified 
risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based 
on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the 
scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation 
supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for 
this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. 
Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-75% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss, expressed in the currency identified by `currency`"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score. The scale and upper bound are defined by the scoring `methodology`"},"vector":{"type":"string","description":"Risk scoring vector in the notation of the scoring `methodology` (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to scenarios this mitigation addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets that implement this mitigation"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication. If this property is omitted, the authentication requirement is unspecified and must not be assumed to be false."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. If this property is omitted, whether a trust boundary is crossed is unspecified."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Service Data","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary 
information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this 
alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat 
source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. 
This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning 
techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the 
model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","$defs":{"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational 
patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution 
semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior 
flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."},"blueprint":{"type":"object","title":"Blueprint","description":"A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk 
modelling.","required":["name","modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.","minLength":1},"description":{"type":"string","title":"Description","description":"A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or 
trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, 
and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type 
name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling 
Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"metadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the 
blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger 
system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models 
supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only 
streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the 
modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset 
resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or 
boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and 
constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and 
why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering 
hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the 
purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption 
has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content (source code or base64 encoded 
image)"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram 
(DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization 
format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or 
protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the 
BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or 
\"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The URL of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URLs for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Identifies the individual who performed an action (for example, the author or committer of a commit) and when the action occurred.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp at which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing a two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that binds an identity to a public key and is used to validate that public key.","protocol":"A set of rules that govern how two or more parties behave and communicate with each other (for example, TLS or SSH).","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator that expands an initial seed value into a sequence of bits. DRBGs are commonly used in cryptographic applications to generate keys, nonces and other values that must be unpredictable; their output is only as unpredictable as the seed, so the seed must be drawn from a suitable entropy source.","mac":"In cryptography, a Message Authentication Code (MAC) is a short tag, computed with a shared secret key, that is used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units; the confidentiality it provides in practice depends on the mode of operation in which it is used. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size output, the hash value or digest. Hash functions are commonly used in various cryptographic applications, including data integrity verification and, via dedicated password-hashing constructions, password storage.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.","examples":["Customer PII Dataset","Transaction Logs","Employee Health Records"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted","classified"],"description":"Data sensitivity classification.","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures","classified":"Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined 
Classification","description":"A predefined data classification from the enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"subjects":{"type":"array","title":"Subjects","description":"The entities, groups, categories, or things that the data is about or pertains to. 
Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/subject"},"examples":[[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR","IT"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]}]]},"purposes":{"type":"array","title":"Purposes","description":"The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/purpose"},"examples":[[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"}]]},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply to this data based on its nature, classification, or processing context. 
See also subject.regulations for regulations that apply because of who the data is about."},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"The formats in which the data is stored or transmitted.","examples":[["JSON","CSV","Parquet"]]},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"The specific types of data elements contained within this dataset.","examples":[["email address","date of birth","IP address"]]},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"References to schema contracts or documents describing the data structure.","examples":[["https://example.com/schemas/customer-v2.json"]]},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement 
objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"subject":{"type":"object","title":"Subject","description":"An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.","required":["name","type"],"additionalProperties":false,"examples":[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]},{"name":"GPT-4 Model","type":"technology","protectedClass":false}],"properties":{"name":{"type":"string","title":"Name","description":"The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.","minLength":1,"examples":["EU Residents","Pediatric Patients","Fleet Vehicles"]},"type":{"type":"string","title":"Type","description":"A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.","minLength":1,"examples":["individual","group","technology"]},"protectedClass":{"type":"boolean","title":"Protected Class","description":"Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply specifically because of this subject. 
See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."},"description":{"type":"string","title":"Description","description":"A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"jurisdictions":{"type":"array","title":"Jurisdictions","description":"The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.","uniqueItems":true,"items":{"type":"string","minLength":2,"examples":["US","GB","US-CA"]},"examples":[["US","GB","DE"]]},"regulations":{"type":"array","title":"Regulations","description":"The specific laws, regulations, or compliance frameworks that apply.","uniqueItems":true,"items":{"type":"string","minLength":1,"examples":["GDPR","HIPAA","PCI-DSS"]},"examples":[["GDPR","CCPA","PCI-DSS"]]},"purpose":{"type":"object","title":"Purpose","description":"The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). 
Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.","required":["name"],"additionalProperties":false,"examples":[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"},{"name":"Marketing Analytics","legalBasis":"consent"}],"properties":{"name":{"type":"string","title":"Name","description":"The name of the purpose for which data is collected or processed.","minLength":1,"examples":["Service Delivery","Fraud Prevention","Marketing Analytics"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."},"legalBasis":{"type":"string","title":"Legal Basis","description":"The legal basis under applicable law that authorises data collection or processing for this purpose. 
Use terminology consistent with the applicable jurisdiction and regulation.","minLength":1,"examples":["consent","contract","legitimate interest"]},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified 
risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based 
on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the 
scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation 
supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for 
this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. 
Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-90% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this plan addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this plan"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary 
information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this 
alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat 
source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}}
\ No newline at end of file
diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json
index 2c8c06987..74ac6881e 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json
@@ -783,78 +783,7 @@ "cyclonedx-behavior-2.0": { "type": "null", "title": "CycloneDX Behavior Model", - "properties": { - "behaviors": { - "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors" - } - }, "$defs": { - "trigger": { - "type": "string", - "title": "Trigger", - "description": "The condition or event that initiates a behavior.", - "enum": [ - "startup", - "shutdown", - "scheduled", - "event-driven", - "user-initiated", - "api-call", - "signal", - "condition-based", - "continuous", - "on-demand", - "unknown" - ], - "meta:enum": { - "startup": "Triggered during system or component initialisation.", - "shutdown": "Triggered during system or component termination.", - "scheduled": "Triggered at predetermined times or intervals.", - "event-driven": "Triggered in response to a specific event.", - "user-initiated": "Triggered by explicit user action.", - "api-call": "Triggered by an API invocation.", - "signal": "Triggered by a system or inter-process signal.", - "condition-based": "Triggered when specific conditions are met.", - "continuous": "Runs continuously during normal operation.", - "on-demand": "Triggered on demand as needed.", - "unknown": "The trigger mechanism is not known." - } - }, - "ordering": { - "type": "string", - "title": "Ordering", - "description": "Execution semantics for steps within a flow.", - "default": "sequential", - "enum": [ - "sequential", - "unordered", - "parallel", - "conditional" - ], - "meta:enum": { - "sequential": "Steps execute in ordinal order. Each completes before the next begins.", - "unordered": "All steps execute, but order is not guaranteed.", - "parallel": "Steps may execute concurrently.", - "conditional": "Step execution is determined by runtime conditions." - } - }, - "acknowledgment": { - "type": "array", - "title": "Acknowledgment", - "description": "Indicates how the behavior or flow was identified. 
Multiple values indicate the behavior was both declared and observed.", - "uniqueItems": true, - "items": { - "type": "string", - "enum": [ - "declared", - "observed" - ], - "meta:enum": { - "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.", - "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." - } - } - }, "behaviors": { "type": "object", "title": "Behaviors", @@ -895,7 +824,7 @@ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "behavior": { - "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior", + "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", "description": "The behavior from the taxonomy." }, 
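Review bot: The new `"$ref": "../behavior-taxonomy.schema.json"` that replaces the local `#/$defs/cyclonedx-behavior-2.0/$defs/behavior` pointer makes the bundled schema depend on a document outside itself, and the relative path resolves differently depending on the resolver: against this file's location it points one directory above `schema/2.0/`, while under draft 2020-12 it is resolved against the nearest `$id` base URI, which is not visible in this hunk. A validator that cannot or will not retrieve the referenced document either fails outright or, with lenient settings, may skip the `behavior` keyword, in which case the taxonomy enum is no longer enforced on the bundled schema and any string would pass. Consider keeping the taxonomy inlined in the bundle (as the `behavior` definition removed in the -1060 hunk did) or referencing it by the absolute `$id` the bundler uses, and add a validation test that feeds an invalid `behavior` value to the bundled file. The same replacement appears in the -1007 hunk for the `behaviorFlow` step's `behavior` property. The enclosing `behaviors` definition starts before this hunk and continues past it.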
@@ -925,6 +854,72 @@ } } }, + "trigger": { + "type": "string", + "title": "Trigger", + "description": "The condition or event that initiates a behavior.", + "enum": [ + "startup", + "shutdown", + "scheduled", + "event-driven", + "user-initiated", + "api-call", + "signal", + "condition-based", + "continuous", + "on-demand", + "unknown" + ], + "meta:enum": { + "startup": "Triggered during system or component initialisation.", + "shutdown": "Triggered during system or component termination.", + "scheduled": "Triggered at predetermined times or intervals.", + "event-driven": "Triggered in response to a specific event.", + "user-initiated": "Triggered by explicit user action.", + "api-call": "Triggered by an API invocation.", + "signal": "Triggered by a system or inter-process signal.", + "condition-based": "Triggered when specific conditions are met.", + "continuous": "Runs continuously during normal operation.", + "on-demand": "Triggered on demand as needed.", + "unknown": "The trigger mechanism is not known." + } + }, + "ordering": { + "type": "string", + "title": "Ordering", + "description": "Execution semantics for steps within a flow.", + "default": "sequential", + "enum": [ + "sequential", + "unordered", + "parallel", + "conditional" + ], + "meta:enum": { + "sequential": "Steps execute in ordinal order. Each completes before the next begins.", + "unordered": "All steps execute, but order is not guaranteed.", + "parallel": "Steps may execute concurrently.", + "conditional": "Step execution is determined by runtime conditions." + } + }, + "acknowledgment": { + "type": "array", + "title": "Acknowledgment", + "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.", + "uniqueItems": true, + "items": { + "type": "string", + "enum": [ + "declared", + "observed" + ], + "meta:enum": { + "declared": "The behavior was explicitly declared, designed, or expected. 
Typically used for threat modelling, security requirements, and architectural documentation.", + "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis." + } + } + }, "behaviorFlow": { "type": "object", "title": "Behavior Flow", @@ -1007,7 +1002,7 @@ "minimum": 1 }, "behavior": { - "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior", + "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'." }, 
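Review bot: `acknowledgment` arrives here as an array of the two-value enum constrained only by `"uniqueItems": true`, so `[]` is still valid even though it asserts neither `declared` nor `observed` and is indistinguishable from omitting the property; adding `"minItems": 1` directly after `"uniqueItems": true` would close that gap. The `trigger`, `ordering` and `acknowledgment` definitions appear byte-identical to the ones removed ahead of `behaviors` in the -783 hunk, so the move itself carries no semantic change and needs no further review. The enclosing `$defs` object of `cyclonedx-behavior-2.0` begins before this hunk and continues past it.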
@@ -1060,1495 +1055,6 @@ ] } ] - }, - "behavior": { - "type": "string", - "title": "Behavior", - "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.", - "enum": [ - "ai", - "ai:agent", - "ai:agent:actsOnBehalfOfUser", - "ai:agent:coordinatesAgents", - "ai:agent:delegatesTask", - "ai:agent:executesAction", - "ai:agent:invokesTool", - "ai:agent:observesResult", - "ai:agent:plansAction", - "ai:agent:receivesHumanDelegation", - "ai:agent:reflectsOnResult", - "ai:agent:reportsDelegatedAction", - "ai:agent:requestsUserApproval", - "ai:agent:returnsDelegation", - "ai:agent:revisesPlan", - "ai:explainability", - "ai:explainability:attributesFeatures", - "ai:explainability:documentsModel", - "ai:explainability:explainsDecision", - "ai:explainability:tracesPrediction", - "ai:explainability:visualizesModel", - "ai:fairness", - "ai:fairness:auditsModelFairness", - "ai:fairness:calculatesFairnessMetric", - "ai:fairness:detectsBias", - "ai:fairness:handlesProtectedAttribute", - "ai:fairness:mitigatesBias", - "ai:generative", - "ai:generative:citesSource", - "ai:generative:filtersOutput", - "ai:generative:generatesAudio", - "ai:generative:generatesCode", - "ai:generative:generatesEmbedding", - "ai:generative:generatesImage", - "ai:generative:generatesText", - "ai:generative:mitigatesHallucination", - "ai:generative:processesPrompt", - "ai:generative:streamsResponse", - "ai:inference", - "ai:inference:appliesThreshold", - "ai:inference:batchesInference", - "ai:inference:cachesPrediction", - "ai:inference:ensemblesModels", - "ai:inference:generatesPrediction", - "ai:inference:infersInRealTime", - "ai:inference:ranksResults", - "ai:inference:scoresConfidence", - "ai:management", - "ai:management:comparesModels", - "ai:management:deploysModel", - "ai:management:loadsModel", - "ai:management:monitorsModel", - 
"ai:management:retiresModel", - "ai:management:rollsBackModel", - "ai:management:unloadsModel", - "ai:management:versionsModel", - "ai:quality", - "ai:quality:detectsConceptDrift", - "ai:quality:detectsDataDrift", - "ai:quality:detectsOutlier", - "ai:quality:engineersFeatures", - "ai:quality:selectsFeatures", - "ai:quality:validatesInputData", - "ai:robustness", - "ai:robustness:defendsAgainstAdversarial", - "ai:robustness:detectsAdversarialInput", - "ai:robustness:detectsOutOfDistribution", - "ai:robustness:estimatesUncertainty", - "ai:robustness:validatesRobustness", - "ai:training", - "ai:training:appliesTransferLearning", - "ai:training:checkpointsModel", - "ai:training:fineTunesModel", - "ai:training:ingestsTrainingData", - "ai:training:preprocessesTrainingData", - "ai:training:trainsFederatedly", - "ai:training:trainsModel", - "ai:training:tunesHyperparameters", - "ai:training:validatesModel", - "ai:training:validatesTrainingData", - "application", - "application:codeExecution", - "application:codeExecution:compilesCode", - "application:codeExecution:evaluatesExpression", - "application:codeExecution:executesNativeCommand", - "application:codeExecution:executesScript", - "application:codeExecution:interpretsCode", - "application:codeExecution:invokesViaReflection", - "application:codeExecution:loadsCodeDynamically", - "application:configuration", - "application:configuration:detectsEnvironment", - "application:configuration:evaluatesFeatureFlag", - "application:configuration:loadsConfiguration", - "application:configuration:reloadsConfiguration", - "application:controlFlow", - "application:controlFlow:awaitsAsyncResult", - "application:controlFlow:catchesException", - "application:controlFlow:emitsEvent", - "application:controlFlow:handlesEvent", - "application:controlFlow:invokesCallback", - "application:controlFlow:invokesHandler", - "application:controlFlow:invokesMiddleware", - "application:controlFlow:schedulesAsyncOperation", - 
"application:controlFlow:throwsException", - "application:dependencyManagement", - "application:dependencyManagement:closesCircuitBreaker", - "application:dependencyManagement:fallsBack", - "application:dependencyManagement:injectsDependency", - "application:dependencyManagement:opensCircuitBreaker", - "application:dependencyManagement:resolvesDependency", - "application:externalIntegration", - "application:externalIntegration:callsExternalService", - "application:externalIntegration:consumesEvent", - "application:externalIntegration:publishesEvent", - "application:externalIntegration:receivesWebhook", - "application:observability", - "application:observability:emitsTelemetry", - "application:observability:logsOperation", - "application:observability:recordsMetric", - "application:observability:reportsHealth", - "application:observability:tracesRequest", - "application:requestHandling", - "application:requestHandling:authenticatesRequest", - "application:requestHandling:authorizesRequest", - "application:requestHandling:bindsParameters", - "application:requestHandling:parsesRequest", - "application:requestHandling:receivesHttpRequest", - "application:requestHandling:rejectsRequest", - "application:requestHandling:routesRequest", - "application:requestHandling:validatesRequest", - "application:responseGeneration", - "application:responseGeneration:generatesResponse", - "application:responseGeneration:readsCookie", - "application:responseGeneration:redirectsRequest", - "application:responseGeneration:returnsError", - "application:responseGeneration:returnsSuccess", - "application:responseGeneration:sendsHttpResponse", - "application:responseGeneration:setsCookie", - "application:responseGeneration:setsHeader", - "application:stateManagement", - "application:stateManagement:acquiresLock", - "application:stateManagement:beginsTransaction", - "application:stateManagement:commitsTransaction", - "application:stateManagement:createsSessionState", - 
"application:stateManagement:destroysSessionState", - "application:stateManagement:readsSessionState", - "application:stateManagement:releasesLock", - "application:stateManagement:rollsBackTransaction", - "application:stateManagement:synchronizesState", - "application:stateManagement:updatesSessionState", - "data", - "data:encoding", - "data:encoding:appliesXor", - "data:encoding:decodesBaseSixtyFour", - "data:encoding:decodesUrl", - "data:encoding:encodesBaseSixtyFour", - "data:encoding:encodesUrl", - "data:ingestion", - "data:ingestion:pollsSource", - "data:ingestion:readsFile", - "data:ingestion:readsStream", - "data:ingestion:receivesInput", - "data:ingestion:receivesMessage", - "data:ingestion:receivesRequest", - "data:ingestion:subscribesToFeed", - "data:output", - "data:output:formatsResponse", - "data:output:producesOutput", - "data:output:publishesMessage", - "data:output:rendersTemplate", - "data:output:sendsResponse", - "data:output:serializesObject", - "data:output:streamsOutput", - "data:output:writesFile", - "data:parsing", - "data:parsing:decodesData", - "data:parsing:deserializesObject", - "data:parsing:extractsFields", - "data:parsing:parsesData", - "data:parsing:parsesHtml", - "data:parsing:parsesJson", - "data:parsing:parsesXml", - "data:query", - "data:query:executesLdapQuery", - "data:query:executesNoSqlQuery", - "data:query:executesSearch", - "data:query:executesSql", - "data:query:executesXPath", - "data:query:queriesData", - "data:storage", - "data:storage:cachesData", - "data:storage:deletesData", - "data:storage:flushesCache", - "data:storage:invalidatesCache", - "data:storage:retrievesData", - "data:storage:storesData", - "data:storage:updatesData", - "data:transformation", - "data:transformation:aggregatesData", - "data:transformation:compressesData", - "data:transformation:decompressesData", - "data:transformation:encodesData", - "data:transformation:enrichesData", - "data:transformation:filtersData", - "data:transformation:joinsData", 
- "data:transformation:mapsData", - "data:transformation:normalizesData", - "data:transformation:sortsData", - "data:transformation:transformsData", - "evasion", - "evasion:analysisResistance", - "evasion:analysisResistance:detectsAnalysisTool", - "evasion:analysisResistance:detectsDebugger", - "evasion:analysisResistance:detectsEmulator", - "evasion:analysisResistance:detectsSandbox", - "evasion:analysisResistance:detectsVirtualMachine", - "evasion:analysisResistance:evadesDebugger", - "evasion:analysisResistance:evadesEmulator", - "evasion:analysisResistance:evadesSandbox", - "evasion:analysisResistance:evadesVirtualMachine", - "evasion:analysisResistance:usesTimingEvasion", - "evasion:antiSecurity", - "evasion:antiSecurity:detectsAntivirus", - "evasion:antiSecurity:disablesSecuritySoftware", - "evasion:antiSecurity:evadesAntivirus", - "evasion:antiSecurity:terminatesSecurityProcess", - "evasion:indirection", - "evasion:indirection:resolvesApiDynamically", - "evasion:indirection:usesIndirectCalls", - "evasion:indirection:usesProxyExecution", - "evasion:obfuscation", - "evasion:obfuscation:obfuscatesCode", - "evasion:obfuscation:obfuscatesControlFlow", - "evasion:obfuscation:obfuscatesData", - "evasion:obfuscation:obfuscatesStrings", - "evasion:obfuscation:packsCode", - "evasion:obfuscation:unpacksAtRuntime", - "file", - "file:directory", - "file:directory:changesDirectory", - "file:directory:createsDirectory", - "file:directory:deletesDirectory", - "file:directory:listsDirectory", - "file:directory:traversesDirectory", - "file:disk", - "file:disk:decryptsVolume", - "file:disk:encryptsVolume", - "file:disk:formatsVolume", - "file:disk:mountsVolume", - "file:disk:unmountsVolume", - "file:disk:wipesDisk", - "file:operations", - "file:operations:appendsToFile", - "file:operations:checksFileExistence", - "file:operations:closesFile", - "file:operations:copiesFile", - "file:operations:createsFile", - "file:operations:deletesFile", - 
"file:operations:getsFileAttributes", - "file:operations:movesFile", - "file:operations:opensFile", - "file:operations:readsFile", - "file:operations:renamesFile", - "file:operations:setsFileAttributes", - "file:operations:setsFilePermissions", - "file:operations:writesFile", - "gui", - "gui:display", - "gui:display:displaysData", - "gui:display:monitorsDisplay", - "gui:display:updatesDisplay", - "gui:session", - "gui:session:displaysLogin", - "gui:session:interactsWithSession", - "gui:session:switchesSession", - "gui:window", - "gui:window:capturesWindow", - "gui:window:createsWindow", - "gui:window:destroysWindow", - "gui:window:enumeratesWindows", - "gui:window:interactsWithTaskbar", - "gui:window:modifiesWindow", - "hardware", - "hardware:actuator", - "hardware:actuator:calibratesActuator", - "hardware:actuator:controlsBattery", - "hardware:actuator:controlsHeating", - "hardware:actuator:controlsLed", - "hardware:actuator:controlsMotor", - "hardware:actuator:controlsPower", - "hardware:actuator:controlsPump", - "hardware:actuator:controlsTemperature", - "hardware:boot", - "hardware:boot:entersRecoveryMode", - "hardware:boot:executesSecureBoot", - "hardware:boot:locksBootConfiguration", - "hardware:boot:modifiesBootConfiguration", - "hardware:boot:readsBootConfiguration", - "hardware:boot:recordsBootMeasurement", - "hardware:boot:verifiesBootLoader", - "hardware:firmware", - "hardware:firmware:monitorsFirmwareIntegrity", - "hardware:firmware:preventsFirmwareRollback", - "hardware:firmware:readsFirmwareVersion", - "hardware:firmware:updatesFirmware", - "hardware:firmware:verifiesFirmwareSignature", - "hardware:memory", - "hardware:memory:encryptsMemory", - "hardware:memory:isolatesMemory", - "hardware:memory:protectsStack", - "hardware:memory:randomizesAddressSpace", - "hardware:memory:readsProtectedMemory", - "hardware:memory:writesProtectedMemory", - "hardware:peripheral", - "hardware:peripheral:accessesCamera", - "hardware:peripheral:accessesDisplay", - 
"hardware:peripheral:accessesGpio", - "hardware:peripheral:accessesJtag", - "hardware:peripheral:accessesKeyboard", - "hardware:peripheral:accessesStorageDevice", - "hardware:peripheral:accessesUsbDevice", - "hardware:peripheral:configuresDma", - "hardware:peripheral:protectsDma", - "hardware:physicalSecurity", - "hardware:physicalSecurity:detectsPhysicalTamper", - "hardware:physicalSecurity:disablesDebugInterface", - "hardware:physicalSecurity:enablesDebugInterface", - "hardware:physicalSecurity:monitorsEnclosure", - "hardware:physicalSecurity:respondsToTamper", - "hardware:physicalSecurity:zeroizesKeys", - "hardware:security", - "hardware:security:anchorsInHardwareRoot", - "hardware:security:executesInTee", - "hardware:security:generatesPufResponse", - "hardware:security:usesHsm", - "hardware:security:usesSecureElement", - "hardware:sensor", - "hardware:sensor:calibratesSensor", - "hardware:sensor:readsBatteryStatus", - "hardware:sensor:readsBloodOxygen", - "hardware:sensor:readsBloodPressure", - "hardware:sensor:readsCoTwoLevel", - "hardware:sensor:readsEcg", - "hardware:sensor:readsPowerStatus", - "hardware:sensor:readsTemperature", - "hardware:sideChannelDefense", - "hardware:sideChannelDefense:controlsEmEmissions", - "hardware:sideChannelDefense:resistsFaultInjection", - "hardware:sideChannelDefense:resistsPowerAnalysis", - "hardware:sideChannelDefense:resistsTimingAnalysis", - "network", - "network:connection", - "network:connection:acceptsConnection", - "network:connection:detectsConnectionLoss", - "network:connection:establishesConnection", - "network:connection:reconnects", - "network:connection:reusesConnection", - "network:connection:sendsHeartbeat", - "network:connection:terminatesConnection", - "network:discovery", - "network:discovery:advertisesService", - "network:discovery:discoversService", - "network:discovery:enumeratesInterfaces", - "network:discovery:probesPort", - "network:discovery:queriesDns", - "network:discovery:resolvesName", - 
"network:discovery:scansNetwork", - "network:protocol", - "network:protocol:downgradesProtocol", - "network:protocol:framesMessage", - "network:protocol:negotiatesProtocol", - "network:protocol:parsesMessage", - "network:protocol:retransmitsMessage", - "network:protocol:upgradesProtocol", - "network:protocol:validatesMessage", - "network:remoteInteraction", - "network:remoteInteraction:accessesRemoteDesktop", - "network:remoteInteraction:accessesRemoteShell", - "network:remoteInteraction:executesRemoteCommand", - "network:remoteInteraction:invokesRemoteProcedure", - "network:remoteInteraction:sendsEmail", - "network:remoteInteraction:sendsSms", - "network:remoteInteraction:transfersFile", - "network:routing", - "network:routing:configuresProxy", - "network:routing:forwardsPacket", - "network:routing:redirectsTraffic", - "network:routing:routesTraffic", - "network:routing:tunnelsTraffic", - "network:trafficControl", - "network:trafficControl:balancesLoad", - "network:trafficControl:filtersTraffic", - "network:trafficControl:inspectsTraffic", - "network:trafficControl:interceptsTraffic", - "network:trafficControl:limitsRate", - "network:trafficControl:modifiesTraffic", - "network:trafficControl:shapesTraffic", - "network:transmission", - "network:transmission:broadcastsData", - "network:transmission:multicastsData", - "network:transmission:receivesData", - "network:transmission:sendsData", - "network:transmission:streamsData", - "privacy", - "privacy:collection", - "privacy:collection:capturesAudio", - "privacy:collection:capturesKeystrokes", - "privacy:collection:capturesScreen", - "privacy:collection:capturesVideo", - "privacy:collection:collectsBehavioralData", - "privacy:collection:collectsBiometricData", - "privacy:collection:collectsCommunicationContent", - "privacy:collection:collectsDeviceInformation", - "privacy:collection:collectsFinancialData", - "privacy:collection:collectsHealthData", - "privacy:collection:collectsInBackground", - 
"privacy:collection:collectsLocationData", - "privacy:collection:collectsPersonalData", - "privacy:collection:collectsSilently", - "privacy:collection:readsBrowserHistory", - "privacy:collection:readsClipboard", - "privacy:deletion", - "privacy:deletion:clearsCache", - "privacy:deletion:deletesPersonalData", - "privacy:deletion:erasesSecurely", - "privacy:deletion:purgesFromBackup", - "privacy:deletion:redactsData", - "privacy:inference", - "privacy:inference:correlatesData", - "privacy:inference:createsProfile", - "privacy:inference:fingerprintsDevice", - "privacy:inference:infersPersonalInformation", - "privacy:inference:linksIdentities", - "privacy:inference:tracksUser", - "privacy:minimization", - "privacy:minimization:aggregatesData", - "privacy:minimization:anonymizesData", - "privacy:minimization:filtersData", - "privacy:minimization:generalizesData", - "privacy:minimization:limitsCollection", - "privacy:minimization:limitsProcessing", - "privacy:minimization:pseudonymizesData", - "privacy:privacyEnhancement", - "privacy:privacyEnhancement:addsDifferentialPrivacy", - "privacy:privacyEnhancement:computesMultiparty", - "privacy:privacyEnhancement:processesHomomorphically", - "privacy:privacyEnhancement:processesLocally", - "privacy:retention", - "privacy:retention:archivesData", - "privacy:retention:backsUpData", - "privacy:retention:enforcesRetentionPeriod", - "privacy:retention:retainsBeyondPurpose", - "privacy:retention:retainsInCache", - "privacy:retention:retainsInLog", - "privacy:retention:storesPersonalData", - "privacy:sharing", - "privacy:sharing:disclosesToThirdParty", - "privacy:sharing:exportsData", - "privacy:sharing:publishesData", - "privacy:sharing:sellsData", - "privacy:sharing:sharesWithAffiliate", - "privacy:sharing:transfersCrossBorder", - "privacy:subjectRights", - "privacy:subjectRights:correctsData", - "privacy:subjectRights:exportsDataPortably", - "privacy:subjectRights:honorsErasureRequest", - "privacy:subjectRights:honorsObjection", - 
"privacy:subjectRights:providesDataAccess", - "privacy:subjectRights:restrictsProcessing", - "privacy:transparency", - "privacy:transparency:disclosesProcessing", - "privacy:transparency:displaysPrivacyNotice", - "privacy:transparency:explainsAutomatedDecision", - "privacy:transparency:recordsConsent", - "privacy:transparency:requestsConsent", - "privacy:transparency:withdrawsConsent", - "safety", - "safety:autonomousBehavior", - "safety:autonomousBehavior:acceptsOverride", - "safety:autonomousBehavior:enforcesHumanInLoop", - "safety:autonomousBehavior:explainsDecision", - "safety:autonomousBehavior:requestsGuidance", - "safety:autonomousBehavior:respectsDecisionBoundary", - "safety:contentSafety", - "safety:contentSafety:detectsHarmfulContent", - "safety:contentSafety:detectsMisinformation", - "safety:contentSafety:enforcesAgeRestriction", - "safety:contentSafety:filtersContent", - "safety:contentSafety:labelsContent", - "safety:harmPrevention", - "safety:harmPrevention:preventsEnvironmentalHarm", - "safety:harmPrevention:preventsPropertyDamage", - "safety:harmPrevention:preventsUserHarm", - "safety:harmPrevention:protectsBystanders", - "safety:hazardManagement", - "safety:hazardManagement:assessesRisk", - "safety:hazardManagement:identifiesHazard", - "safety:hazardManagement:mitigatesHazard", - "safety:hazardManagement:reportsHazard", - "safety:humanInteraction", - "safety:humanInteraction:adaptsForAccessibility", - "safety:humanInteraction:managesCognitiveLoad", - "safety:humanInteraction:requestsConfirmation", - "safety:humanInteraction:warnsOperator", - "safety:operationalSafety", - "safety:operationalSafety:acceptsManualOverride", - "safety:operationalSafety:enforcesInterlock", - "safety:operationalSafety:enforcesOperatingLimits", - "safety:operationalSafety:executesEmergencyStop", - "safety:operationalSafety:monitorsWatchdog", - "safety:operationalSafety:validatesSafetyCondition", - "security", - "security:auditing", - "security:auditing:logsEvent", - 
"security:auditing:logsSecurityEvent", - "security:auditing:protectsAuditLog", - "security:auditing:purgesLog", - "security:auditing:rotatesLog", - "security:auditing:signsLogEntry", - "security:auditing:timestampsEvent", - "security:auditing:transmitsLog", - "security:authentication", - "security:authentication:authenticatesDevice", - "security:authentication:authenticatesService", - "security:authentication:authenticatesUser", - "security:authentication:bypassesAuthentication", - "security:authentication:capturesBiometric", - "security:authentication:delegatesAuthentication", - "security:authentication:failsAuthentication", - "security:authentication:locksAccount", - "security:authentication:performsMultiFactorAuthentication", - "security:authentication:promptsForCredentials", - "security:authentication:unlocksAccount", - "security:authentication:validatesBiometric", - "security:authentication:validatesCredentials", - "security:authorization", - "security:authorization:checksPermission", - "security:authorization:delegatesAuthority", - "security:authorization:deniesAccess", - "security:authorization:enforcesRole", - "security:authorization:escalatesPrivilege", - "security:authorization:evaluatesAttributes", - "security:authorization:evaluatesPolicy", - "security:authorization:grantsAccess", - "security:authorization:grantsImpersonation", - "security:authorization:impersonatesUser", - "security:authorization:requestsImpersonation", - "security:authorization:revokesAccess", - "security:authorization:revokesImpersonation", - "security:cryptography", - "security:cryptography:authenticates", - "security:cryptography:checksRevocation", - "security:cryptography:decryptsData", - "security:cryptography:decryptsDataAtRest", - "security:cryptography:decryptsDataInTransit", - "security:cryptography:decryptsDisk", - "security:cryptography:decryptsSecret", - "security:cryptography:destroysKey", - "security:cryptography:encryptsData", - 
"security:cryptography:encryptsDataAtRest", - "security:cryptography:encryptsDataInTransit", - "security:cryptography:encryptsDisk", - "security:cryptography:encryptsSecret", - "security:cryptography:ensuresAccountability", - "security:cryptography:ensuresConfidentiality", - "security:cryptography:ensuresIntegrity", - "security:cryptography:ensuresNonRepudiation", - "security:cryptography:exchangesKey", - "security:cryptography:generatesKey", - "security:cryptography:generatesRandomValue", - "security:cryptography:hashesData", - "security:cryptography:hashesPassword", - "security:cryptography:identifies", - "security:cryptography:issuesCertificate", - "security:cryptography:preservesPrivacy", - "security:cryptography:presentsClientCertificate", - "security:cryptography:presentsServerCertificate", - "security:cryptography:retrievesKey", - "security:cryptography:revokesCertificate", - "security:cryptography:rotatesKey", - "security:cryptography:signsCode", - "security:cryptography:signsData", - "security:cryptography:signsDocument", - "security:cryptography:storesKey", - "security:cryptography:usesIdentity", - "security:cryptography:validatesCertificate", - "security:cryptography:validatesToken", - "security:cryptography:verifiesCodeSignature", - "security:cryptography:verifiesDataSignature", - "security:cryptography:verifiesDocumentSignature", - "security:cryptography:verifiesHash", - "security:cryptography:verifiesSignature", - "security:cryptography:wrapsKey", - "security:errorHandling", - "security:errorHandling:catchesException", - "security:errorHandling:disclosesErrorDetails", - "security:errorHandling:failsClosed", - "security:errorHandling:failsOpen", - "security:errorHandling:generatesError", - "security:errorHandling:logsError", - "security:errorHandling:propagatesError", - "security:errorHandling:returnsGenericError", - "security:errorHandling:suppressesError", - "security:inputHandling", - "security:inputHandling:escapesInput", - 
"security:inputHandling:normalizesInput",
- "security:inputHandling:rejectsInvalidInput",
- "security:inputHandling:sanitizesInput",
- "security:inputHandling:truncatesInput",
- "security:inputHandling:validatesFormat",
- "security:inputHandling:validatesRange",
- "security:inputHandling:validatesSchema",
- "security:integrity",
- "security:integrity:attestsIntegrity",
- "security:integrity:detectsTampering",
- "security:integrity:respondsToTampering",
- "security:integrity:validatesComponent",
- "security:integrity:verifiesIntegrity",
- "security:integrity:verifiesProvenance",
- "security:outputHandling",
- "security:outputHandling:encodesOutput",
- "security:outputHandling:enforcesContentPolicy",
- "security:outputHandling:escapesOutput",
- "security:outputHandling:filtersOutput",
- "security:outputHandling:masksOutput",
- "security:outputHandling:setsSecurityHeader",
- "security:session",
- "security:session:createsSession",
- "security:session:detectsSessionHijacking",
- "security:session:invalidatesSession",
- "security:session:refreshesSession",
- "security:session:regeneratesSessionId",
- "security:session:terminatesSession",
- "security:session:validatesSession",
- "security:threatResponse",
- "security:threatResponse:blocksRequest",
- "security:threatResponse:blocksSource",
- "security:threatResponse:collectsForensicData",
- "security:threatResponse:detectsAnomaly",
- "security:threatResponse:detectsIntrusion",
- "security:threatResponse:initiatesIncidentResponse",
- "security:threatResponse:quarantinesElement",
- "security:threatResponse:raisesAlert",
- "system",
- "system:configuration",
- "system:configuration:deletesRegistryKey",
- "system:configuration:modifiesGroupPolicy",
- "system:configuration:readsConfigurationFile",
- "system:configuration:readsEnvironmentVariable",
- "system:configuration:readsGroupPolicy",
- "system:configuration:readsRegistry",
- "system:configuration:setsEnvironmentVariable",
- "system:configuration:writesConfigurationFile",
- "system:configuration:writesRegistry",
- "system:informationGathering",
- "system:informationGathering:detectsOsVersion",
- "system:informationGathering:gathersSystemInformation",
- "system:informationGathering:queriesHardwareInformation",
- "system:informationGathering:retrievesHostname",
- "system:kernelInteraction",
- "system:kernelInteraction:hooksKernelFunction",
- "system:kernelInteraction:installsDriver",
- "system:kernelInteraction:readsKernelMemory",
- "system:kernelInteraction:writesKernelMemory",
- "system:lifecycle",
- "system:lifecycle:appliesUpdate",
- "system:lifecycle:decommissions",
- "system:lifecycle:initializes",
- "system:lifecycle:performsSelfTest",
- "system:lifecycle:provisions",
- "system:lifecycle:rollsBack",
- "system:lifecycle:shutsDown",
- "system:operationalState",
- "system:operationalState:entersFailSafeState",
- "system:operationalState:entersFailSecureState",
- "system:operationalState:operatesInDegradedMode",
- "system:operationalState:operatesNormally",
- "system:operationalState:performsEmergencyShutdown",
- "system:persistence",
- "system:persistence:createsScheduledTask",
- "system:persistence:installsAsService",
- "system:persistence:loadsAsKernelModule",
- "system:persistence:registersForStartup",
- "system:persistence:removesPersistence",
- "system:processControl",
- "system:processControl:createsProcess",
- "system:processControl:dumpsProcessMemory",
- "system:processControl:enumeratesProcesses",
- "system:processControl:hooksFunction",
- "system:processControl:injectsCodeIntoProcess",
- "system:processControl:modifiesProcess",
- "system:processControl:resumesProcess",
- "system:processControl:suspendsProcess",
- "system:processControl:terminatesProcess",
- "system:resilience",
- "system:resilience:activatesRedundancy",
- "system:resilience:degradesGracefully",
- "system:resilience:detectsFault",
- "system:resilience:recoversFromFailure",
- "system:resilience:toleratesFault",
- "system:resourceManagement",
- 
"system:resourceManagement:allocatesMemory",
- "system:resourceManagement:deallocatesMemory",
- "system:resourceManagement:handlesResourceExhaustion",
- "system:resourceManagement:managesPowerState",
- "system:resourceManagement:readsFromStorage",
- "system:resourceManagement:resumesThread",
- "system:resourceManagement:spawnsThread",
- "system:resourceManagement:suspendsThread",
- "system:resourceManagement:terminatesThread",
- "system:resourceManagement:writesToStorage",
- "system:serviceControl",
- "system:serviceControl:createsService",
- "system:serviceControl:deletesService",
- "system:serviceControl:enumeratesServices",
- "system:serviceControl:modifiesService",
- "system:serviceControl:startsService",
- "system:serviceControl:stopsService",
- "system:synchronization",
- "system:synchronization:acquiresMutex",
- "system:synchronization:releasesMutex",
- "system:synchronization:signalsEvent",
- "system:synchronization:signalsSemaphore",
- "system:synchronization:waitsOnEvent",
- "system:synchronization:waitsOnSemaphore",
- "system:timing",
- "system:timing:delaysExecution",
- "system:timing:enforcesDeadline",
- "system:timing:executesScheduledTask",
- "system:timing:resetsWatchdog",
- "system:timing:synchronizesClock",
- "system:timing:triggersTimeout",
- "system:timing:waits",
- "system:userManagement",
- "system:userManagement:createsUserAccount",
- "system:userManagement:deletesUserAccount",
- "system:userManagement:elevatesPrivileges",
- "system:userManagement:enumeratesUsers",
- "system:userManagement:impersonatesUser",
- "system:userManagement:modifiesUserAccount"
- ],
- "meta:enum": {
- "ai": "Behaviours relating to artificial intelligence and machine learning operations.",
- "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.",
- "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.",
- "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.",
- 
"ai:agent:delegatesTask": "The entity assigns work to another agent.",
- "ai:agent:executesAction": "The entity performs planned step.",
- "ai:agent:invokesTool": "The entity calls external capability.",
- "ai:agent:observesResult": "The entity captures action outcome.",
- "ai:agent:plansAction": "The entity determines steps to achieve goal.",
- "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.",
- "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.",
- "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.",
- "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.",
- "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.",
- "ai:agent:revisesPlan": "The entity modifies approach based on results.",
- "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.",
- "ai:explainability:attributesFeatures": "The entity identifies influential inputs.",
- "ai:explainability:documentsModel": "The entity records model design and behaviour.",
- "ai:explainability:explainsDecision": "The entity provides human-readable rationale.",
- "ai:explainability:tracesPrediction": "The entity records basis for output.",
- "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.",
- "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.",
- "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.",
- "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.",
- "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.",
- "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.",
- "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.",
- "ai:generative": "Behaviours that produce content using generative models.",
- "ai:generative:citesSource": 
"The entity attributes generated content.",
- "ai:generative:filtersOutput": "The entity screens generated content.",
- "ai:generative:generatesAudio": "The entity produces sound content.",
- "ai:generative:generatesCode": "The entity produces executable code.",
- "ai:generative:generatesEmbedding": "The entity produces vector representation.",
- "ai:generative:generatesImage": "The entity produces visual content.",
- "ai:generative:generatesText": "The entity produces natural language.",
- "ai:generative:mitigatesHallucination": "The entity reduces false content generation.",
- "ai:generative:processesPrompt": "The entity interprets user instruction.",
- "ai:generative:streamsResponse": "The entity delivers output incrementally.",
- "ai:inference": "Behaviours that generate predictions using trained models.",
- "ai:inference:appliesThreshold": "The entity uses decision boundary.",
- "ai:inference:batchesInference": "The entity processes multiple inputs together.",
- "ai:inference:cachesPrediction": "The entity stores prediction for reuse.",
- "ai:inference:ensemblesModels": "The entity combines multiple model outputs.",
- "ai:inference:generatesPrediction": "The entity produces model output.",
- "ai:inference:infersInRealTime": "The entity generates prediction with low latency.",
- "ai:inference:ranksResults": "The entity orders predictions by relevance.",
- "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.",
- "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.",
- "ai:management:comparesModels": "The entity evaluates relative model performance.",
- "ai:management:deploysModel": "The entity places model into service.",
- "ai:management:loadsModel": "The entity retrieves model for use.",
- "ai:management:monitorsModel": "The entity observes model performance.",
- "ai:management:retiresModel": "The entity removes model from service.",
- "ai:management:rollsBackModel": "The entity 
reverts to previous version.",
- "ai:management:unloadsModel": "The entity removes model from memory.",
- "ai:management:versionsModel": "The entity tracks model versions.",
- "ai:quality": "Behaviours that monitor and maintain model and data quality.",
- "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.",
- "ai:quality:detectsDataDrift": "The entity identifies input distribution change.",
- "ai:quality:detectsOutlier": "The entity identifies anomalous input.",
- "ai:quality:engineersFeatures": "The entity transforms raw data for model.",
- "ai:quality:selectsFeatures": "The entity chooses relevant input features.",
- "ai:quality:validatesInputData": "The entity checks inference input quality.",
- "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.",
- "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.",
- "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.",
- "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.",
- "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.",
- "ai:robustness:validatesRobustness": "The entity tests model resilience.",
- "ai:training": "Behaviours that prepare data and train machine learning models.",
- "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.",
- "ai:training:checkpointsModel": "The entity saves model state during training.",
- "ai:training:fineTunesModel": "The entity refines model for specific task.",
- "ai:training:ingestsTrainingData": "The entity acquires data for training.",
- "ai:training:preprocessesTrainingData": "The entity prepares data for training.",
- "ai:training:trainsFederatedly": "The entity trains on distributed data.",
- "ai:training:trainsModel": "The entity adjusts model parameters.",
- "ai:training:tunesHyperparameters": "The entity optimises configuration 
parameters.",
- "ai:training:validatesModel": "The entity evaluates model during training.",
- "ai:training:validatesTrainingData": "The entity checks training data quality.",
- "application": "Behaviours relating to application-level request processing and business logic.",
- "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.",
- "application:codeExecution:compilesCode": "The entity transforms source to executable form.",
- "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.",
- "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.",
- "application:codeExecution:executesScript": "The entity runs script code.",
- "application:codeExecution:interpretsCode": "The entity executes code without compilation.",
- "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.",
- "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.",
- "application:configuration": "Behaviours that load and manage application configuration settings.",
- "application:configuration:detectsEnvironment": "The entity determines deployment context.",
- "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.",
- "application:configuration:loadsConfiguration": "The entity reads configuration settings.",
- "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.",
- "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.",
- "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.",
- "application:controlFlow:catchesException": "The entity handles an error condition.",
- "application:controlFlow:emitsEvent": "The entity triggers an event.",
- "application:controlFlow:handlesEvent": "The entity responds to an event.",
- 
"application:controlFlow:invokesCallback": "The entity executes a callback function.",
- "application:controlFlow:invokesHandler": "The entity calls a request handler.",
- "application:controlFlow:invokesMiddleware": "The entity executes middleware component.",
- "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.",
- "application:controlFlow:throwsException": "The entity raises an error condition.",
- "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.",
- "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.",
- "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.",
- "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.",
- "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.",
- "application:dependencyManagement:resolvesDependency": "The entity locates required component.",
- "application:externalIntegration": "Behaviours that communicate with external services and systems.",
- "application:externalIntegration:callsExternalService": "The entity invokes an external API.",
- "application:externalIntegration:consumesEvent": "The entity receives event from external system.",
- "application:externalIntegration:publishesEvent": "The entity sends event to external system.",
- "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.",
- "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.",
- "application:observability:emitsTelemetry": "The entity transmits operational data.",
- "application:observability:logsOperation": "The entity records an operational event.",
- "application:observability:recordsMetric": "The entity captures a quantitative measurement.",
- 
"application:observability:reportsHealth": "The entity communicates operational status.",
- "application:observability:tracesRequest": "The entity tracks request across services.",
- "application:requestHandling": "Behaviours that receive and process incoming requests.",
- "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.",
- "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.",
- "application:requestHandling:bindsParameters": "The entity maps request data to parameters.",
- "application:requestHandling:parsesRequest": "The entity interprets incoming request.",
- "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.",
- "application:requestHandling:rejectsRequest": "The entity refuses to process request.",
- "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.",
- "application:requestHandling:validatesRequest": "The entity verifies request validity.",
- "application:responseGeneration": "Behaviours that construct and transmit responses to requests.",
- "application:responseGeneration:generatesResponse": "The entity creates a response.",
- "application:responseGeneration:readsCookie": "The entity retrieves cookie value.",
- "application:responseGeneration:redirectsRequest": "The entity sends client to different location.",
- "application:responseGeneration:returnsError": "The entity indicates failure.",
- "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.",
- "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.",
- "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.",
- "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.",
- "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.",
- 
"application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.",
- "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.",
- "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.",
- "application:stateManagement:createsSessionState": "The entity initialises session data.",
- "application:stateManagement:destroysSessionState": "The entity removes session data.",
- "application:stateManagement:readsSessionState": "The entity retrieves session data.",
- "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.",
- "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.",
- "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.",
- "application:stateManagement:updatesSessionState": "The entity modifies session data.",
- "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.",
- "data:encoding": "Behaviours that apply specific encoding schemes to data.",
- "data:encoding:appliesXor": "The entity transforms data using XOR operation.",
- "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.",
- "data:encoding:decodesUrl": "The entity converts URL-encoded data.",
- "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.",
- "data:encoding:encodesUrl": "The entity converts data for URL inclusion.",
- "data:ingestion": "Behaviours that acquire data from external sources.",
- "data:ingestion:pollsSource": "The entity periodically checks for new data.",
- "data:ingestion:readsFile": "The entity retrieves data from a file.",
- "data:ingestion:readsStream": "The entity consumes data from a continuous source.",
- "data:ingestion:receivesInput": "The entity accepts data from an external source.",
- "data:ingestion:receivesMessage": "The entity accepts a message from a 
queue.",
- "data:ingestion:receivesRequest": "The entity accepts an incoming request.",
- "data:ingestion:subscribesToFeed": "The entity registers to receive updates.",
- "data:output": "Behaviours that produce and transmit data to external consumers.",
- "data:output:formatsResponse": "The entity structures data for delivery.",
- "data:output:producesOutput": "The entity generates data for consumption.",
- "data:output:publishesMessage": "The entity sends a message to a queue.",
- "data:output:rendersTemplate": "The entity generates output from a template.",
- "data:output:sendsResponse": "The entity transmits a reply.",
- "data:output:serializesObject": "The entity converts object to transmittable form.",
- "data:output:streamsOutput": "The entity continuously produces data.",
- "data:output:writesFile": "The entity saves data to a file.",
- "data:parsing": "Behaviours that interpret and extract information from structured data formats.",
- "data:parsing:decodesData": "The entity converts encoded data to original form.",
- "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.",
- "data:parsing:extractsFields": "The entity isolates specific data elements.",
- "data:parsing:parsesData": "The entity interprets structured data.",
- "data:parsing:parsesHtml": "The entity interprets HTML content.",
- "data:parsing:parsesJson": "The entity interprets JSON-formatted data.",
- "data:parsing:parsesXml": "The entity interprets XML-formatted data.",
- "data:query": "Behaviours that retrieve data based on specified criteria.",
- "data:query:executesLdapQuery": "The entity queries an LDAP directory.",
- "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.",
- "data:query:executesSearch": "The entity performs full-text or indexed search.",
- "data:query:executesSql": "The entity runs a SQL statement.",
- "data:query:executesXPath": "The entity evaluates an XPath expression.",
- "data:query:queriesData": "The entity retrieves 
data matching criteria.",
- "data:storage": "Behaviours that persist and retrieve data from storage systems.",
- "data:storage:cachesData": "The entity stores data for quick retrieval.",
- "data:storage:deletesData": "The entity removes stored data.",
- "data:storage:flushesCache": "The entity writes cached data to persistent storage.",
- "data:storage:invalidatesCache": "The entity marks cached data as stale.",
- "data:storage:retrievesData": "The entity fetches stored data.",
- "data:storage:storesData": "The entity saves data persistently.",
- "data:storage:updatesData": "The entity modifies stored data.",
- "data:transformation": "Behaviours that convert data from one form or structure to another.",
- "data:transformation:aggregatesData": "The entity combines multiple values.",
- "data:transformation:compressesData": "The entity reduces data size.",
- "data:transformation:decompressesData": "The entity restores compressed data.",
- "data:transformation:encodesData": "The entity converts data to encoded form.",
- "data:transformation:enrichesData": "The entity adds information from external sources.",
- "data:transformation:filtersData": "The entity removes unwanted elements.",
- "data:transformation:joinsData": "The entity combines data from multiple sources.",
- "data:transformation:mapsData": "The entity converts between data structures.",
- "data:transformation:normalizesData": "The entity converts to standard form.",
- "data:transformation:sortsData": "The entity orders data elements.",
- "data:transformation:transformsData": "The entity converts data from one form to another.",
- "evasion": "Behaviours relating to techniques that avoid detection and analysis.",
- "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.",
- "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.",
- "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.",
- 
"evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.",
- "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.",
- "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.",
- "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.",
- "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.",
- "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.",
- "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.",
- "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.",
- "evasion:antiSecurity": "Behaviours that detect and disable security software.",
- "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.",
- "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.",
- "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.",
- "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.",
- "evasion:indirection": "Behaviours that use indirect methods to execute code.",
- "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.",
- "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.",
- "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.",
- "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.",
- "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.",
- "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.",
- "evasion:obfuscation:obfuscatesData": "The entity hides data structures.",
- "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.",
- "evasion:obfuscation:packsCode": "The 
entity compresses or encrypts executable.",
- "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.",
- "file": "Behaviours relating to file system operations and disk management.",
- "file:directory": "Behaviours that create and navigate directory structures.",
- "file:directory:changesDirectory": "The entity sets current working directory.",
- "file:directory:createsDirectory": "The entity creates a new directory.",
- "file:directory:deletesDirectory": "The entity removes a directory.",
- "file:directory:listsDirectory": "The entity enumerates directory contents.",
- "file:directory:traversesDirectory": "The entity recursively explores directories.",
- "file:disk": "Behaviours that manage storage volumes and disk-level operations.",
- "file:disk:decryptsVolume": "The entity decrypts a storage volume.",
- "file:disk:encryptsVolume": "The entity encrypts a storage volume.",
- "file:disk:formatsVolume": "The entity prepares storage for use.",
- "file:disk:mountsVolume": "The entity attaches a storage volume.",
- "file:disk:unmountsVolume": "The entity detaches a storage volume.",
- "file:disk:wipesDisk": "The entity securely erases disk contents.",
- "file:operations": "Behaviours that create and manipulate files.",
- "file:operations:appendsToFile": "The entity adds data to end of file.",
- "file:operations:checksFileExistence": "The entity verifies whether a file exists.",
- "file:operations:closesFile": "The entity releases file access.",
- "file:operations:copiesFile": "The entity duplicates a file.",
- "file:operations:createsFile": "The entity creates a new file.",
- "file:operations:deletesFile": "The entity removes a file.",
- "file:operations:getsFileAttributes": "The entity retrieves file metadata.",
- "file:operations:movesFile": "The entity relocates a file.",
- "file:operations:opensFile": "The entity prepares a file for access.",
- "file:operations:readsFile": "The entity retrieves file contents.",
- 
"file:operations:renamesFile": "The entity changes a file name.",
- "file:operations:setsFileAttributes": "The entity modifies file metadata.",
- "file:operations:setsFilePermissions": "The entity modifies file access permissions.",
- "file:operations:writesFile": "The entity modifies file contents.",
- "gui": "Behaviours relating to graphical user interface interactions.",
- "gui:display": "Behaviours that render and monitor visual output.",
- "gui:display:displaysData": "The entity renders information visually.",
- "gui:display:monitorsDisplay": "The entity observes displayed content.",
- "gui:display:updatesDisplay": "The entity refreshes visual presentation.",
- "gui:session": "Behaviours that interact with user login sessions.",
- "gui:session:displaysLogin": "The entity presents login interface.",
- "gui:session:interactsWithSession": "The entity operates within user session.",
- "gui:session:switchesSession": "The entity changes active user session.",
- "gui:window": "Behaviours that create and manipulate graphical windows.",
- "gui:window:capturesWindow": "The entity captures window contents.",
- "gui:window:createsWindow": "The entity creates a graphical window.",
- "gui:window:destroysWindow": "The entity closes a window.",
- "gui:window:enumeratesWindows": "The entity lists open windows.",
- "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.",
- "gui:window:modifiesWindow": "The entity changes window properties.",
- "hardware": "Behaviours relating to hardware components and physical device interactions.",
- "hardware:actuator": "Behaviours that control physical actuators and output devices.",
- "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.",
- "hardware:actuator:controlsBattery": "The entity manages battery charging.",
- "hardware:actuator:controlsHeating": "The entity manages heating element.",
- "hardware:actuator:controlsLed": "The entity manages LED indicator.",
- 
"hardware:actuator:controlsMotor": "The entity manages motor operation.",
- "hardware:actuator:controlsPower": "The entity manages power distribution.",
- "hardware:actuator:controlsPump": "The entity manages fluid pump.",
- "hardware:actuator:controlsTemperature": "The entity regulates temperature.",
- "hardware:boot": "Behaviours that verify and configure system startup processes.",
- "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.",
- "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.",
- "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.",
- "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.",
- "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.",
- "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.",
- "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.",
- "hardware:firmware": "Behaviours that manage and verify firmware integrity.",
- "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.",
- "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.",
- "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.",
- "hardware:firmware:updatesFirmware": "The entity applies firmware changes.",
- "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.",
- "hardware:memory": "Behaviours that protect and isolate memory regions.",
- "hardware:memory:encryptsMemory": "The entity protects memory contents.",
- "hardware:memory:isolatesMemory": "The entity separates memory regions.",
- "hardware:memory:protectsStack": "The entity defends against stack attacks.",
- "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.",
- "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.",
- 
"hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.",
- "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.",
- "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.",
- "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.",
- "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.",
- "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.",
- "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.",
- "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.",
- "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.",
- "hardware:peripheral:configuresDma": "The entity sets up direct memory access.",
- "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.",
- "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.",
- "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.",
- "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.",
- "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.",
- "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.",
- "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.",
- "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.",
- "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.",
- "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.",
- "hardware:security:executesInTee": "The entity runs in trusted execution environment.",
- "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.",
- 
"hardware:security:usesHsm": "The entity employs hardware security module.",
- "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.",
- "hardware:sensor": "Behaviours that read measurements from hardware sensors.",
- "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.",
- "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.",
- "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.",
- "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.",
- "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.",
- "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.",
- "hardware:sensor:readsPowerStatus": "The entity obtains power state.",
- "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.",
- "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.",
- "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.",
- "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.",
- "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.",
- "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.",
- "network": "Behaviours relating to network communication and data transmission between systems.",
- "network:connection": "Behaviours that establish and manage network connections.",
- "network:connection:acceptsConnection": "The entity receives an incoming connection.",
- "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.",
- "network:connection:establishesConnection": "The entity initiates a network connection.",
- "network:connection:reconnects": "The entity re-establishes a dropped connection.",
- "network:connection:reusesConnection": "The entity uses a pooled 
connection.",
- "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.",
- "network:connection:terminatesConnection": "The entity closes a network connection.",
- "network:discovery": "Behaviours that locate and advertise network services and resources.",
- "network:discovery:advertisesService": "The entity announces its availability.",
- "network:discovery:discoversService": "The entity locates an available service.",
- "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.",
- "network:discovery:probesPort": "The entity checks if a port is open.",
- "network:discovery:queriesDns": "The entity requests DNS resolution.",
- "network:discovery:resolvesName": "The entity translates a name to an address.",
- "network:discovery:scansNetwork": "The entity probes for active hosts or services.",
- "network:protocol": "Behaviours that negotiate and implement communication protocols.",
- "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.",
- "network:protocol:framesMessage": "The entity structures data for transmission.",
- "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.",
- "network:protocol:parsesMessage": "The entity interprets received network data.",
- "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.",
- "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.",
- "network:protocol:validatesMessage": "The entity verifies message format and integrity.",
- "network:remoteInteraction": "Behaviours that execute operations on remote systems.",
- "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.",
- "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.",
- "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.",
- 
"network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.",
- "network:remoteInteraction:sendsEmail": "The entity transmits an email message.",
- "network:remoteInteraction:sendsSms": "The entity transmits a text message.",
- "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.",
- "network:routing": "Behaviours that direct network traffic to its destination.",
- "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.",
- "network:routing:forwardsPacket": "The entity passes a packet toward its destination.",
- "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.",
- "network:routing:routesTraffic": "The entity directs network traffic to destinations.",
- "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.",
- "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.",
- "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.",
- "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.",
- "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.",
- "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.",
- "network:trafficControl:limitsRate": "The entity restricts traffic volume.",
- "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.",
- "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.",
- "network:transmission": "Behaviours that send and receive data over network connections.",
- "network:transmission:broadcastsData": "The entity sends data to multiple recipients.",
- "network:transmission:multicastsData": "The entity sends data to a group of recipients.",
- "network:transmission:receivesData": "The entity accepts data from the network.",
- 
"network:transmission:sendsData": "The entity transmits data over the network.",
- "network:transmission:streamsData": "The entity continuously transmits or receives data.",
- "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.",
- "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.",
- "privacy:collection:capturesAudio": "The entity records sound via microphone.",
- "privacy:collection:capturesKeystrokes": "The entity records keyboard input.",
- "privacy:collection:capturesScreen": "The entity records display contents.",
- "privacy:collection:capturesVideo": "The entity records images via camera.",
- "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.",
- "privacy:collection:collectsBiometricData": "The entity captures biometric information.",
- "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.",
- "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.",
- "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.",
- "privacy:collection:collectsHealthData": "The entity gathers protected health information.",
- "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.",
- "privacy:collection:collectsLocationData": "The entity gathers geographical position information.",
- "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.",
- "privacy:collection:collectsSilently": "The entity gathers data without user awareness.",
- "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.",
- "privacy:collection:readsClipboard": "The entity accesses clipboard contents.",
- "privacy:deletion": "Behaviours that remove or destroy personal data.",
- "privacy:deletion:clearsCache": "The entity 
removes data from temporary storage.", - "privacy:deletion:deletesPersonalData": "The entity removes personal data.", - "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", - "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.", - "privacy:deletion:redactsData": "The entity removes specific content from records.", - "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", - "privacy:inference:correlatesData": "The entity combines data from multiple sources.", - "privacy:inference:createsProfile": "The entity builds a profile from collected data.", - "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", - "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", - "privacy:inference:linksIdentities": "The entity associates data across contexts.", - "privacy:inference:tracksUser": "The entity follows user activity across sessions.", - "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", - "privacy:minimization:aggregatesData": "The entity combines records into summaries.", - "privacy:minimization:anonymizesData": "The entity removes identifying information.", - "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", - "privacy:minimization:generalizesData": "The entity reduces data precision.", - "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", - "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", - "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", - "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", - "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", - 
"privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", - "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", - "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.", - "privacy:retention": "Behaviours that store personal data over time.", - "privacy:retention:archivesData": "The entity moves data to long-term storage.", - "privacy:retention:backsUpData": "The entity creates copies for recovery.", - "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", - "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", - "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", - "privacy:retention:retainsInLog": "The entity keeps data in log files.", - "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", - "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", - "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", - "privacy:sharing:exportsData": "The entity outputs data in portable format.", - "privacy:sharing:publishesData": "The entity makes data publicly available.", - "privacy:sharing:sellsData": "The entity provides data in exchange for value.", - "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", - "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", - "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", - "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", - "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", - "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", - "privacy:subjectRights:honorsObjection": "The 
entity ceases processing upon objection.", - "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", - "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", - "privacy:transparency": "Behaviours that inform individuals about data processing activities.", - "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.", - "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.", - "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.", - "privacy:transparency:recordsConsent": "The entity stores consent decisions.", - "privacy:transparency:requestsConsent": "The entity asks for processing permission.", - "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.", - "safety": "Behaviours relating to the prevention of harm to users and the environment.", - "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.", - "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.", - "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.", - "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.", - "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.", - "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.", - "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.", - "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.", - "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.", - "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.", - "safety:contentSafety:filtersContent": "The 
entity blocks or restricts content.", - "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.", - "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.", - "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", - "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", - "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", - "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", - "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", - "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", - "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", - "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", - "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", - "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.", - "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", - "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", - "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", - "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", - "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", - "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", - "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", - "safety:operationalSafety:enforcesOperatingLimits": "The 
entity prevents operation outside safe bounds.", - "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", - "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", - "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", - "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", - "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", - "security:auditing:logsEvent": "The entity records an occurrence.", - "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", - "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", - "security:auditing:purgesLog": "The entity deletes old log records.", - "security:auditing:rotatesLog": "The entity archives and starts new log files.", - "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", - "security:auditing:timestampsEvent": "The entity records when an event occurred.", - "security:auditing:transmitsLog": "The entity sends log data to a remote destination.", - "security:authentication": "Behaviours that verify the identity of users and entities.", - "security:authentication:authenticatesDevice": "The entity confirms device identity.", - "security:authentication:authenticatesService": "The entity confirms service identity.", - "security:authentication:authenticatesUser": "The entity confirms user identity.", - "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", - "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", - "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", - "security:authentication:failsAuthentication": "The entity rejects 
invalid credentials.", - "security:authentication:locksAccount": "The entity prevents further authentication attempts.", - "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", - "security:authentication:promptsForCredentials": "The entity requests authentication information.", - "security:authentication:unlocksAccount": "The entity restores authentication capability.", - "security:authentication:validatesBiometric": "The entity verifies biometric data.", - "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", - "security:authorization": "Behaviours that determine and enforce access permissions.", - "security:authorization:checksPermission": "The entity verifies access rights.", - "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", - "security:authorization:deniesAccess": "The entity refuses a requested action.", - "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", - "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", - "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", - "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.", - "security:authorization:grantsAccess": "The entity permits a requested action.", - "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", - "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", - "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", - "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", - "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", - 
"security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", - "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.", - "security:cryptography:checksRevocation": "The entity queries certificate revocation status.", - "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", - "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.", - "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.", - "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.", - "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.", - "security:cryptography:destroysKey": "The entity securely erases a key.", - "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", - "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.", - "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.", - "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.", - "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.", - "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.", - "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.", - "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.", - "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.", - 
"security:cryptography:exchangesKey": "The entity shares a key with another party.", - "security:cryptography:generatesKey": "The entity creates a cryptographic key.", - "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.", - "security:cryptography:hashesData": "The entity generates a cryptographic hash.", - "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.", - "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.", - "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", - "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.", - "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.", - "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.", - "security:cryptography:retrievesKey": "The entity obtains a stored key.", - "security:cryptography:revokesCertificate": "The entity invalidates a certificate.", - "security:cryptography:rotatesKey": "The entity replaces a key with a new one.", - "security:cryptography:signsCode": "The entity applies a digital signature to executable code.", - "security:cryptography:signsData": "The entity creates a digital signature.", - "security:cryptography:signsDocument": "The entity applies a digital signature to a document.", - "security:cryptography:storesKey": "The entity saves a key securely.", - "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.", - "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.", - "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.", - 
"security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.", - "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.", - "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.", - "security:cryptography:verifiesHash": "The entity validates data against a hash.", - "security:cryptography:verifiesSignature": "The entity validates a digital signature.", - "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.", - "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.", - "security:errorHandling:catchesException": "The entity intercepts an error condition.", - "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.", - "security:errorHandling:failsClosed": "The entity denies access when controls fail.", - "security:errorHandling:failsOpen": "The entity permits access when controls fail.", - "security:errorHandling:generatesError": "The entity produces an error condition.", - "security:errorHandling:logsError": "The entity records an error condition.", - "security:errorHandling:propagatesError": "The entity passes an error to caller.", - "security:errorHandling:returnsGenericError": "The entity provides minimal error information.", - "security:errorHandling:suppressesError": "The entity hides an error condition.", - "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.", - "security:inputHandling:escapesInput": "The entity encodes special characters in input.", - "security:inputHandling:normalizesInput": "The entity converts input to standard form.", - "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.", - "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content 
from input.", - "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.", - "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.", - "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.", - "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.", - "security:integrity": "Behaviours that verify and protect the integrity of data and code.", - "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.", - "security:integrity:detectsTampering": "The entity identifies modification attempts.", - "security:integrity:respondsToTampering": "The entity reacts to detected tampering.", - "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.", - "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.", - "security:integrity:verifiesProvenance": "The entity confirms origin and history.", - "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.", - "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.", - "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.", - "security:outputHandling:escapesOutput": "The entity encodes special characters in output.", - "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.", - "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.", - "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.", - "security:session": "Behaviours that manage authenticated user sessions.", - "security:session:createsSession": "The entity establishes an authenticated session.", - "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.", 
- "security:session:invalidatesSession": "The entity revokes session validity.", - "security:session:refreshesSession": "The entity extends session lifetime.", - "security:session:regeneratesSessionId": "The entity creates a new session identifier.", - "security:session:terminatesSession": "The entity ends an authenticated session.", - "security:session:validatesSession": "The entity verifies session validity.", - "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.", - "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.", - "security:threatResponse:blocksSource": "The entity prevents further requests from a source.", - "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.", - "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.", - "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.", - "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.", - "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.", - "security:threatResponse:raisesAlert": "The entity notifies of a security event.", - "system": "Behaviours relating to operating system interactions and the management of computational resources.", - "system:configuration": "Behaviours that read and modify system configuration settings.", - "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.", - "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.", - "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.", - "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.", - "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.", - 
"system:configuration:readsRegistry": "The entity retrieves values from the system registry.", - "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.", - "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.", - "system:configuration:writesRegistry": "The entity stores values in the system registry.", - "system:informationGathering": "Behaviours that collect information about the host system and its configuration.", - "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.", - "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.", - "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.", - "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.", - "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.", - "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.", - "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.", - "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.", - "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.", - "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.", - "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.", - "system:lifecycle:decommissions": "The entity securely retires from service.", - "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.", - "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.", - "system:lifecycle:provisions": "The entity configures itself for deployment.", - "system:lifecycle:rollsBack": "The 
entity reverts to a previous known-good state.", - "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.", - "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.", - "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.", - "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.", - "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.", - "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.", - "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.", - "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.", - "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.", - "system:persistence:installsAsService": "The entity registers itself as a system service.", - "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.", - "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.", - "system:persistence:removesPersistence": "The entity removes its persistence mechanism.", - "system:processControl": "Behaviours that create and manipulate operating system processes.", - "system:processControl:createsProcess": "The entity starts a new process.", - "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.", - "system:processControl:enumeratesProcesses": "The entity lists running processes.", - "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.", - "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another 
process.", - "system:processControl:modifiesProcess": "The entity changes attributes of a running process.", - "system:processControl:resumesProcess": "The entity continues paused process execution.", - "system:processControl:suspendsProcess": "The entity pauses process execution.", - "system:processControl:terminatesProcess": "The entity ends a running process.", - "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.", - "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.", - "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.", - "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.", - "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.", - "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.", - "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.", - "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.", - "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.", - "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.", - "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.", - "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.", - "system:resourceManagement:resumesThread": "The entity continues paused thread execution.", - "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.", - "system:resourceManagement:suspendsThread": "The entity pauses thread execution.", - "system:resourceManagement:terminatesThread": "The entity 
ends an execution thread.", - "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", - "system:serviceControl": "Behaviours that manage system services and daemons.", - "system:serviceControl:createsService": "The entity installs a system service or daemon.", - "system:serviceControl:deletesService": "The entity removes a system service.", - "system:serviceControl:enumeratesServices": "The entity lists installed services.", - "system:serviceControl:modifiesService": "The entity changes service configuration.", - "system:serviceControl:startsService": "The entity initiates service execution.", - "system:serviceControl:stopsService": "The entity halts service execution.", - "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.", - "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.", - "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.", - "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.", - "system:synchronization:signalsSemaphore": "The entity releases a semaphore.", - "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.", - "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", - "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", - "system:timing:delaysExecution": "The entity postpones an operation.", - "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", - "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", - "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", - "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", - "system:timing:triggersTimeout": "The 
entity acts upon detecting an unresponsive condition.", - "system:timing:waits": "The entity pauses execution for a specified duration.", - "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", - "system:userManagement:createsUserAccount": "The entity adds a new user account.", - "system:userManagement:deletesUserAccount": "The entity removes a user account.", - "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", - "system:userManagement:enumeratesUsers": "The entity lists user accounts.", - "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", - "system:userManagement:modifiesUserAccount": "The entity changes user account properties." - } } } }, @@ -2563,13 +1069,14 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint" }, - "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis." + "description": "A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling." }, "blueprint": { "type": "object", "title": "Blueprint", - "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.", + "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.", "required": [ + "name", "modelTypes", "methodologies" ], 
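Review bot: The rewritten `blueprints` and `blueprint` descriptions in this hunk drop the concrete statement of what a blueprint contains (assets, flows, zones, boundaries, relationships) that the removed text carried, leaving "versatile, machine-readable model", which tells a schema reader nothing about the object's shape. Suggest keeping both halves, e.g. `"description": "A machine-readable model of a system's assets, flows, zones, boundaries, and relationships, supporting analytical activities from use case documentation and behavioural analysis to system-level threat and risk modelling."` for `blueprint`, with the `blueprints` text adjusted to match. The `required` list now names `name`, whose property definition lands in the following hunk; the `blueprint` definition itself continues past this hunk.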
@@ -2578,8 +1085,19 @@
 "bom-ref": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.",
+ "minLength": 1
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."
+ },
 "metadata": {
- "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"
 },
 "modelTypes": {
 "type": "array",
@@ -2594,7 +1112,6 @@
 "methodologies": {
 "type": "array",
 "title": "Methodologies",
- "minItems": 1,
 "uniqueItems": true,
 "description": "The modeling methodologies used",
 "items": {
@@ -2613,6 +1130,9 @@
 },
 "description": "The assets (components, services, data, actors) included in the model"
 },
+ "behaviors": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"
+ },
 "dataStores": {
 "type": "array",
 "title": "Data Stores",
@@ -2933,7 +1453,7 @@
 }
 ]
 },
- "blueprintMetadata": {
+ "metadata": {
 "type": "object",
 "title": "Blueprint Metadata",
 "description": "Metadata about the creation, review, and approval of the blueprint.",
@@ -7284,7 +5804,12 @@
 "type": "string",
 "title": "Name",
 "minLength": 1,
- "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes."
+ "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.",
+ "examples": [
+ "Customer PII Dataset",
+ "Transaction Logs",
+ "Employee Health Records"
+ ]
 },
 "description": {
 "type": "string",
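Review bot: Dropping `"minItems": 1` from `methodologies` in the `@@ -2594,7 +1112,6 @@` hunk while the key stays in the blueprint's `required` list (the preceding hunk keeps `"required": [ "name", "modelTypes", "methodologies" ]`) means `"methodologies": []` now validates, which is unlikely to be what requiring the key is meant to guarantee. Either restore `"minItems": 1,` or remove `methodologies` from `required` so optionality is expressed in one place; `modelTypes` may have the same tension, but its constraints sit outside this hunk. The `$ref` targets `#/$defs/...` suggest this is the bundled schema, so if it is generated the change belongs in the blueprint model schema it is built from.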
@@ -7298,14 +5823,16 @@
 "confidential",
 "internal",
 "public",
- "restricted"
+ "restricted",
+ "classified"
 ],
- "description": "Data sensitivity classification",
+ "description": "Data sensitivity classification.",
 "meta:enum": {
 "confidential": "Confidential information requiring protection",
 "internal": "Internal use only within the organization",
 "public": "Public information that can be freely shared",
- "restricted": "Highly restricted information with limited access and special protection measures"
+ "restricted": "Highly restricted information with limited access and special protection measures",
+ "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations"
 }
 },
 "classification": {
@@ -7377,6 +5904,73 @@
 }
 ]
 },
+ "subjects": {
+ "type": "array",
+ "title": "Subjects",
+ "description": "The entities, groups, categories, or things that the data is about or pertains to. Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/subject"
+ },
+ "examples": [
+ [
+ {
+ "name": "EU Residents",
+ "type": "group",
+ "protectedClass": false,
+ "jurisdictions": [
+ "DE",
+ "FR",
+ "IT"
+ ],
+ "regulations": [
+ "GDPR"
+ ]
+ },
+ {
+ "name": "Pediatric Patients",
+ "type": "group",
+ "protectedClass": true,
+ "jurisdictions": [
+ "US"
+ ],
+ "regulations": [
+ "HIPAA",
+ "COPPA"
+ ]
+ }
+ ]
+ ]
+ },
+ "purposes": {
+ "type": "array",
+ "title": "Purposes",
+ "description": "The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/purpose"
+ },
+ "examples": [
+ [
+ {
+ "name": "Service Delivery",
+ "legalBasis": "contract"
+ },
+ {
+ "name": "Fraud Prevention",
+ "legalBasis": "legitimate interest"
+ }
+ ]
+ ]
+ },
+ "jurisdictions": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/jurisdictions",
+ "description": "The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."
+ },
+ "regulations": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/regulations",
+ "description": "The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about."
+ },
 "dataFormats": {
 "type": "array",
 "title": "Data Formats",
@@ -7384,7 +5978,14 @@
 "items": {
 "type": "string"
 },
- "description": "Format of data"
+ "description": "The formats in which the data is stored or transmitted.",
+ "examples": [
+ [
+ "JSON",
+ "CSV",
+ "Parquet"
+ ]
+ ]
 },
 "dataTypes": {
 "type": "array",
@@ -7393,7 +5994,14 @@
 "items": {
 "type": "string"
 },
- "description": "Specific types of data"
+ "description": "The specific types of data elements contained within this dataset.",
+ "examples": [
+ [
+ "email address",
+ "date of birth",
+ "IP address"
+ ]
+ ]
 },
 "schema": {
 "type": "array",
@@ -7403,7 +6011,12 @@
 "type": "string",
 "format": "uri"
 },
- "description": "Reference to schema contracts or documents describing the data structure."
+ "description": "References to schema contracts or documents describing the data structure.",
+ "examples": [
+ [
+ "https://example.com/schemas/customer-v2.json"
+ ]
+ ]
 },
 "access": {
 "type": "array",
@@ -7473,6 +6086,191 @@
 }
 }
 },
+ "subject": {
+ "type": "object",
+ "title": "Subject",
+ "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.",
+ "required": [
+ "name",
+ "type"
+ ],
+ "additionalProperties": false,
+ "examples": [
+ {
+ "name": "EU Residents",
+ "type": "group",
+ "protectedClass": false,
+ "jurisdictions": [
+ "DE",
+ "FR"
+ ],
+ "regulations": [
+ "GDPR"
+ ]
+ },
+ {
+ "name": "Pediatric Patients",
+ "type": "group",
+ "protectedClass": true,
+ "jurisdictions": [
+ "US"
+ ],
+ "regulations": [
+ "HIPAA",
+ "COPPA"
+ ]
+ },
+ {
+ "name": "GPT-4 Model",
+ "type": "technology",
+ "protectedClass": false
+ }
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.",
+ "minLength": 1,
+ "examples": [
+ "EU Residents",
+ "Pediatric Patients",
+ "Fleet Vehicles"
+ ]
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.",
+ "minLength": 1,
+ "examples": [
+ "individual",
+ "group",
+ "technology"
+ ]
+ },
+ "protectedClass": {
+ "type": "boolean",
+ "title": "Protected Class",
+ "description": "Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."
+ },
+ "jurisdictions": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/jurisdictions",
+ "description": "The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."
+ },
+ "regulations": {
+ "$ref": "#/$defs/cyclonedx-data-2.0/$defs/regulations",
+ "description": "The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
+ "jurisdictions": {
+ "type": "array",
+ "title": "Jurisdictions",
+ "description": "The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 2,
+ "examples": [
+ "US",
+ "GB",
+ "US-CA"
+ ]
+ },
+ "examples": [
+ [
+ "US",
+ "GB",
+ "DE"
+ ]
+ ]
+ },
+ "regulations": {
+ "type": "array",
+ "title": "Regulations",
+ "description": "The specific laws, regulations, or compliance frameworks that apply.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "GDPR",
+ "HIPAA",
+ "PCI-DSS"
+ ]
+ },
+ "examples": [
+ [
+ "GDPR",
+ "CCPA",
+ "PCI-DSS"
+ ]
+ ]
+ },
+ "purpose": {
+ "type": "object",
+ "title": "Purpose",
+ "description": "The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "examples": [
+ {
+ "name": "Service Delivery",
+ "legalBasis": "contract"
+ },
+ {
+ "name": "Fraud Prevention",
+ "legalBasis": "legitimate interest"
+ },
+ {
+ "name": "Marketing Analytics",
+ "legalBasis": "consent"
+ }
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the purpose for which data is collected or processed.",
+ "minLength": 1,
+ "examples": [
+ "Service Delivery",
+ "Fraud Prevention",
+ "Marketing Analytics"
+ ]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."
+ },
+ "legalBasis": {
+ "type": "string",
+ "title": "Legal Basis",
+ "description": "The legal basis under applicable law that authorises data collection or processing for this purpose. Use terminology consistent with the applicable jurisdiction and regulation.",
+ "minLength": 1,
+ "examples": [
+ "consent",
+ "contract",
+ "legitimate interest"
+ ]
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ },
 "dataClassification": {
 "type": "string",
 "title": "Data Classification",
From f730ce0697ee1d81a1cb7aeeaba89d880aee5d9e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 26 Mar 2026 23:29:30 -0500 Subject: [PATCH 20/44] Updated to use cases and requirements - moving them to definitions Signed-off-by: Steve Springett
--- .../cyclonedx-definition-2.0.schema.json | 6 +++++ .../cyclonedx-requirement-2.0.schema.json | 24 +++++++++---------- .../model/cyclonedx-usecase-2.0.schema.json | 9 +++++++ 3 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/schema/2.0/model/cyclonedx-definition-2.0.schema.json b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
index e4c29ac1b..3b4e595f3 100644
--- a/schema/2.0/model/cyclonedx-definition-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
@@ -16,6 +16,12 @@
 },
 "patents": {
 "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patents"
+ },
+ "useCases": {
+ "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCases"
+ },
+ "requirements": {
+ "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirements"
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
index bee371df5..ccfdcb55d 100644
--- a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
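Review bot: The `jurisdictions` item schema in the `@@ -7473,6 +6086,191 @@` hunk documents ISO 3166-1 alpha-2 / ISO 3166-2 codes but enforces only `"minLength": 2`, so values like `"Europe"` or lowercase `"us"` validate and tooling that maps jurisdictions to regulatory obligations cannot rely on the field. A `"pattern": "^[A-Z]{2}(-[A-Z0-9]{1,3})?$"` beside `minLength` would pin the documented format, since ISO 3166-2 subdivision parts are one to three alphanumerics. Separately, `protectedClass` has no stated meaning when absent, so a consumer cannot tell "not a protected class" from "not assessed"; either add `"default": false` or append to its description `Absence of this property means the protected-class status has not been assessed.`, whichever is intended. The `#/$defs/...` refs suggest this is the bundled schema; if it is generated, the change belongs in the data model schema it is built from.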
@@ -5,6 +5,15 @@
 "title": "CycloneDX Engineering Requirement Model",
 "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/requirement"
+ },
+ "description": "A collection of requirements representing specific needs, constraints, or capabilities that must be met."
+ },
 "requirement": {
 "type": "object",
 "title": "Requirement",
@@ -121,20 +130,11 @@
 }
 },
 "properties": {
- "type": "array",
- "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
- "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property"
- }
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
 },
 "externalReferences": {
- "type": "array",
- "title": "External References",
- "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.",
- "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
- }
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ }
 }
 }
 },
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
index f54e09196..d1d35303f 100644
--- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
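Review bot: The new side of the `@@ -121,20 +130,11 @@` hunk adds `+ }` after the `externalReferences` `$ref` and then keeps the three original closing lines, so the `properties` object is closed one level too early and the file no longer parses as strict JSON; the following commit in this series removes that brace. The swap to `$ref` also drops the requirement-specific wording of `externalReferences`, and draft 2020-12 permits `description` beside `$ref`, so the sentence can be kept as `"description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement."` next to the `$ref` line. The new `requirements` collection in the first hunk has no `minItems`, which is fine as long as an empty array is an acceptable value for `definitions.requirements`.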
@@ -97,6 +97,15 @@
 },
 "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."
 },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "description": "References to the requirements that are implemented, validated, or addressed by this use case"
+ },
 "notes": {
 "type": "array",
 "title": "Notes",
From 935364b4b3a476025b344538a9c60185d0ead5a5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 26 Mar 2026 23:31:14 -0500 Subject: [PATCH 21/44] correted json syntax Signed-off-by: Steve Springett
--- schema/2.0/model/cyclonedx-requirement-2.0.schema.json | 1 - 1 file changed, 1 deletion(-)
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
index ccfdcb55d..a67c46649 100644
--- a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
@@ -135,7 +135,6 @@
 "externalReferences": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
 }
- }
 }
 },
 "requirementType": {
From 27282d303a80f5a97e6d80b6745712c566037b61 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 27 Mar 2026 04:31:38 +0000 Subject: [PATCH 22/44] chore: update bundled schemas [skip ci]
--- .../2.0/cyclonedx-2.0-bundled.min.schema.json | 2 +- schema/2.0/cyclonedx-2.0-bundled.schema.json | 38 +++++++++++++------ 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index 6c0d4257a..2a751d9fd 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
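Review bot: The `requirements` items in the `@@ -97,6 +97,15 @@` hunk use `refType`, which elsewhere on this page is the type used to declare a `bom-ref` (the blueprint's `bom-ref` property), whereas the bundled schema's dataset `ref` uses `refLinkType` when pointing at an existing element. If the common schema keeps that distinction, `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"` is the right target for a reference. Nothing in the schema ties the referenced `bom-ref` to an entry in `definitions.requirements`, so consumers must verify the link resolves to a requirement rather than an arbitrary element; stating that in the description, and ending it with a period like the neighbouring `description`, would help: `"description": "References (by bom-ref) to requirements in definitions.requirements that are implemented, validated, or addressed by this use case."`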
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed (see the `signature` property)."},"annotation":{"type":"object","title":"Annotation","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"Each object being annotated, identified either by its bom-ref within this BOM or by a BOM-Link element reference. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","$defs":{"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational 
patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution 
semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior 
flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."},"blueprint":{"type":"object","title":"Blueprint","description":"A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk 
modelling.","required":["name","modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.","minLength":1},"description":{"type":"string","title":"Description","description":"A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or 
trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, 
and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type 
name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling 
Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"metadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the 
blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly). Only date components are accepted (years, months, weeks, days, in that order); time components (PT...) are not permitted by the pattern."}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger 
system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models 
supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only 
streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the 
modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset 
resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or 
boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and 
constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and 
why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering 
hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the 
purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption 
has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content (source code or base64 encoded 
image)"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram 
(DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization 
format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or 
protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the 
BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or 
\"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.","examples":["Customer PII Dataset","Transaction Logs","Employee Health Records"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted","classified"],"description":"Data sensitivity classification.","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures","classified":"Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined 
Classification","description":"A predefined data classification from the enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"subjects":{"type":"array","title":"Subjects","description":"The entities, groups, categories, or things that the data is about or pertains to. 
Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/subject"},"examples":[[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR","IT"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]}]]},"purposes":{"type":"array","title":"Purposes","description":"The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/purpose"},"examples":[[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"}]]},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply to this data based on its nature, classification, or processing context. 
See also subject.regulations for regulations that apply because of who the data is about."},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"The formats in which the data is stored or transmitted.","examples":[["JSON","CSV","Parquet"]]},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"The specific types of data elements contained within this dataset.","examples":[["email address","date of birth","IP address"]]},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"References to schema contracts or documents describing the data structure.","examples":[["https://example.com/schemas/customer-v2.json"]]},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement 
objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"subject":{"type":"object","title":"Subject","description":"An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.","required":["name","type"],"additionalProperties":false,"examples":[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]},{"name":"GPT-4 Model","type":"technology","protectedClass":false}],"properties":{"name":{"type":"string","title":"Name","description":"The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.","minLength":1,"examples":["EU Residents","Pediatric Patients","Fleet Vehicles"]},"type":{"type":"string","title":"Type","description":"A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.","minLength":1,"examples":["individual","group","technology"]},"protectedClass":{"type":"boolean","title":"Protected Class","description":"Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply specifically because of this subject. 
See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."},"description":{"type":"string","title":"Description","description":"A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"jurisdictions":{"type":"array","title":"Jurisdictions","description":"The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.","uniqueItems":true,"items":{"type":"string","minLength":2,"examples":["US","GB","US-CA"]},"examples":[["US","GB","DE"]]},"regulations":{"type":"array","title":"Regulations","description":"The specific laws, regulations, or compliance frameworks that apply.","uniqueItems":true,"items":{"type":"string","minLength":1,"examples":["GDPR","HIPAA","PCI-DSS"]},"examples":[["GDPR","CCPA","PCI-DSS"]]},"purpose":{"type":"object","title":"Purpose","description":"The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). 
Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.","required":["name"],"additionalProperties":false,"examples":[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"},{"name":"Marketing Analytics","legalBasis":"consent"}],"properties":{"name":{"type":"string","title":"Name","description":"The name of the purpose for which data is collected or processed.","minLength":1,"examples":["Service Delivery","Fraud Prevention","Marketing Analytics"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."},"legalBasis":{"type":"string","title":"Legal Basis","description":"The legal basis under applicable law that authorises data collection or processing for this purpose. 
Use terminology consistent with the applicable jurisdiction and regulation.","minLength":1,"examples":["consent","contract","legitimate interest"]},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified 
risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based 
on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the 
scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation 
supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for 
this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. 
Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-90% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to the scenarios this mitigation addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to the assets that implement this mitigation"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Service Data","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Minimal technical skills; relies on publicly available tools and scripts","intermediate":"Intermediate technical skills","advanced":"Advanced technical skills, typical of an advanced persistent threat (APT)","expert":"Expert technical skills comparable to nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID as a bare integer (e.g., 79 for CWE-79)"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness; a theme for the related class, base, and variant weaknesses","class":"Weakness described in very abstract terms, independent of any specific language or technology","base":"Weakness still mostly independent of a resource or technology, but detailed enough to provide specific methods for detection and prevention","variant":"Weakness specific to a particular resource, technology, or language","compound":"Combination of two or more weaknesses (a composite or a chain)"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary 
information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this 
alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat 
source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. 
This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning 
techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the 
model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","$defs":{"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational 
patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution 
semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior 
flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."},"blueprint":{"type":"object","title":"Blueprint","description":"A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk 
modelling.","required":["name","modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.","minLength":1},"description":{"type":"string","title":"Description","description":"A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or 
trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, 
and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type 
name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling 
Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"metadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the 
blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly 
excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger 
system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models 
supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only 
streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the 
modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset 
resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or 
boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and 
constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and 
why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering 
hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the 
purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption 
has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content (source code or base64 encoded 
image)"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram 
(DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization 
format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or 
protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the 
BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or 
\"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value. MD5 and SHA-1 are retained for interoperability with existing ecosystems only; neither is collision-resistant, so they SHOULD NOT be relied upon on their own for integrity or authenticity verification. Prefer SHA-256 or stronger when producing hashes.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The hexadecimal value of the hash. Its length must correspond to the digest size of the algorithm named in `alg`; the pattern only restricts the value to one of the supported digest lengths and does not verify that pairing, so consumers should check length against `alg` before using the hash for verification.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. When `encoding` is `base64`, the value is expected to be Base64-encoded binary; this schema does not enforce that (the `base64` definition is not applied to this field), so consumers must validate the encoding and bound the decoded size before decoding. Attachment content originates from the BOM producer and must be treated as untrusted: proactive controls such as input validation and sanitization should be employed before it is rendered, parsed, or otherwise processed, to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs. Because the scheme is not constrained by this schema, tools that dereference external references should treat the value as untrusted input and restrict retrieval to an allow-list of schemes and destinations; the schema validates URI syntax only, not that the target is safe to fetch. Where `hashes` are supplied, retrieved content should be verified against them before use."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name. It carries no cryptographic binding to the signed content and therefore provides no verifiable assurance of authenticity or integrity.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity and integrity verification when validated against a key the verifier trusts. The external reference only locates the signature; establishing trust in the signing key is the verifier's responsibility.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).\n\nStructured (object) extension values must declare, in `$schema`, the schema they conform to. This schema only checks that `$schema` is a URI; it does not resolve it. Consumers that validate extensions against the declared schema should resolve `$schema` from a local or allow-listed registry rather than fetching an arbitrary URI supplied by the BOM, since the BOM may originate from an untrusted party.","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URLs for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Identifies who performed an action (by name and/or email address) and when it occurred; used for the author and committer of a commit. The identity fields are recorded as supplied and are not authenticated by this schema, so they should not be treated as proof of identity on their own.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp at which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.","examples":["Customer PII Dataset","Transaction Logs","Employee Health Records"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted","classified"],"description":"Data sensitivity classification.","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures","classified":"Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined 
Classification","description":"A predefined data classification from the enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"subjects":{"type":"array","title":"Subjects","description":"The entities, groups, categories, or things that the data is about or pertains to. 
Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/subject"},"examples":[[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR","IT"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]}]]},"purposes":{"type":"array","title":"Purposes","description":"The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/purpose"},"examples":[[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"}]]},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply to this data based on its nature, classification, or processing context. 
See also subject.regulations for regulations that apply because of who the data is about."},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"The formats in which the data is stored or transmitted.","examples":[["JSON","CSV","Parquet"]]},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"The specific types of data elements contained within this dataset.","examples":[["email address","date of birth","IP address"]]},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"References to schema contracts or documents describing the data structure.","examples":[["https://example.com/schemas/customer-v2.json"]]},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement 
objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"subject":{"type":"object","title":"Subject","description":"An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.","required":["name","type"],"additionalProperties":false,"examples":[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]},{"name":"GPT-4 Model","type":"technology","protectedClass":false}],"properties":{"name":{"type":"string","title":"Name","description":"The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.","minLength":1,"examples":["EU Residents","Pediatric Patients","Fleet Vehicles"]},"type":{"type":"string","title":"Type","description":"A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.","minLength":1,"examples":["individual","group","technology"]},"protectedClass":{"type":"boolean","title":"Protected Class","description":"Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply specifically because of this subject. 
See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."},"description":{"type":"string","title":"Description","description":"A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"jurisdictions":{"type":"array","title":"Jurisdictions","description":"The geographic or political jurisdictions whose laws and regulations apply. Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.","uniqueItems":true,"items":{"type":"string","minLength":2,"examples":["US","GB","US-CA"]},"examples":[["US","GB","DE"]]},"regulations":{"type":"array","title":"Regulations","description":"The specific laws, regulations, or compliance frameworks that apply.","uniqueItems":true,"items":{"type":"string","minLength":1,"examples":["GDPR","HIPAA","PCI-DSS"]},"examples":[["GDPR","CCPA","PCI-DSS"]]},"purpose":{"type":"object","title":"Purpose","description":"The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). 
Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.","required":["name"],"additionalProperties":false,"examples":[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"},{"name":"Marketing Analytics","legalBasis":"consent"}],"properties":{"name":{"type":"string","title":"Name","description":"The name of the purpose for which data is collected or processed.","minLength":1,"examples":["Service Delivery","Fraud Prevention","Marketing Analytics"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."},"legalBasis":{"type":"string","title":"Legal Basis","description":"The legal basis under applicable law that authorises data collection or processing for this purpose. 
Use terminology consistent with the applicable jurisdiction and regulation.","minLength":1,"examples":["consent","contract","legitimate interest"]},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"},"useCases":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCases"},"requirements":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirements"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"A collection of requirements representing specific needs, constraints, or capabilities that must be met."},"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance 
Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring 
inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified 
conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency 
relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security 
risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended 
purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected 
assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk 
addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% 
probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-90% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this plan addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this plan"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder 
sign-off."},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest 
Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability 
Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json index 74ac6881e..346fe1bfd 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json @@ -6817,6 +6817,12 @@ }, "patents": { "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + }, + "useCases": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCases" + }, + "requirements": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirements" } } } 
@@ -8709,6 +8715,15 @@
 "type": "null",
 "title": "CycloneDX Engineering Requirement Model",
 "$defs": {
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement"
+ },
+ "description": "A collection of requirements representing specific needs, constraints, or capabilities that must be met."
+ },
 "requirement": {
 "type": "object",
 "title": "Requirement",
@@ -8825,20 +8840,10 @@
 }
 },
 "properties": {
- "type": "array",
- "title": "Properties",
- "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property"
- }
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 },
 "externalReferences": {
- "type": "array",
- "title": "External References",
- "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
- }
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
 }
 }
 },
@@ -11489,6 +11494,15 @@
 },
 "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."
 },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to the requirements that are implemented, validated, or addressed by this use case"
+ },
 "notes": {
 "type": "array",
 "title": "Notes",
From 54d16af5acbbb2c8cbc10650b1a13ea039aff512 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Thu, 7 May 2026 12:50:03 -0500
Subject: [PATCH 23/44] Added mockups
Signed-off-by: Steve Springett --- .../prototypes/behavior-mockup-evidence.json | 119 ++++++++++++++++++ .../2.0/prototypes/behavior-mockup.json | 109 ++++++++++++++++ 2 files changed, 228 insertions(+) create mode 100644 tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json create mode 100644 tools/src/test/resources/2.0/prototypes/behavior-mockup.json diff --git a/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json b/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json new file mode 100644 index 000000000..a66beb174 --- /dev/null +++ b/tools/src/test/resources/2.0/prototypes/behavior-mockup-evidence.json 
@@ -0,0 +1,119 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-pth-payload",
+ "name": "Pass-the-Hash Payload Behavioral Blueprint",
+ "modelTypes": [
+ { "type": "behavioral" }
+ ],
+ "methodologies": [
+ { "type": "MITRE-ATTACK" }
+ ],
+ "behaviors": {
+ "instances": [
+ {
+ "bom-ref": "b-startup-exec",
+ "behavior": "system:persistence:registersForStartup",
+ "trigger": "startup",
+ "evidence": {
+ "bom-ref": "evidence-1",
+ "confidence": 0.95,
+ "description": "Persistence registration via Run key write observed in unpacked binary.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.95,
+ "value": "Import of advapi32!RegSetValueExW resolving to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run at 0x00401a20.",
+ "tools": [{ "ref": "karambit" }],
+ "externalReferences": {
+ "type": "formulation",
+ "url": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#my-workflow"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-decode",
+ "behavior": "evasion:obfuscation:obfuscatesStrings",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.9,
+ "description": "Stack-built XOR-decoded strings resolved at runtime.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.9,
+ "value": "XOR decode loop at 0x00403110 with key 0x5A resolving C2 hostnames and API names prior to use."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-credential-collect",
+ "behavior": "privacy:collection:collectsPersonalData",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.92,
+ "description": "LSASS memory access to harvest NTLM hashes.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.92,
+ "value": "OpenProcess on lsass.exe with PROCESS_VM_READ followed by MiniDumpWriteDump observed at 0x004044c0."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ },
+ {
+ "bom-ref": "b-exfil",
+ "behavior": "network:transmission:sendsData",
+ "trigger": "startup",
+ "evidence": {
+ "confidence": 0.88,
+ "description": "HTTPS POST of collected artifacts to external C2 endpoint.",
+ "methods": [
+ {
+ "technique": "binary-analysis",
+ "confidence": 0.88,
+ "value": "WinHttpOpen/WinHttpConnect/WinHttpSendRequest chain at 0x00405e80 posting to 185.x.x.x/gate.php."
+ }
+ ],
+ "tools": [
+ { "ref": "karambit" }
+ ]
+ }
+ }
+ ],
+ "flows": [
+ {
+ "bom-ref": "flow-pth-payload",
+ "trigger": "startup",
+ "acknowledgment": ["observed"],
+ "evidence": {
+ "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#evidence-1"
+ },
+ "ordering": "unordered",
+ "steps": [
+ { "ordinal": 1, "ref": "b-startup-exec" },
+ { "ordinal": 2, "ref": "b-decode" },
+ { "ordinal": 3, "ref": "b-credential-collect" },
+ { "ordinal": 4, "ref": "b-exfil" }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/prototypes/behavior-mockup.json b/tools/src/test/resources/2.0/prototypes/behavior-mockup.json
new file mode 100644
index 000000000..8638870a1
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/behavior-mockup.json
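Review bot: The four `evidence` objects in this fixture do not share one shape: on `b-startup-exec` the `tools` array and an `externalReferences` object sit inside the `methods[0]` entry, while on the other three instances `tools` is a sibling of `methods` and `externalReferences` is absent, so whichever placement the evidence schema defines, the other instances fail validation and the fixture cannot serve as a positive test. `externalReferences` is also written as a single object here, whereas the requirement schema in the hunk above defines that key as an array, so it presumably should read `"externalReferences": [ { "type": "formulation", "url": "…" } ]`. `"ordering": "unordered"` on `flow-pth-payload` contradicts both the `ordinal` values 1–4 on its steps and the `"sequential"` used for the same flow in behavior-mockup.json; a persistence → decode → collect → exfiltration chain is inherently ordered and detection logic built on the flow would key on that order. `b-credential-collect` pairs `"behavior": "privacy:collection:collectsPersonalData"` with a description of NTLM hash harvesting from LSASS, which is credential access rather than personal-data collection; if the behavior vocabulary has a credential-access category it belongs there, otherwise the mismatch should be explained in the fixture so nobody copies it as a classification example. The C2 value `185.x.x.x/gate.php` is neither a valid address nor obviously synthetic; a documentation range address such as `192.0.2.10` (RFC 5737) keeps the fixture from being mistaken for a real indicator.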
@@ -0,0 +1,109 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-pth-payload",
+ "name": "Pass-the-Hash Payload Behavioral Blueprint",
+ "modelTypes": [
+ { "type": "behavioral" }
+ ],
+ "methodologies": [
+ { "type": "MITRE-ATTACK" }
+ ],
+ "behaviors": {
+ "instances": [
+ {
+ "bom-ref": "b-startup-exec",
+ "behavior": "system:persistence:registersForStartup",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-decode",
+ "behavior": "evasion:obfuscation:obfuscatesStrings",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-credential-collect",
+ "behavior": "privacy:collection:collectsPersonalData",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ },
+ {
+ "bom-ref": "b-exfil",
+ "behavior": "network:transmission:sendsData",
+ "acknowledgment": ["observed"],
+ "trigger": "startup"
+ }
+ ],
+ "flows": [
+ {
+ "bom-ref": "flow-pth-payload",
+ "trigger": "startup",
+ "acknowledgment": ["observed"],
+ "ordering": "sequential",
+ "steps": [
+ { "ordinal": 1, "ref": "b-startup-exec" },
+ { "ordinal": 2, "ref": "b-decode" },
+ { "ordinal": 3, "ref": "b-credential-collect" },
+ { "ordinal": 4, "ref": "b-exfil" }
+ ]
+ }
+ ],
+
+ "workflows": [
+ {
+ "bom-ref": "workflow-pth-payload",
+ "name": "Pass-the-Hash Payload Workflow",
+ "trigger": {
+ "type": "startup"
+ },
+ "tasks": [
+ {
+ "b-ref": "b-startup-exec",
+ "timeStart": "2026-01-01T00:00:00Z"
+ },
+ {
+ "b-ref": "b-decode",
+ "timeStart": "2026-01-01T00:10:00Z"
+ },
+ {
+ "b-ref": "b-credential-collect",
+ "timeStart": "2026-01-01T00:12:00Z"
+ },
+ {
+ "b-ref": "b-exfil",
+ "timeStart": "2026-01-01T00:13:00Z"
+ }
+ ],
+ "taskDependencies": [
+ {
+ "ref": "b-startup-exec",
+ "dependsOn": []
+ },
+ {
+ "ref": "b-decode",
+ "dependsOn": [
"b-startup-exec" ]
+ },
+ {
+ "ref": "b-credential-collect",
+ "dependsOn": [ "b-decode" ]
+ },
+ {
+ "ref": "b-exfil",
+ "dependsOn": [ "b-credential-collect" ]
+ }
+ ]
+ }
+ ]
+
+
+ }
+ }
+ ]
+}
From 21ca15a0470b3fedfa1ec04e596b870a9ab49f7b Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Wed, 27 May 2026 16:09:01 -0500
Subject: [PATCH 24/44] Major updates to threatmodeling and bluepring schemas and their related schemas. Supersedes and closes #777.
Signed-off-by: Steve Springett
---
 schema/2.0/cyclonedx-2.0.schema.json | 3 +
 .../model/cyclonedx-blueprint-2.0.schema.json | 828 ++++++++++--------
 .../model/cyclonedx-component-2.0.schema.json | 8 +
 .../2.0/model/cyclonedx-data-2.0.schema.json | 721 +++++++++++----
 .../model/cyclonedx-profile-2.0.schema.json | 20 +
 .../cyclonedx-requirement-2.0.schema.json | 66 +-
 .../2.0/model/cyclonedx-risk-2.0.schema.json | 244 ++++--
 .../model/cyclonedx-threat-2.0.schema.json | 273 ++++--
 .../model/cyclonedx-usecase-2.0.schema.json | 99 ++-
 9 files changed, 1581 insertions(+), 681 deletions(-)
 create mode 100644 schema/2.0/model/cyclonedx-profile-2.0.schema.json
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
index 548d0fca1..bcd14808c 100644
--- a/schema/2.0/cyclonedx-2.0.schema.json
+++ b/schema/2.0/cyclonedx-2.0.schema.json
@@ -79,6 +79,9 @@
 "blueprints": {
 "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints"
 },
+ "profiles": {
+ "$ref": "model/cyclonedx-profile-2.0.schema.json#/$defs/profiles"
+ },
 "citations": {
 "$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations"
 },
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
index 3292274a9..b2abd7ca2 100644
--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
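Review bot: The workflow `tasks` entries identify their behavior with a `b-ref` key while `taskDependencies` and the flow `steps` use `ref`; `b-ref` looks like a typo for `ref` (or `bom-ref`), and a consumer that keys tasks on `ref` will see four tasks with no identity and cannot join them to `taskDependencies`. `trigger` also changes type across the document — a string (`"trigger": "startup"`) on every instance and flow but an object (`"trigger": { "type": "startup" }`) on the workflow — so the key cannot be handled uniformly; whichever form the schema defines should be used throughout. This fixture and behavior-mockup-evidence.json carry the same `serialNumber` (`urn:uuid:3e671687-…`) and `"version": 1` with different content, so if both are loaded into one resolver they are indistinguishable and the evidence file's bom-link `urn:cdx:3e671687-…/1#evidence-1` becomes ambiguous; give one of them a distinct UUID or a higher `version`. The two empty `+` lines before the closing braces are stray whitespace.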
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Blueprint Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "blueprints": {
 "type": "array",
@@ -18,7 +18,11 @@
 "type": "object",
 "title": "Blueprint",
 "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.",
- "required": ["name", "modelTypes", "methodologies"],
+ "required": [
+ "name",
+ "modelTypes",
+ "methodologies"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -150,42 +154,40 @@ "uniqueItems": true, "items": { "type": "object", - "allOf": [ - { - "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCase" + "properties": { + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Use Case Reference", + "description": "A reference to a use case object defined in definitions." + }, + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case." }, - { - "properties": { - "assets": { - "type": "array", - "title": "Assets", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to the blueprint assets that are involved in or exercised by this use case" - }, - "flows": { - "type": "array", - "title": "Flows", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "References to the requirements that are implemented, validated, or addressed by this use case" - } - } + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case." 
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."
 }
- ]
+ }
 },
 "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."
 },
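Review bot: The rebuilt `useCases` item object (from `"items": { "type": "object"` at the top of this hunk, on the previous line) declares `properties` but neither `required` nor `"additionalProperties": false`, so an empty `{}` and an entry with a misspelled key such as `"asset": [...]` both validate, whereas the `allOf` it replaces at least inherited the use case definition's own constraints. The other object definitions visible in this diff all close themselves with `"additionalProperties": false` and list `required`, so add `"required": ["ref"]` and `"additionalProperties": false` beside `"type": "object"`. The enclosing `useCases` property begins before the hunk.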
@@ -205,172 +207,157 @@ } }, "modelType": { - "type": "object", "title": "Model Type", - "description": "The type of model being represented, either a predefined type or a custom named type.", + "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration.", "oneOf": [ { + "type": "string", "title": "Predefined Model Type", - "description": "A model type selected from a predefined set of well-known modelling categories.", - "required": ["type"], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Pre-Defined Model Type", - "enum": [ - "architecture", - "behavioral", - "conceptual", - "dataFlow", - "deployment", - "logical", - "network", - "operational", - "physical", - "privacy", - "process", - "risk", - "structural", - "threat" - ], - "meta:enum": { - "architecture": "System or software architecture model", - "behavioral": "System behavior model", - "conceptual": "High-level conceptual model", - "dataFlow": "Data flow model showing how data moves through the system", - "deployment": "Deployment or infrastructure model", - "logical": "Logical system model", - "network": "Network topology or connectivity model", - "operational": "Operational model", - "physical": "Physical infrastructure model", - "privacy": "Privacy impact assessment model", - "process": "Business or system process model", - "risk": "Risk assessment model", - "structural": "System structure model", - "threat": "Security threat model" - } - } + "description": "A predefined model type from the enumeration.", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "dataFlow", + "deployment", + "logical", + "network", + "operational", + "physical", + "privacy", + "process", + "risk", + "structural", + "threat" + ], + "meta:enum": { + "architecture": "System or software architecture model.", + "behavioral": "System behaviour model.", + 
"conceptual": "High-level conceptual model.", + "dataFlow": "Data flow model showing how data moves through the system.", + "deployment": "Deployment or infrastructure model.", + "logical": "Logical system model.", + "network": "Network topology or connectivity model.", + "operational": "Operational model.", + "physical": "Physical infrastructure model.", + "privacy": "Privacy impact assessment model.", + "process": "Business or system process model.", + "risk": "Risk assessment model.", + "structural": "System structure model.", + "threat": "Security threat model." } }, { + "type": "object", "title": "Custom Model Type", - "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.", - "required": ["name"], + "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define methodology-specific or domain-specific model categories.", "additionalProperties": false, + "required": [ + "name" + ], "properties": { "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "Custom model type name" + "description": "The name of the custom model type." }, "description": { "type": "string", "title": "Description", - "description": "Description of the custom model type" + "description": "A description of the custom model type." } } } ] }, "methodology": { - "type": "object", "title": "Methodology", - "description": "The modelling methodology used, either a predefined type or a custom named methodology.", + "description": "The modelling methodology used, either a predefined value from the enumeration or a custom object for methodologies not covered. 
The object form may also be used to annotate a predefined methodology with a version or external references.", "oneOf": [ { + "type": "string", "title": "Predefined Methodology", - "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", - "required": ["type"], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Pre-Defined Type", - "enum": [ - "4+1", - "Archimate", - "ATFAA", - "BPMN", - "C4", - "DFD", - "DODAF", - "ERD", - "IDEF", - "LINDDUN", - "MAESTRO", - "MITRE-ATTACK", - "MODAF", - "NAF", - "OWASP", - "PASTA", - "SABSA", - "STRIDE", - "SysML", - "TOGAF", - "TRIKE", - "UML", - "VAST", - "Zachman", - "attackTree" - ], - "meta:enum": { - "4+1": "4+1 Architectural View Model", - "Archimate": "Enterprise architecture modeling language", - "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", - "BPMN": "Business Process Model and Notation", - "C4": "C4 Model for software architecture", - "DFD": "Data Flow Diagrams", - "DODAF": "Department of Defense Architecture Framework", - "ERD": "Entity Relationship Diagrams", - "IDEF": "Integration Definition Methods", - "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance", - "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome", - "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework", - "MODAF": "Ministry of Defence Architecture Framework", - "NAF": "NATO Architecture Framework", - "OWASP": "OWASP threat modelling methodology", - "PASTA": "Process for Attack Simulation and Threat Analysis", - "SABSA": "Sherwood Applied Business Security Architecture", - "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege", - "SysML": "Systems Modeling Language", - "TOGAF": "The Open Group Architecture Framework", - "TRIKE": "Risk-based threat 
modelling methodology", - "UML": "Unified Modeling Language", - "VAST": "Visual, Agile, and Simple Threat modelling", - "Zachman": "Zachman Framework", - "attackTree": "Attack tree methodology for structured threat analysis" - } - }, - "version": { - "type": "string", - "title": "Version", - "description": "Version of the methodology" - } + "description": "A predefined methodology from the enumeration.", + "enum": [ + "4+1", + "Archimate", + "ATFAA", + "BPMN", + "C4", + "DFD", + "DODAF", + "ERD", + "IDEF", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK", + "MODAF", + "NAF", + "OWASP", + "PASTA", + "SABSA", + "STRIDE", + "SysML", + "TOGAF", + "TRIKE", + "UML", + "VAST", + "Zachman", + "attackTree" + ], + "meta:enum": { + "4+1": "4+1 Architectural View Model.", + "Archimate": "Enterprise architecture modelling language.", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.", + "BPMN": "Business Process Model and Notation.", + "C4": "C4 Model for software architecture.", + "DFD": "Data Flow Diagrams.", + "DODAF": "Department of Defense Architecture Framework.", + "ERD": "Entity Relationship Diagrams.", + "IDEF": "Integration Definition Methods.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.", + "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework.", + "MODAF": "Ministry of Defence Architecture Framework.", + "NAF": "NATO Architecture Framework.", + "OWASP": "OWASP threat modelling methodology.", + "PASTA": "Process for Attack Simulation and Threat Analysis.", + "SABSA": "Sherwood Applied Business Security Architecture.", + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.", + "SysML": "Systems Modeling Language.", + "TOGAF": "The Open Group Architecture Framework.", + "TRIKE": "Risk-based threat 
modelling methodology.", + "UML": "Unified Modeling Language.", + "VAST": "Visual, Agile, and Simple Threat modelling.", + "Zachman": "Zachman Framework.", + "attackTree": "Attack tree methodology for structured threat analysis." } }, { + "type": "object", "title": "Custom Methodology", - "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.", - "required": ["name"], + "description": "A custom methodology not covered by the predefined enumeration, or a predefined methodology that needs to carry a version or external references.", "additionalProperties": false, + "required": [ + "name" + ], "properties": { "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "Custom methodology name" + "description": "The name of the methodology. May reference a predefined methodology by its enumerated identifier or a custom methodology name." }, "version": { "type": "string", "title": "Version", - "description": "Version of the methodology" + "description": "The version of the methodology." }, "description": { "type": "string", "title": "Description", - "description": "Description of the custom methodology" + "description": "A description of the methodology." }, "externalReferences": { "type": "array", 
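Review bot: After this hunk a predefined model type or methodology is a bare string and the object branch requires `name` with `"additionalProperties": false`, so the `{ "type": "behavioral" }` and `{ "type": "MITRE-ATTACK" }` entries in the two behavior-mockup fixtures added in the previous commit no longer validate, and this commit's diffstat does not touch them; they should become `"modelTypes": [ "behavioral" ]` and `"methodologies": [ "MITRE-ATTACK" ]`, or the object form with `name`. The custom-methodology `name` description invites the enumerated identifier to be repeated in object form, but nothing ties that string to the enum, so a value like `"name": "stride"` passes as a new custom methodology; the description should state that consumers match `name` against the enumeration exactly and case-sensitively, or the identifier should be carried in a dedicated property. The `methodology` definition continues past the last line shown (`externalReferences` is cut off).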
@@ -397,12 +384,17 @@ "description": "When the blueprint was created or last updated" }, "authors": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who created the blueprint" + "type": "array", + "title": "Authors", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" + }, + "description": "The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `author`." }, "reviewer": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who reviewed the blueprint" + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party that reviewed the blueprint. The party's `roles` should include `reviewer`." }, "reviewDate": { "type": "string", @@ -411,8 +403,8 @@ "description": "When the blueprint was reviewed" }, "approver": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who approved the blueprint" + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority." }, "approvalDate": { "type": "string", @@ -461,7 +453,9 @@ "type": "object", "title": "Scope", "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.", - "required": ["name"], + "required": [ + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { 
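Review bot: `authors` becomes an array of `partyChoice` while `reviewer` and `approver` remain a single `partyChoice`, so a blueprint reviewed or approved by more than one party — the usual case for a threat model that needs both a security and a product sign-off — can record only one of them; if that is intended the two descriptions should say so, otherwise `reviewers`/`approvers` arrays with `uniqueItems` mirroring `authors` would be consistent. The role expectations (`author`, `reviewer`, `signatory`) are documented but not validated, so a `$comment` such as `Role membership is a convention; consumers acting on reviewer or approver identity must check the referenced party's roles themselves.` would stop readers from assuming the schema enforces them. `approvalDate` and the surrounding properties continue past this hunk.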
@@ -493,18 +487,18 @@ "title": "Included Components", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to components explicitly included" + "description": "References using bom-link or bom-ref to components explicitly included." }, "excludedComponents": { "type": "array", "title": "Excluded Components", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to components explicitly excluded" + "description": "References using bom-link or bom-ref to components explicitly excluded." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" @@ -522,12 +516,12 @@ "description": "Unique identifier for the asset" }, "componentRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the component this asset represents" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the component this asset represents." }, "serviceRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the service this asset represents" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the service this asset represents." }, "type": { "type": "string", 
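Review bot: Switching `includedComponents`, `excludedComponents`, `componentRef`, and `serviceRef` from `refType` to `refLinkType` lets these fields point into another BOM document via bom-link, yet the asset `oneOf` descriptions left unchanged in the `@@ -683` hunk below still read `An asset defined by reference to a component declared elsewhere in the BOM.`; either update them to `… declared in this BOM or, via bom-link, in another BOM.` or keep `refType` where cross-document targets are not intended. Resolving a bom-link means fetching and trusting a separate document, so a consumer that builds a threat-model scope from these fields should resolve only documents it has verified (a pinned serial number and version, or a signature) and treat an unresolvable link as an error rather than silently dropping the component from scope; a `$comment` to that effect where `refLinkType` is introduced would make the expectation explicit. The same widening appears in the `useCases` hunk above and in the `@@ -601`, `@@ -638`, `@@ -791`, `@@ -813`, `@@ -887`, `@@ -1009`, `@@ -1081`, and `@@ -1203` hunks below.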
@@ -601,12 +595,12 @@ "description": "Description of the asset's role and purpose" }, "zone": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the zone containing this asset" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the zone containing this asset." }, "parent": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to parent asset if this is a sub-component" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the parent asset if this is a sub-component." }, "classification": { "$ref": "#/$defs/assetClassification" @@ -638,18 +632,18 @@ "title": "Dependencies", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to assets this asset depends on" + "description": "References using bom-link or bom-ref to assets this asset depends on." }, "useCases": { "type": "array", "title": "Use Cases", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." + "description": "References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." }, "authentication": { "type": "array", 
@@ -683,17 +677,27 @@ { "title": "Component Reference Asset", "description": "An asset defined by reference to a component declared elsewhere in the BOM.", - "required": ["bom-ref", "componentRef"] + "required": [ + "bom-ref", + "componentRef" + ] }, { "title": "Service Reference Asset", "description": "An asset defined by reference to a service declared elsewhere in the BOM.", - "required": ["bom-ref", "serviceRef"] + "required": [ + "bom-ref", + "serviceRef" + ] }, { "title": "Inline Asset", "description": "An asset defined inline within the blueprint with an explicit type and name.", - "required": ["bom-ref", "type", "name"] + "required": [ + "bom-ref", + "type", + "name" + ] } ] }, @@ -701,7 +705,11 @@ "type": "object", "title": "Data Store", "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.", - "required": ["bom-ref", "name", "type"], + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -791,8 +799,8 @@ "description": "Deployment environment (prod, test, etc.)" }, "zone": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the zone where the asset resides" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the zone where the asset resides." }, "location": { "type": "string", @@ -813,9 +821,9 @@ "title": "Data Sets", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to data sets stored here" + "description": "References using bom-link or bom-ref to data sets stored here." }, "authorization": { "type": "array", 
@@ -835,7 +843,11 @@ "type": "object", "title": "Data Set", "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.", - "required": ["bom-ref", "name", "description"], + "required": [ + "bom-ref", + "name", + "description" + ], "additionalProperties": false, "properties": { "bom-ref": { 
@@ -853,22 +865,37 @@ "minLength": 1, "description": "What information is contained and why it exists" }, - "dataProfile": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "Data profiles that govern the dataset. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice" + } + }, + "dataObjects": { + "type": "array", + "title": "Data Objects", + "description": "The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject" + } }, "recordCount": { "type": "integer", "title": "Record Count", - "description": "Approximate number of records" + "description": "Approximate number of records." }, "owners": { "type": "array", "title": "Owners", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" }, - "description": "Individuals or organizational entities that own the dataset" + "description": "Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "authorization": { "type": "array", 
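Review bot: Renaming `dataProfile` to `dataProfiles` (here on `dataSet` and again on `flow` in the `@@ -1240` hunk) removes a key instead of adding one, and because both objects carry `"additionalProperties": false` a document written against the previous draft now fails validation outright; acceptable before release, but the commit message should call it out. The `dataObjects` description says an object `may reference one of the dataset's data profiles`, yet the reference is a plain bom-ref/bom-link with no schema-level scoping, so a consumer must itself check that the target is one of this dataset's profiles rather than any profile in the document, and the description should say so. `recordCount` is an `integer` with no lower bound; add `"minimum": 0` so negative counts are rejected.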
@@ -887,12 +914,14 @@ "type": "object", "title": "Placement", "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.", - "required": ["dataStore"], + "required": [ + "dataStore" + ], "additionalProperties": false, "properties": { "dataStore": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the store holding this dataset" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the store holding this dataset." }, "encrypted": { "type": "boolean", @@ -920,7 +949,10 @@ }, "interface": { "type": "object", - "required": ["name", "type"], + "required": [ + "name", + "type" + ], "additionalProperties": false, "properties": { "name": { @@ -929,7 +961,20 @@ }, "type": { "type": "string", - "enum": ["rest", "graphql", "grpc", "soap", "messaging", "file", "database", "cli", "gui", "api", "event", "stream"], + "enum": [ + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" + ], "description": "Type of interface" }, "description": { @@ -967,7 +1012,11 @@ "type": "object", "title": "Zone", "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.", - "required": ["bom-ref", "name", "type"], + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -1009,8 +1058,8 @@ } }, "parent": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to parent zone if this is a sub-zone" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the parent zone if this is a sub-zone." }, "characteristics": { "type": "array", 
@@ -1039,7 +1088,10 @@ "type": "object", "title": "Boundary", "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", - "required": ["bom-ref", "zones"], + "required": [ + "bom-ref", + "zones" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -1081,9 +1133,9 @@ "uniqueItems": true, "minItems": 2, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "The zones this boundary connects or separates" + "description": "References using bom-link or bom-ref to the zones this boundary connects or separates." }, "crossingRequirements": { "$ref": "#/$defs/crossingRequirements" @@ -1157,7 +1209,13 @@ "type": "object", "title": "Flow", "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", - "required": ["bom-ref", "name", "source", "destination", "type"], + "required": [ + "bom-ref", + "name", + "source", + "destination", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { 
@@ -1203,12 +1261,12 @@
 }
 },
 "source": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference to the source asset"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange."
 },
 "destination": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference to the destination asset"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the destination of the flow. The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange."
 },
 "bidirectional": {
 "type": "boolean",
@@ -1240,8 +1298,23 @@
 },
 "description": "Communication protocols used by this flow"
 },
- "dataProfile": {
- "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile"
+ "dataProfiles": {
+ "type": "array",
+ "title": "Data Profiles",
+ "description": "Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice"
+ }
+ },
+ "dataObjects": {
+ "type": "array",
+ "title": "Data Objects",
+ "description": "The specific data objects carried by this flow. Each object names a payload and may reference one of the flow's data profiles for its governing policy.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject"
+ }
 },
 "authentication": {
 "type": "array",
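Review bot: `dataProfiles` and `dataObjects` both accept an empty array, and nothing ties a `dataObject.profile` to the flow's own `dataProfiles` list, so a flow can declare profiles that govern no object and objects governed by a profile the flow never lists. Add `"minItems": 1` to both arrays (an empty list asserts nothing about the flow) and extend the `dataObjects` description with `"A data object's profile should be one of the flow's dataProfiles; validators do not enforce this."`. The remaining `flow` properties continue outside the hunk.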
@@ -1275,47 +1348,26 @@ "actor": { "type": "object", "title": "Actor", - "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", - "required": ["bom-ref", "name", "type"], + "description": "An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.", + "required": [ + "bom-ref", + "party" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier." }, - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "Name or title of the actor" + "party": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "title": "Party", + "description": "The party that this actor binds to the modelled system. May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document." 
}, "description": { "type": "string", "title": "Description", - "description": "Narrative describing the actor's role and context" - }, - "type": { - "type": "string", - "title": "Type", - "enum": [ - "administrator", - "agent", - "engineer", - "external", - "operator", - "other", - "system", - "user" - ], - "meta:enum": { - "administrator": "Administrative or privileged operator", - "agent": "Autonomous AI agent or intelligent software agent", - "engineer": "Developer or platform/DevOps engineer", - "external": "Third-party or external entity", - "operator": "Operational staff running the system", - "other": "An actor type not covered by the predefined enumeration", - "system": "Automated system actor or service account", - "user": "End user of a client application or service" - } + "description": "A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint." }, "permissions": { "type": "array", 
@@ -1324,15 +1376,12 @@ "items": { "type": "string" }, - "description": "Permissions, capabilities, or duties the actor holds" - }, - "delegatedBy": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity" + "description": "The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint." }, "zone": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Reference to the zone where the actor resides" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Zone", + "description": "Reference using bom-link or bom-ref to the trust zone in which the actor operates." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" @@ -1343,7 +1392,9 @@ "type": "object", "title": "Assumption", "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", - "required": ["description"], + "required": [ + "description" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -1384,9 +1435,9 @@ "title": "Related Assets", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" + "description": "References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes." }, "validity": { "type": "string", 
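Review bot: In the hunk at `@@ -1324,15 +1376,12 @@`, the `permissions` items remain `{ "type": "string" }` with no `minLength`, so an empty string is accepted as a permission the actor holds in the blueprint; `"items": { "type": "string", "minLength": 1 }` would match the `minLength: 1` the patch applies to every other free-text name. Separately, the hunk beginning at `@@ -1275,47 +1348,26 @@` drops `delegatedBy` on the grounds that delegation is carried by the party; that party-level field is not in this diff, so confirm `cyclonedx-party-2.0.schema.json` actually models it before the only representation of human-to-agent delegation is removed. The `actor` object's closing lines are outside the hunk.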
@@ -1412,8 +1463,8 @@ "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" }, "owner": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "validationMethod": { "type": "string", @@ -1432,7 +1483,10 @@ "type": "object", "title": "Visualization", "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", - "required": ["name", "type"], + "required": [ + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -1488,9 +1542,9 @@ "title": "Elements", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to elements shown in this visualization" + "description": "References using bom-link or bom-ref to elements shown in this visualization." }, "interactive": { "type": "boolean", @@ -1519,7 +1573,9 @@ { "title": "Predefined Visualization Type", "description": "A visualization type selected from a predefined set of well-known diagram types.", - "required": ["type"], + "required": [ + "type" + ], "additionalProperties": false, "properties": { "type": { 
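Review bot: The new `owner` description in the hunk at `@@ -1412,8 +1463,8 @@` states that the party's `roles` should include `owner`, but a `partyChoice` may be a bom-link or bom-ref string, so the schema cannot check the role and a reader may assume it is validated. Make the advisory nature explicit, e.g. `"The party's roles should include owner; validators do not enforce this."`, or add a `$comment` to the same effect. The `assumption` object's remaining properties are outside the hunk.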
@@ -1567,7 +1623,9 @@ { "title": "Custom Visualization Type", "description": "A custom visualization type not covered by the predefined enumeration.", - "required": ["name"], + "required": [ + "name" + ], "additionalProperties": false, "properties": { "name": { @@ -1593,7 +1651,9 @@ { "title": "Predefined Visualization Format", "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", - "required": ["format"], + "required": [ + "format" + ], "additionalProperties": false, "properties": { "format": { @@ -1631,7 +1691,9 @@ { "title": "Custom Visualization Format", "description": "A custom visualization format not covered by the predefined enumeration.", - "required": ["name"], + "required": [ + "name" + ], "additionalProperties": false, "properties": { "name": { @@ -1656,15 +1718,18 @@ "criticality": { "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality" }, - "sensitivity": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity" - }, - "dataClassification": { + "classification": { "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" }, "tier": { "type": "string", - "enum": ["tier0", "tier1", "tier2", "tier3", "tier4"], + "enum": [ + "tier0", + "tier1", + "tier2", + "tier3", + "tier4" + ], "meta:enum": { "tier0": "Mission critical - highest priority", "tier1": "Business critical - high priority", 
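Review bot: The hunk at `@@ -1656,15 +1718,18 @@` removes `sensitivity` and renames `dataClassification` to `classification` under `additionalProperties: false`, so documents written against the previous draft now fail validation with no alias or deprecation marker; the same applies to the `custom` and `other` values dropped from `authenticationType` and `authorizationType` in the hunk at `@@ -1689,115 +1754,142 @@`, and to `dataTypes` removed from the data profile at `@@ -158,17 +146,13 @@`. A migration note in the changelog, or a `$comment` such as `"sensitivity was folded into classification; custom values now use the object form"`, would save consumers from guessing. This is a documentation point only; the renames themselves look intentional.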
@@ -1689,115 +1754,142 @@ } } }, - "dataProfile": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" - }, "ownership": { - "type": "object", + "type": "array", "title": "Ownership", - "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.", - "additionalProperties": false, - "properties": { - "owner": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "Primary owner of the asset" - }, - "steward": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "Steward responsible for the asset" - }, - "custodian": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "Custodian responsible for protecting the asset" - }, - "users": { - "type": "array", - "title": "Users", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" - }, - "description": "Primary users of the asset" - } + "description": "Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). 
Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" } }, "authenticationType": { - "type": "string", "title": "Authentication Type", - "description": "The authentication method or protocol used to verify identity.", - "enum": [ - "apiKey", - "basic", - "bearer", - "certificate", - "custom", - "digest", - "fido2", - "jwt", - "kerberos", - "ldap", - "mfa", - "mTLS", - "none", - "ntlm", - "oauth1", - "oauth2", - "oidc", - "saml", - "ssh" - ], - "meta:enum": { - "apiKey": "API key authentication", - "basic": "Basic authentication (username/password)", - "bearer": "Bearer token authentication", - "certificate": "Certificate-based authentication", - "custom": "Custom authentication method", - "digest": "Digest authentication", - "fido2": "FIDO2/WebAuthn passwordless authentication", - "jwt": "JSON Web Token authentication", - "kerberos": "Kerberos authentication", - "ldap": "LDAP directory authentication", - "mfa": "Multi-factor authentication", - "mTLS": "Mutual TLS authentication", - "none": "No authentication required", - "ntlm": "NTLM authentication", - "oauth1": "OAuth 1.0 authentication", - "oauth2": "OAuth 2.0 authentication", - "oidc": "OpenID Connect authentication", - "saml": "SAML authentication", - "ssh": "SSH key authentication" - } + "description": "The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Authentication Type", + "description": "A predefined authentication method from the enumeration.", + "enum": [ + "apiKey", + "basic", + "bearer", + "certificate", + "digest", + "fido2", + "jwt", + "kerberos", + "ldap", + "mfa", + "mTLS", + "none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "saml", + "ssh" + ], + "meta:enum": { + 
"apiKey": "API key authentication.", + "basic": "Basic authentication (username and password).", + "bearer": "Bearer token authentication.", + "certificate": "Certificate-based authentication.", + "digest": "Digest authentication.", + "fido2": "FIDO2 or WebAuthn passwordless authentication.", + "jwt": "JSON Web Token authentication.", + "kerberos": "Kerberos authentication.", + "ldap": "LDAP directory authentication.", + "mfa": "Multi-factor authentication.", + "mTLS": "Mutual TLS authentication.", + "none": "No authentication required.", + "ntlm": "NTLM authentication.", + "oauth1": "OAuth 1.0 authentication.", + "oauth2": "OAuth 2.0 authentication.", + "oidc": "OpenID Connect authentication.", + "saml": "SAML authentication.", + "ssh": "SSH key authentication." + } + }, + { + "type": "object", + "title": "Custom Authentication Type", + "description": "A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom authentication method." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom authentication method, including how identity is verified and any relevant constraints." 
+ } + } + } + ] }, "authorizationType": { - "type": "string", "title": "Authorization Type", - "description": "The authorization model used to determine and enforce access permissions.", - "enum": [ - "abac", - "acl", - "cbac", - "custom", - "dac", - "mac", - "none", - "other", - "pbac", - "rbac", - "rebac" - ], - "meta:enum": { - "abac": "Attribute-Based Access Control", - "acl": "Access Control Lists", - "cbac": "Claims-Based Access Control", - "custom": "Custom authorization model", - "dac": "Discretionary Access Control", - "mac": "Mandatory Access Control", - "none": "No authorization controls", - "other": "Other authorization model not listed", - "pbac": "Policy-Based Access Control", - "rbac": "Role-Based Access Control", - "rebac": "Relationship-Based Access Control" - } + "description": "The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Authorization Type", + "description": "A predefined authorization model from the enumeration.", + "enum": [ + "abac", + "acl", + "cbac", + "dac", + "mac", + "none", + "pbac", + "rbac", + "rebac" + ], + "meta:enum": { + "abac": "Attribute-Based Access Control.", + "acl": "Access Control Lists.", + "cbac": "Claims-Based Access Control.", + "dac": "Discretionary Access Control.", + "mac": "Mandatory Access Control.", + "none": "No authorization controls.", + "pbac": "Policy-Based Access Control.", + "rbac": "Role-Based Access Control.", + "rebac": "Relationship-Based Access Control." 
+ }
+ },
+ {
+ "type": "object",
+ "title": "Custom Authorization Type",
+ "description": "A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "The name of the custom authorization model."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the custom authorization model, including how access decisions are made and any relevant constraints."
+ }
+ }
+ }
+ ]
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json
index d2e8053d2..782fb377f 100644
--- a/schema/2.0/model/cyclonedx-component-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
@@ -156,6 +156,14 @@
 "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patentAssertions",
 "title": "Component Patent(s)"
 },
+ "requirementAssertions": {
+ "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirementAssertions",
+ "title": "Component Requirement(s)"
+ },
+ "useCaseAssertions": {
+ "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCaseAssertions",
+ "title": "Component Use Case(s)"
+ },
 "cpe": {
 "type": "string",
 "title": "Common Platform Enumeration (CPE)",
diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json
index 66f16234a..3175c01c6 100644
--- a/schema/2.0/model/cyclonedx-data-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json
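Review bot: `ownership` in the hunk at `@@ -1689,115 +1754,142 @@` became an array of `partyChoice` with `uniqueItems` but no `minItems`, so `"ownership": []` validates while asserting nothing, and its description relies on `role.order` in the party schema, which this diff does not show; confirm that property exists or the sentence documents behaviour nobody can express. `"minItems": 1` on the array addresses the first part. The `authenticationType`/`authorizationType` rewrite in the same hunk is sound: the string and object branches of each `oneOf` are disjoint types, so no document can match both.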
@@ -3,113 +3,72 @@ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-data-2.0.schema.json", "type": "null", "title": "CycloneDX Data Model", - "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "A catalogue of reusable data profile definitions. Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataProfile" + } + }, "dataProfile": { "type": "object", "title": "Data Profile", - "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", - "required": ["name"], + "description": "Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for this data profile" + "description": "Unique identifier for this data profile." 
}, "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.", - "examples": ["Customer PII Dataset", "Transaction Logs", "Employee Health Records"] + "description": "The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.", + "examples": [ + "Customer PII Dataset", + "Transaction Logs", + "Employee Health Records" + ] }, "description": { "type": "string", "title": "Description", "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." }, - "sensitivity": { - "type": "string", - "title": "Sensitivity", - "enum": [ - "confidential", - "internal", - "public", - "restricted", - "classified" - ], - "description": "Data sensitivity classification.", - "meta:enum": { - "confidential": "Confidential information requiring protection", - "internal": "Internal use only within the organization", - "public": "Public information that can be freely shared", - "restricted": "Highly restricted information with limited access and special protection measures", - "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations" - } - }, "classification": { - "title": "Classification", - "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", - "oneOf": [ - { - "title": "Predefined Classification", - "description": "A predefined data classification from the enumeration.", - "type": "object", - "additionalProperties": false, - "required": ["type"], - "properties": { - "type": { - "type": "string", - 
"title": "Type", - "enum": [ - "credentials", - "financial", - "intellectualProperty", - "logs", - "operational", - "other", - "pci", - "phi", - "pii", - "safety", - "telemetry" - ], - "meta:enum": { - "credentials": "Secrets, tokens, or credentials", - "financial": "Financial statements or transaction data", - "intellectualProperty": "Intellectual property or trade secrets", - "logs": "Operational or security log data", - "operational": "Operational or process data", - "other": "Other data classification not listed", - "pci": "Payment card industry data", - "phi": "Protected health information", - "pii": "Personally identifiable information", - "safety": "Safety critical data or signals", - "telemetry": "System or product telemetry data" - } - } - } - }, - { - "title": "Custom Classification", - "description": "A custom data classification not covered by the predefined enumeration.", - "type": "object", - "additionalProperties": false, - "required": ["name"], - "properties": { - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "The name of a custom data classification not covered by the predefined enumeration" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom data classification" - } + "$ref": "#/$defs/dataClassification", + "description": "The classification of the data, indicating the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. 
Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/informationType" + }, + "examples": [ + [ + "pii", + "financial" + ], + [ + "phi", + "biometric", + { + "name": "minor-health-data", + "description": "Health information for individuals under 18, subject to COPPA and HIPAA." } - } + ] ] }, "subjects": { @@ -122,8 +81,31 @@ }, "examples": [ [ - {"name": "EU Residents", "type": "group", "protectedClass": false, "jurisdictions": ["DE", "FR", "IT"], "regulations": ["GDPR"]}, - {"name": "Pediatric Patients", "type": "group", "protectedClass": true, "jurisdictions": ["US"], "regulations": ["HIPAA", "COPPA"]} + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR", + "IT" + ], + "regulations": [ + "GDPR" + ] + }, + { + "name": "Pediatric Patients", + "type": "group", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + } ] ] }, @@ -137,8 +119,14 @@ }, "examples": [ [ - {"name": "Service Delivery", "legalBasis": "contract"}, - {"name": "Fraud Prevention", "legalBasis": "legitimate interest"} + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + } ] ] }, @@ -158,17 +146,13 @@ "type": "string" }, "description": "The formats in which the data is stored or transmitted.", - "examples": [["JSON", "CSV", "Parquet"]] - }, - "dataTypes": { - "type": "array", - "title": "Data Types", - "uniqueItems": true, - "items": { - "type": "string" - }, - "description": "The specific types of data elements contained within this dataset.", - "examples": [["email address", "date of birth", "IP address"]] + "examples": [ + [ + "JSON", + "CSV", + "Parquet" + ] + ] }, "schema": { "type": "array", 
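Review bot: The `informationTypes` examples added in the hunk at `@@ -3,113 +3,72 @@` use the values `pii`, `financial`, `phi` and `biometric` plus a custom object, but the `informationType` definition they must satisfy is not in this diff; if `biometric` is not in that enum, schema test harnesses that validate `examples` will fail on this file. The same hunk points `classification` at `#/$defs/dataClassification`, whose new definition is also outside the visible hunks. Both are worth a quick check before merge rather than a code change here.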
@@ -179,14 +163,18 @@ "format": "uri" }, "description": "References to schema contracts or documents describing the data structure.", - "examples": [["https://example.com/schemas/customer-v2.json"]] + "examples": [ + [ + "https://example.com/schemas/customer-v2.json" + ] + ] }, "access": { "type": "array", "title": "Access", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." }, @@ -195,7 +183,7 @@ "title": "Collection", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." }, @@ -204,7 +192,7 @@ "title": "Disposal", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." }, @@ -213,7 +201,7 @@ "title": "Handling", "uniqueItems": true, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." }, 
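Review bot: With `access`, `collection`, `disposal` and `handling` items changed to `refLinkType` in the hunks at `@@ -179,14 +163,18 @@` through `@@ -213,7 +201,7 @@`, the requirement that says who may read a dataset or how it must be handled can now live in a different BOM reached by bom-link, and nothing in the descriptions says how a consumer should treat a link it cannot resolve or verify. Add a sentence to each description, or once at the `dataProfile` level, such as `"When a bom-link cannot be resolved, the requirement is unknown and must not be treated as satisfied."`. The same change appears for `processing`, `retention` and `sharing` in the following hunks.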
@@ -222,7 +210,7 @@
 "title": "Processing",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
 "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."
 },
@@ -231,16 +219,26 @@
 "title": "Retention",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
 "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."
 },
+ "ttl": {
+ "type": "integer",
+ "title": "Time to Live",
+ "minimum": 1,
+ "description": "The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. Distinct from retention, which applies to persisted data and is governed by requirement objects.",
+ "examples": [
+ 300,
+ 3600
+ ]
+ },
 "sharing": {
 "type": "array",
 "title": "Sharing",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
 "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."
 },
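Review bot: `ttl` in the hunk at `@@ -231,16 +219,26 @@` is a bare integer whose unit lives only in the description, even though the description already takes care to separate it from `retention`; naming it `ttlSeconds`, or at least titling it `"Time to Live (seconds)"`, keeps the unit next to the value for consumers that never read descriptions. The examples `300` and `3600` are consistent with seconds, so no value change is needed.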
@@ -249,31 +247,277 @@ } } }, + "dataProfileChoice": { + "title": "Data Profile Choice", + "description": "A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.", + "oneOf": [ + { + "$ref": "#/$defs/dataProfile" + }, + { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to a previously declared data profile." + } + ] + }, + "dataObject": { + "type": "object", + "title": "Data Object", + "description": "A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. A single profile may govern many data objects; each data object refers to at most one profile.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data object." + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the data object, such as the name of the message, record, document, or table row it represents.", + "examples": [ + "user_registration", + "payment_request", + "audit_event" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes." 
+ }, + "profile": { + "$ref": "#/$defs/dataProfileChoice", + "title": "Profile", + "description": "The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in this object. May refine or extend the information types declared on the referenced profile. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/informationType" + } + }, + "schema": { + "type": "object", + "title": "Schema", + "description": "The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the schema document." + }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.", + "examples": [ + "application/schema+json", + "application/xml", + "application/vnd.apache.avro+json" + ] + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the schema, such as its version or compatibility expectations." 
+ } + } + }, + "format": { + "type": "object", + "title": "Format", + "description": "The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the format specification." + }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "Media type or encoding format, for example application/json, text/csv, application/hl7-v2.", + "examples": [ + "application/json", + "text/csv", + "application/hl7-v2" + ] + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the format." + } + } + }, + "attributes": { + "type": "array", + "title": "Attributes", + "description": "The fields, columns, or properties contained in this object. Each attribute may carry a typed information type to support field-level classification and compliance analysis.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataAttribute" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataAttribute": { + "type": "object", + "title": "Data Attribute", + "description": "A single field, column, or property within a data object. 
Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the attribute as it appears in the data object, such as a field name, column name, or property key.", + "examples": [ + "email", + "dateOfBirth", + "panToken", + "amount" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the attribute, such as its semantics, expected values, or constraints." + }, + "informationType": { + "$ref": "#/$defs/informationType", + "title": "Information Type", + "description": "The information type carried by this attribute. Field-level typing enables compliance analysis at finer granularity than the object-level information types." + }, + "required": { + "type": "boolean", + "title": "Required", + "description": "Indicates whether the attribute is required for the data object to be valid." + }, + "sensitive": { + "type": "boolean", + "title": "Sensitive", + "description": "Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "subject": { "type": "object", "title": "Subject", - "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.", - "required": ["name", "type"], + "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.", "additionalProperties": false, + "anyOf": [ + { + "required": [ + "name", + "type" + ] + }, + { + "required": [ + "party" + ] + }, + { + "required": [ + "ref" + ] + } + ], "examples": [ - {"name": "EU Residents", "type": "group", "protectedClass": false, "jurisdictions": ["DE", "FR"], "regulations": ["GDPR"]}, - {"name": "Pediatric Patients", "type": "group", "protectedClass": true, "jurisdictions": ["US"], "regulations": ["HIPAA", "COPPA"]}, - {"name": "GPT-4 Model", "type": "technology", "protectedClass": false} + { + "name": "EU Residents", + "type": "group", + "protectedClass": false, + "jurisdictions": [ + "DE", + "FR" + ], + "regulations": [ + "GDPR" + ] + }, + { + "ref": "party-pediatric-patients", + "protectedClass": true, + "jurisdictions": [ + "US" + ], + "regulations": [ + "HIPAA", + "COPPA" + ] + }, + { + "party": { + "roles": [ + { + "role": "data-subject" + } + ], + "persona": { + "archetype": "customer", + "scope": "external", + "description": "Fleet vehicle owners enrolled in the connected-services platform." 
+ } + }, + "protectedClass": false + } ], "properties": { "name": { "type": "string", "title": "Name", - "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.", + "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.", "minLength": 1, - "examples": ["EU Residents", "Pediatric Patients", "Fleet Vehicles"] + "examples": [ + "EU Residents", + "Pediatric Patients", + "Fleet Vehicles" + ] }, "type": { "type": "string", "title": "Type", - "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.", + "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. Optional when `party` or `ref` is supplied.", "minLength": 1, - "examples": ["individual", "group", "technology"] + "examples": [ + "individual", + "group", + "technology" + ] + }, + "party": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/party", + "title": "Party", + "description": "An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`." + }, + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it." }, "protectedClass": { "type": "boolean", 
@@ -306,9 +550,19 @@ "items": { "type": "string", "minLength": 2, - "examples": ["US", "GB", "US-CA"] + "examples": [ + "US", + "GB", + "US-CA" + ] }, - "examples": [["US", "GB", "DE"]] + "examples": [ + [ + "US", + "GB", + "DE" + ] + ] }, "regulations": { "type": "array", @@ -318,20 +572,41 @@ "items": { "type": "string", "minLength": 1, - "examples": ["GDPR", "HIPAA", "PCI-DSS"] + "examples": [ + "GDPR", + "HIPAA", + "PCI-DSS" + ] }, - "examples": [["GDPR", "CCPA", "PCI-DSS"]] + "examples": [ + [ + "GDPR", + "CCPA", + "PCI-DSS" + ] + ] }, "purpose": { "type": "object", "title": "Purpose", "description": "The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.", - "required": ["name"], + "required": [ + "name" + ], "additionalProperties": false, "examples": [ - {"name": "Service Delivery", "legalBasis": "contract"}, - {"name": "Fraud Prevention", "legalBasis": "legitimate interest"}, - {"name": "Marketing Analytics", "legalBasis": "consent"} + { + "name": "Service Delivery", + "legalBasis": "contract" + }, + { + "name": "Fraud Prevention", + "legalBasis": "legitimate interest" + }, + { + "name": "Marketing Analytics", + "legalBasis": "consent" + } ], "properties": { "name": { @@ -339,7 +614,11 @@ "title": "Name", "description": "The name of the purpose for which data is collected or processed.", "minLength": 1, - "examples": ["Service Delivery", "Fraud Prevention", "Marketing Analytics"] + "examples": [ + "Service Delivery", + "Fraud Prevention", + "Marketing Analytics" + ] }, "description": { "type": "string", 
@@ -351,7 +630,11 @@ "title": "Legal Basis", "description": "The legal basis under applicable law that authorises data collection or processing for this purpose. Use terminology consistent with the applicable jurisdiction and regulation.", "minLength": 1, - "examples": ["consent", "contract", "legitimate interest"] + "examples": [ + "consent", + "contract", + "legitimate interest" + ] }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
@@ -359,82 +642,132 @@ } }, "dataClassification": { - "type": "string", "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." - }, - "dataSensitivity": { - "type": "string", - "title": "Data Sensitivity", - "description": "Classifies the sensitivity of data to indicate the level of protection required.", - "enum": [ - "confidential", - "internal", - "public", - "restricted" - ], - "meta:enum": { - "confidential": "Confidential information requiring protection", - "internal": "Internal use only within the organization", - "public": "Public information that can be freely shared", - "restricted": "Highly restricted information with limited access" - } - }, - "dataGovernance": { - "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", - "additionalProperties": false, - "properties": { - "custodians": { - "type": "array", - "title": "Data Custodians", - "uniqueItems": true, - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } - }, - "stewards": { - "type": "array", - "title": "Data Stewards", - "uniqueItems": true, - "description": "Data stewards are responsible for data content, context, and associated business rules.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } + "description": "Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. 
Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Classification", + "description": "A predefined classification level from the enumeration.", + "enum": [ + "confidential", + "internal", + "public", + "restricted", + "classified" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection.", + "internal": "Internal use only within the organisation.", + "public": "Public information that can be freely shared.", + "restricted": "Highly restricted information with limited access and special protection measures.", + "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations." + } }, - "owners": { - "type": "array", - "title": "Data Owners", - "uniqueItems": true, - "description": "Data owners are concerned with risk and appropriate access to data.", - "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } + { + "type": "object", + "title": "Custom Classification", + "description": "A custom classification level not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom classification level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of what this custom classification level means and the protections it implies." 
+ } + } } - } + ] }, - "dataGovernanceResponsibleParty": { - "type": "object", - "title": "Data Governance Responsible Party", - "description": "An organizational entity or individual responsible for a specific data governance role.", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity" - }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalContact" - } - }, - "oneOf":[ + "informationType": { + "title": "Information Type", + "description": "Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. A single dataset can contain multiple information types and is captured as an array on the data profile.", + "oneOf": [ { - "required": ["organization"] + "type": "string", + "title": "Predefined Information Type", + "description": "A predefined information type from the enumeration.", + "enum": [ + "authentication", + "behavioral", + "biometric", + "communication", + "credentials", + "device", + "financial", + "genetic", + "intellectual-property", + "location", + "logs", + "operational", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "authentication": "Authentication data such as passwords, PINs, or security questions.", + "behavioral": "Behavioural data such as browsing history, usage patterns, or profiling data.", + "biometric": "Biometric data such as fingerprints, facial recognition, or voice patterns.", + "communication": "Communication content such as messages, emails, or call records.", + "credentials": "Secrets, tokens, or credentials.", + "device": 
"Device identifiers or hardware-level data.", + "financial": "Financial statements or transaction data.", + "genetic": "Genetic or genomic data.", + "intellectual-property": "Intellectual property or trade secrets.", + "location": "Precise or inferred geographic location data.", + "logs": "Operational or security log data.", + "operational": "Operational or process data.", + "pci": "Payment card industry data.", + "phi": "Protected health information.", + "pii": "Personally identifiable information.", + "safety": "Safety critical data or signals.", + "telemetry": "System or product telemetry data." + } }, { - "required": ["contact"] + "type": "object", + "title": "Custom Information Type", + "description": "A custom information type not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom information type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom information type and any handling implications it carries." + } + } } ] }, + "dataGovernance": { + "type": "array", + "title": "Data Governance", + "description": "Parties responsible for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" + } + }, "dataFlowDirection": { "type": "string", "title": "Data Flow Direction", 
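Review bot: The custom-classification branch of `dataClassification` gives consumers no way to rank a custom level against the predefined ones, so tooling that enforces handling by level (for example requiring encryption for `restricted`) has to decide how to treat an unknown level; the description should say which way that defaults, e.g. `Consumers that cannot interpret a custom classification should treat it as at least restricted.`, so a custom label does not silently lower protection. Nothing prevents a custom `name` equal to a predefined value (`{"name": "public"}` validates), which is confusing; a `"not": {"enum": [...]}` on the custom `name` or a sentence in the description would close that. This hunk also deletes `dataSensitivity` and `dataGovernanceResponsibleParty`; any remaining `$ref` to `#/$defs/dataSensitivity` or `#/$defs/dataGovernanceResponsibleParty` elsewhere in the schema set would now dangle, which I cannot verify from this hunk.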
diff --git a/schema/2.0/model/cyclonedx-profile-2.0.schema.json b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
new file mode 100644
index 000000000..8f92babe6
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-profile-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Profile Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "profiles": {
+ "type": "object",
+ "title": "Profiles",
+ "description": "A reusable, named characterization of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it.",
+ "additionalProperties": false,
+ "properties": {
+ "dataProfiles": {
+ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfiles"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
index a67c46649..94c22b000 100644
--- a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
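Review bot: The `profiles` description describes a single profile ("A reusable, named characterization of how a subject behaves…") while the definition is the catalogue object that holds `dataProfiles`, so the text documents the wrong level. Suggest `A catalogue of reusable, named profiles grouped by domain. Each profile characterizes how a subject behaves or is governed, separating characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it.` The `$ref` to `cyclonedx-data-2.0.schema.json#/$defs/dataProfiles` resolves only if that definition exists in the data schema, which this commit does not show.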
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Engineering Requirement Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "requirements": {
 "type": "array",
@@ -91,9 +91,9 @@
 }
 },
 "parent": {
- "type": "string",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
 "title": "Parent BOM Reference",
- "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."
+ "description": "Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements."
 },
 "rationale": {
 "type": "string",
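Review bot: `parent` now accepts any bom-link or bom-ref, and nothing in the schema prevents a requirement from naming itself or a descendant as parent, so the hierarchy can contain a cycle that a consumer walking parents to compute inherited obligations would follow without end. The description should state the invariant, e.g. `The parent chain shall be acyclic; a requirement shall not reference itself, directly or indirectly.`, and consumers should bound or cycle-check the walk. Since a bom-link may point into another document, a parent that cannot be resolved should be reported rather than treated as "no parent".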
@@ -274,6 +274,66 @@ "description": "A description of the dependency relationship." } } + }, + "requirementAssertions": { + "type": "array", + "title": "Requirement Assertions", + "description": "A list of assertions describing how a component relates to specific requirements.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Requirement Assertion", + "description": "An assertion linking one or more requirements to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "requirementRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the requirement.", + "enum": [ + "conflicts", + "not-applicable", + "not-assessed", + "other", + "partially-satisfies", + "satisfies", + "violates" + ], + "meta:enum": { + "conflicts": "The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.", + "not-applicable": "The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the requirement has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "partially-satisfies": "The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.", + "satisfies": "The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.", + "violates": "The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria." + } + }, + "requirementRefs": { + "type": "array", + "title": "Requirement References", + "description": "A list of BOM references linking to requirement objects defined in the BOM.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "Additional context or clarification regarding the assertion." + } + } + } } } } diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index 16f2e7798..6a7f83065 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
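Review bot: `requirementRefs` is required but has no `minItems`, so an assertion with `"requirementRefs": []` validates while linking the component to nothing, which turns a `satisfies` or `violates` claim into noise that is easy to miss; add `"minItems": 1` next to `"uniqueItems": true`. The description "A list of BOM references linking to requirement objects defined in the BOM" no longer matches `refLinkType`, which admits bom-links into other documents; the wording used elsewhere in this commit, `References using bom-link or bom-ref to requirement objects.`, fits. The assertion names a component in its prose but carries no reference to one, so the binding presumably comes from where `requirementAssertions` is embedded; if it is also meant to be usable standalone, a reference to the component would be needed.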
@@ -3,7 +3,7 @@ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-risk-2.0.schema.json", "type": "null", "title": "CycloneDX Risk Model", - "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", @@ -51,7 +51,9 @@ "$defs": { "riskDomain": { "type": "object", - "required": ["type"], + "required": [ + "type" + ], "additionalProperties": false, "properties": { "type": { @@ -140,7 +142,11 @@ }, "scenario": { "type": "object", - "required": ["bom-ref", "name", "type"], + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -156,7 +162,15 @@ }, "type": { "type": "string", - "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], + "enum": [ + "threat", + "vulnerability", + "weakness", + "risk", + "incident", + "opportunity", + "hazard" + ], "meta:enum": { "threat": "Threat scenario", "vulnerability": "Exploitable vulnerability", 
@@ -189,16 +203,16 @@ "affectedAssets": { "type": "array", "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to affected assets" + "description": "References using bom-link or bom-ref to affected assets." }, "mitigations": { "type": "array", "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to mitigations that address this scenario" + "description": "References using bom-link or bom-ref to mitigations that address this scenario." }, "externalReferences": { "type": "array", @@ -210,7 +224,10 @@ "type": "array", "items": { "type": "object", - "required": ["framework", "controlId"], + "required": [ + "framework", + "controlId" + ], "additionalProperties": false, "properties": { "framework": { @@ -240,7 +257,11 @@ }, "risk": { "type": "object", - "required": ["bom-ref", "name", "statement"], + "required": [ + "bom-ref", + "name", + "statement" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -269,9 +290,9 @@ "type": "array", "minItems": 1, "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References to scenarios this risk addresses" + "description": "References using bom-link or bom-ref to scenarios this risk addresses." }, "likelihood": { "$ref": "#/$defs/likelihood" @@ -304,7 +325,14 @@ }, "status": { "type": "string", - "enum": ["identified", "assessed", "mitigated", "accepted", "transferred", "retired"], + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], "meta:enum": { "identified": "Risk has been identified but not yet evaluated", "assessed": "Risk has been assessed and prioritized", 
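Review bot: `affectedAssets` and `mitigations` on `scenario` are arrays of references with no `uniqueItems`, unlike the equivalent reference arrays in the data schema in this commit, which all set `"uniqueItems": true`; a duplicated mitigation reference would validate and could be double-counted by tooling that tallies coverage. The same applies to the risk's scenario references in `@@ -269,9 +290,9 @@` on this line and to `addresses`, `implementedBy` and the plan's `mitigations` in the `-698` and `-783` hunks further down. Adding `"uniqueItems": true` beside `"type": "array"` in each is the one-line fix.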
@@ -315,8 +343,8 @@ } }, "owner": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", - "description": "Owner or accountable party for this risk" + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" @@ -325,14 +353,23 @@ }, "likelihood": { "type": "object", - "required": ["level"], + "required": [ + "level" + ], "additionalProperties": false, "properties": { "level": { "type": "string", "title": "Level", "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", - "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"], + "enum": [ + "certain", + "high", + "low", + "medium", + "veryHigh", + "veryLow" + ], "meta:enum": { "certain": "Almost certain to occur (> 90% probability).", "high": "Likely to occur (60-90% probability).", @@ -371,7 +408,10 @@ "type": "object", "title": "Likelihood Factor", "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", - "required": ["name", "type"], + "required": [ + "name", + "type" + ], "additionalProperties": false, "properties": { "name": { 
@@ -416,7 +456,9 @@ "title": "Custom Likelihood Factor Type", "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", "type": "object", - "required": ["name"], + "required": [ + "name" + ], "additionalProperties": false, "properties": { "name": { @@ -438,7 +480,14 @@ "type": "string", "title": "Level", "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", - "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"], + "enum": [ + "certain", + "high", + "low", + "medium", + "veryHigh", + "veryLow" + ], "meta:enum": { "certain": "This factor almost certainly contributes to risk realization (> 90% influence).", "high": "This factor strongly contributes to risk realization (60-90% influence).", @@ -474,12 +523,20 @@ }, "impact": { "type": "object", - "required": ["level"], + "required": [ + "level" + ], "additionalProperties": false, "properties": { "level": { "type": "string", - "enum": ["negligible", "low", "moderate", "major", "catastrophic"], + "enum": [ + "negligible", + "low", + "moderate", + "major", + "catastrophic" + ], "description": "Impact severity level", "meta:enum": { "negligible": "Minimal impact with no significant consequences", @@ -577,12 +634,20 @@ }, "riskScore": { "type": "object", - "required": ["level"], + "required": [ + "level" + ], "additionalProperties": false, "properties": { "level": { "type": "string", - "enum": ["info", "low", "medium", "high", "critical"], + "enum": [ + "info", + "low", + "medium", + "high", + "critical" + ], "description": "Overall risk level", "meta:enum": { "info": "Informational - no immediate action required", 
@@ -609,7 +674,11 @@
 },
 "riskResponse": {
 "type": "object",
- "required": ["bom-ref", "mitigations", "mitigationPlan"],
+ "required": [
+ "bom-ref",
+ "mitigations",
+ "mitigationPlan"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -630,7 +699,10 @@
 },
 "mitigation": {
 "type": "object",
- "required": ["bom-ref", "reference"],
+ "required": [
+ "bom-ref",
+ "reference"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -638,12 +710,17 @@
 "description": "Unique identifier for this mitigation entry so it can be referenced by a plan"
 },
 "reference": {
- "description": "Reference to a mitigation/control implementing the response.",
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "description": "Reference using bom-link or bom-ref to a mitigation or control implementing the response.",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
 "strategy": {
 "type": "string",
- "enum": ["prevent", "detect", "respond", "recover"],
+ "enum": [
+ "prevent",
+ "detect",
+ "respond",
+ "recover"
+ ],
 "meta:enum": {
 "prevent": "Prevents the risk from occurring",
 "detect": "Detects when the risk occurs",
@@ -668,7 +745,14 @@
 },
 "status": {
 "type": "string",
- "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"],
+ "enum": [
+ "proposed",
+ "approved",
+ "planned",
+ "inProgress",
+ "implemented",
+ "verified"
+ ],
 "meta:enum": {
 "proposed": "Mitigation has been proposed",
 "approved": "Mitigation has been approved",
@@ -686,7 +770,13 @@
 },
 "cost": {
 "type": "string",
- "enum": ["trivial", "low", "medium", "high", "extreme"],
+ "enum": [
+ "trivial",
+ "low",
+ "medium",
+ "high",
+ "extreme"
+ ],
 "meta:enum": {
 "trivial": "Minimal cost and effort",
 "low": "Low cost and effort",
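Review bot: Switching `reference` from `refType` to `refLinkType` admits bom-link URNs that point into a document the validator never sees, so a dangling or mis-addressed cross-BOM link still validates and a mitigation can claim to implement a control that cannot be checked locally. The description should say so, e.g. `"description": "Reference using bom-link or bom-ref to a mitigation or control implementing the response. Cross-document bom-links are not resolved during validation; consumers must verify the linked document before relying on the reference."`. The same note applies to every other `refType` → `refLinkType` switch in this series (`addresses`, `implementedBy`, `mitigations`, `risks`, `abuser`, `targets`, `patternRef`, `weaknessRef`, `appliesTo`, the boundary arrays, and the behavior and usecase files), so one shared sentence in the common schema's `refLinkType` description may be the better place for it.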
@@ -698,16 +788,16 @@
 "addresses": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to scenarios this plan addresses"
+ "description": "References using bom-link or bom-ref to scenarios this plan addresses."
 },
 "implementedBy": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to assets that implement this plan"
+ "description": "References using bom-link or bom-ref to assets that implement this plan."
 },
 "externalReferences": {
 "type": "array",
@@ -722,7 +812,12 @@
 },
 "mitigationPlan": {
 "type": "object",
- "required": ["name", "type", "status", "mitigations"],
+ "required": [
+ "name",
+ "type",
+ "status",
+ "mitigations"
+ ],
 "additionalProperties": false,
 "properties": {
 "name": {
@@ -760,7 +855,14 @@
 },
 "status": {
 "type": "string",
- "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"],
+ "enum": [
+ "proposed",
+ "approved",
+ "planned",
+ "inProgress",
+ "implemented",
+ "verified"
+ ],
 "meta:enum": {
 "proposed": "Mitigation has been proposed",
 "approved": "Mitigation has been approved",
@@ -783,9 +885,9 @@
 "type": "array",
 "minItems": 1,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "List of mitigation bom-refs chosen for this plan"
+ "description": "References using bom-link or bom-ref to mitigations chosen for this plan."
 }
 }
 },
@@ -801,7 +903,13 @@
 },
 "rating": {
 "type": "string",
- "enum": ["ineffective", "marginal", "adequate", "good", "excellent"],
+ "enum": [
+ "ineffective",
+ "marginal",
+ "adequate",
+ "good",
+ "excellent"
+ ],
 "meta:enum": {
 "ineffective": "Does not meaningfully reduce risk",
 "marginal": "Slightly reduces risk",
@@ -814,7 +922,11 @@
 },
 "assessment": {
 "type": "object",
- "required": ["bom-ref", "type", "timestamp"],
+ "required": [
+ "bom-ref",
+ "type",
+ "timestamp"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -822,7 +934,12 @@
 },
 "type": {
 "type": "string",
- "enum": ["initial", "periodic", "continuous", "triggered"],
+ "enum": [
+ "initial",
+ "periodic",
+ "continuous",
+ "triggered"
+ ],
 "meta:enum": {
 "initial": "Initial risk assessment",
 "periodic": "Scheduled periodic assessment",
@@ -836,8 +953,8 @@
 "description": "When the assessment was performed"
 },
 "assessor": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact",
- "description": "Who performed the assessment"
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party that performed the assessment. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `auditor` or `assessor` (custom) depending on the assessment type."
 },
 "summary": {
 "type": "string",
@@ -846,18 +963,25 @@
 "risks": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to risk entries evaluated in this assessment"
+ "description": "References using bom-link or bom-ref to risk entries evaluated in this assessment."
 },
 "overallRisk": {
 "type": "object",
- "required": ["method", "score"],
+ "required": [
+ "method",
+ "score"
+ ],
 "additionalProperties": false,
 "properties": {
 "method": {
 "type": "string",
- "enum": ["sum", "average", "custom"],
+ "enum": [
+ "sum",
+ "average",
+ "custom"
+ ],
 "description": "Aggregation method used to derive the overall risk"
 },
 "score": {
@@ -889,7 +1013,13 @@
 },
 "priority": {
 "type": "string",
- "enum": ["none", "low", "medium", "high", "critical"],
+ "enum": [
+ "none",
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
 "description": "Priority level",
 "meta:enum": {
 "none": "No priority assigned",
@@ -901,7 +1031,13 @@
 },
 "severity": {
 "type": "string",
- "enum": ["info", "low", "medium", "high", "critical"],
+ "enum": [
+ "info",
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
 "description": "Severity level",
 "meta:enum": {
 "info": "Informational finding",
@@ -913,7 +1049,13 @@
 },
 "criticality": {
 "type": "string",
- "enum": ["minimal", "low", "moderate", "high", "critical"],
+ "enum": [
+ "minimal",
+ "low",
+ "moderate",
+ "high",
+ "critical"
+ ],
 "description": "Business criticality level",
 "meta:enum": {
 "minimal": "Minimal impact on business operations",
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
index 4bf449320..eb4655331 100644
--- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-threat-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Threat Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "threatScenario": {
 "type": "object",
@@ -85,7 +85,11 @@
 },
 "threatActor": {
 "type": "object",
- "required": ["bom-ref", "name", "type"],
+ "required": [
+ "bom-ref",
+ "name",
+ "type"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -101,7 +105,13 @@
 },
 "type": {
 "type": "string",
- "enum": ["individual", "group", "organization", "nation-state", "unknown"],
+ "enum": [
+ "individual",
+ "group",
+ "organization",
+ "nation-state",
+ "unknown"
+ ],
 "meta:enum": {
 "individual": "Individual threat actor",
 "group": "Organized group or collective",
@@ -151,7 +161,13 @@
 "properties": {
 "sophistication": {
 "type": "string",
- "enum": ["none", "minimal", "intermediate", "advanced", "expert"],
+ "enum": [
+ "none",
+ "minimal",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
 "meta:enum": {
 "none": "No technical sophistication",
 "minimal": "Script kiddie level",
@@ -183,17 +199,34 @@
 },
 "intent": {
 "type": "string",
- "enum": ["accidental", "opportunistic", "targeted", "persistent"],
+ "enum": [
+ "accidental",
+ "opportunistic",
+ "targeted",
+ "persistent"
+ ],
 "description": "Intent level"
 },
 "resources": {
 "type": "string",
- "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"],
+ "enum": [
+ "minimal",
+ "limited",
+ "moderate",
+ "substantial",
+ "unlimited"
+ ],
 "description": "Resource availability"
 },
 "accessLevel": {
 "type": "string",
- "enum": ["none", "external", "internal", "privileged", "physical"],
+ "enum": [
+ "none",
+ "external",
+ "internal",
+ "privileged",
+ "physical"
+ ],
 "description": "Level of access to target systems"
 },
 "skillSet": {
@@ -211,7 +244,12 @@
 "properties": {
 "type": {
 "type": "string",
- "enum": ["network", "adjacent", "local", "physical"],
+ "enum": [
+ "network",
+ "adjacent",
+ "local",
+ "physical"
+ ],
 "meta:enum": {
 "network": "Remotely exploitable via network",
 "adjacent": "Exploitable from adjacent network",
@@ -229,24 +267,37 @@
 },
 "privileges": {
 "type": "string",
- "enum": ["none", "low", "high"],
+ "enum": [
+ "none",
+ "low",
+ "high"
+ ],
 "description": "Privileges required"
 },
 "userInteraction": {
 "type": "string",
- "enum": ["none", "required"],
+ "enum": [
+ "none",
+ "required"
+ ],
 "description": "User interaction requirement"
 },
 "scope": {
 "type": "string",
- "enum": ["unchanged", "changed"],
+ "enum": [
+ "unchanged",
+ "changed"
+ ],
 "description": "Scope impact"
 }
 }
 },
 "abuseCase": {
 "type": "object",
- "required": ["bom-ref", "name"],
+ "required": [
+ "bom-ref",
+ "name"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -261,15 +312,15 @@
 "description": "Narrative describing how the system can be misused or abused"
 },
 "abuser": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference (bom-ref) to a threat actor involved in the abuse case"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to a threat actor involved in the abuse case."
 },
 "targets": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References (bom-refs) to assets or flows targeted in this abuse case"
+ "description": "References using bom-link or bom-ref to assets or flows targeted in this abuse case."
 },
 "steps": {
 "type": "array",
@@ -282,7 +333,10 @@
 },
 "attackPattern": {
 "type": "object",
- "required": ["bom-ref", "name"],
+ "required": [
+ "bom-ref",
+ "name"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -317,9 +371,9 @@
 "mitigations": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to mitigations"
+ "description": "References using bom-link or bom-ref to mitigations."
 },
 "examples": {
 "type": "array",
@@ -335,8 +389,8 @@
 "additionalProperties": false,
 "properties": {
 "patternRef": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference to attack pattern"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to an attack pattern."
 },
 "capecId": {
 "type": "integer",
@@ -379,7 +433,9 @@
 },
 "weakness": {
 "type": "object",
- "required": ["bom-ref"],
+ "required": [
+ "bom-ref"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -399,7 +455,13 @@
 },
 "abstraction": {
 "type": "string",
- "enum": ["pillar", "class", "base", "variant", "compound"],
+ "enum": [
+ "pillar",
+ "class",
+ "base",
+ "variant",
+ "compound"
+ ],
 "meta:enum": {
 "pillar": "Most abstract type of weakness",
 "class": "Weakness described in generic terms",
@@ -410,7 +472,11 @@
 },
 "ordinality": {
 "type": "string",
- "enum": ["primary", "resultant", "indirect"],
+ "enum": [
+ "primary",
+ "resultant",
+ "indirect"
+ ],
 "meta:enum": {
 "primary": "Weakness exists independent of other weaknesses",
 "resultant": "Weakness is caused by another weakness",
@@ -420,13 +486,19 @@
 "affectedAssets": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "Assets affected by this weakness"
+ "description": "References using bom-link or bom-ref to assets affected by this weakness."
 },
 "exploitationDifficulty": {
 "type": "string",
- "enum": ["trivial", "easy", "moderate", "difficult", "impractical"],
+ "enum": [
+ "trivial",
+ "easy",
+ "moderate",
+ "difficult",
+ "impractical"
+ ],
 "description": "Difficulty of exploiting this weakness"
 },
 "detectionMethods": {
@@ -443,8 +515,8 @@
 "additionalProperties": false,
 "properties": {
 "weaknessRef": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference to weakness"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to a weakness."
 },
 "cweId": {
 "type": "integer",
@@ -462,7 +534,12 @@
 "properties": {
 "level": {
 "type": "string",
- "enum": ["theoretical", "proof-of-concept", "functional", "weaponized"],
+ "enum": [
+ "theoretical",
+ "proof-of-concept",
+ "functional",
+ "weaponized"
+ ],
 "meta:enum": {
 "theoretical": "Theoretically possible but not demonstrated",
 "proof-of-concept": "Proof of concept exists",
@@ -472,12 +549,24 @@
 },
 "complexity": {
 "type": "string",
- "enum": ["trivial", "low", "medium", "high", "very-high"],
+ "enum": [
+ "trivial",
+ "low",
+ "medium",
+ "high",
+ "very-high"
+ ],
 "description": "Complexity to exploit"
 },
 "skillRequired": {
 "type": "string",
- "enum": ["none", "basic", "intermediate", "advanced", "expert"],
+ "enum": [
+ "none",
+ "basic",
+ "intermediate",
+ "advanced",
+ "expert"
+ ],
 "description": "Skill level required"
 },
 "toolsRequired": {
@@ -493,7 +582,12 @@
 },
 "reliability": {
 "type": "string",
- "enum": ["unreliable", "occasional", "reliable", "highly-reliable"],
+ "enum": [
+ "unreliable",
+ "occasional",
+ "reliable",
+ "highly-reliable"
+ ],
 "description": "Reliability of exploitation"
 },
 "automatable": {
@@ -538,12 +632,21 @@
 },
 "signature": {
 "type": "object",
- "required": ["type", "value"],
+ "required": [
+ "type",
+ "value"
+ ],
 "additionalProperties": false,
 "properties": {
 "type": {
 "type": "string",
- "enum": ["yara", "snort", "regex", "hash", "behavior"],
+ "enum": [
+ "yara",
+ "snort",
+ "regex",
+ "hash",
+ "behavior"
+ ],
 "description": "Type of signature"
 },
 "value": {
@@ -556,7 +659,11 @@
 },
 "confidence": {
 "type": "string",
- "enum": ["low", "medium", "high"],
+ "enum": [
+ "low",
+ "medium",
+ "high"
+ ],
 "description": "Confidence level of detection"
 }
 }
@@ -594,7 +701,9 @@
 },
 "tool": {
 "type": "object",
- "required": ["name"],
+ "required": [
+ "name"
+ ],
 "additionalProperties": false,
 "properties": {
 "name": {
@@ -603,7 +712,14 @@
 },
 "type": {
 "type": "string",
- "enum": ["exploit", "scanner", "fuzzer", "proxy", "framework", "custom"],
+ "enum": [
+ "exploit",
+ "scanner",
+ "fuzzer",
+ "proxy",
+ "framework",
+ "custom"
+ ],
 "description": "Type of tool"
 },
 "version": {
@@ -655,12 +771,21 @@
 },
 "detectionMethod": {
 "type": "object",
- "required": ["method"],
+ "required": [
+ "method"
+ ],
 "additionalProperties": false,
 "properties": {
 "method": {
 "type": "string",
- "enum": ["static-analysis", "dynamic-analysis", "penetration-test", "code-review", "architecture-review", "automated-scan"],
+ "enum": [
+ "static-analysis",
+ "dynamic-analysis",
+ "penetration-test",
+ "code-review",
+ "architecture-review",
+ "automated-scan"
+ ],
 "description": "Detection method type"
 },
 "description": {
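Review bot: In the `signature` hunk the `type` enum now spells out `yara`, `snort`, `regex` and `hash`, i.e. `value` is a payload a consumer will compile or compare, yet the hunk only makes `value` required; its schema continues past the hunk, so I cannot see whether it carries `minLength`/`maxLength`. If it does not, add `"minLength": 1` and a `maxLength`, and say in the `value` description that it is untrusted input: a regex or rule body taken from a BOM should be compiled with the engine's size and time limits rather than loaded directly into a detection pipeline. For `hash`, stating the expected encoding (hex digest, algorithm prefix) in the description would keep consumers from comparing incomparable values.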
@@ -669,7 +794,11 @@
 },
 "effectiveness": {
 "type": "string",
- "enum": ["low", "medium", "high"],
+ "enum": [
+ "low",
+ "medium",
+ "high"
+ ],
 "description": "Effectiveness of the method"
 },
 "tools": {
@@ -683,7 +812,11 @@
 },
 "securityPolicy": {
 "type": "object",
- "required": ["bom-ref", "name", "type"],
+ "required": [
+ "bom-ref",
+ "name",
+ "type"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -695,7 +828,14 @@
 },
 "type": {
 "type": "string",
- "enum": ["access-control", "data-protection", "network-security", "application-security", "operational-security", "compliance"],
+ "enum": [
+ "access-control",
+ "data-protection",
+ "network-security",
+ "application-security",
+ "operational-security",
+ "compliance"
+ ],
 "description": "Type of security policy"
 },
 "description": {
@@ -711,15 +851,19 @@
 },
 "enforcement": {
 "type": "string",
- "enum": ["mandatory", "recommended", "optional"],
+ "enum": [
+ "mandatory",
+ "recommended",
+ "optional"
+ ],
 "description": "Enforcement level"
 },
 "appliesTo": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "Assets this policy applies to"
+ "description": "References using bom-link or bom-ref to assets this policy applies to."
 },
 "exceptions": {
 "type": "array",
@@ -740,7 +884,12 @@
 "properties": {
 "trustLevel": {
 "type": "string",
- "enum": ["untrusted", "semi-trusted", "trusted", "highly-trusted"],
+ "enum": [
+ "untrusted",
+ "semi-trusted",
+ "trusted",
+ "highly-trusted"
+ ],
 "description": "Trust level differential"
 },
 "securityRequirements": {
@@ -749,16 +898,16 @@
 "threatsAtBoundary": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "Threats that could exploit this boundary"
+ "description": "References using bom-link or bom-ref to threats that could exploit this boundary."
 },
 "controlsAtBoundary": {
 "type": "array",
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "Controls implemented at this boundary"
+ "description": "References using bom-link or bom-ref to controls implemented at this boundary."
 }
 }
 }
@@ -770,12 +919,23 @@
 "properties": {
 "authenticationStrength": {
 "type": "string",
- "enum": ["none", "weak", "moderate", "strong", "very-strong"],
+ "enum": [
+ "none",
+ "weak",
+ "moderate",
+ "strong",
+ "very-strong"
+ ],
 "description": "Required authentication strength"
 },
 "authorizationGranularity": {
 "type": "string",
- "enum": ["coarse", "medium", "fine", "very-fine"],
+ "enum": [
+ "coarse",
+ "medium",
+ "fine",
+ "very-fine"
+ ],
 "description": "Authorization granularity required"
 },
 "integrityVerification": {
@@ -788,7 +948,12 @@
 },
 "auditingLevel": {
 "type": "string",
- "enum": ["none", "basic", "detailed", "comprehensive"],
+ "enum": [
+ "none",
+ "basic",
+ "detailed",
+ "comprehensive"
+ ],
 "description": "Level of auditing required"
 },
 "dataValidationRules": {
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
index d1d35303f..e3fb3350c 100644
--- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-usecase-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Use Case Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "useCases": {
 "type": "array",
@@ -18,7 +18,9 @@
 "type": "object",
 "title": "Use Case",
 "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.",
- "required": ["name"],
+ "required": [
+ "name"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -40,9 +42,9 @@
 "title": "Actors",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow."
+ "description": "References using bom-link or bom-ref to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow."
 },
 "preconditions": {
 "type": "array",
@@ -102,9 +104,9 @@
 "title": "Requirements",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 },
- "description": "References to the requirements that are implemented, validated, or addressed by this use case"
+ "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."
 },
 "notes": {
 "type": "array",
@@ -124,7 +126,10 @@
 "type": "object",
 "title": "Step",
 "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.",
- "required": ["number", "description"],
+ "required": [
+ "number",
+ "description"
+ ],
 "additionalProperties": false,
 "properties": {
 "number": {
@@ -140,8 +145,8 @@
 "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."
 },
 "actor": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
- "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."
 }
 }
 },
@@ -149,7 +154,10 @@
 "type": "object",
 "title": "Flow",
 "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.",
- "required": ["name", "condition"],
+ "required": [
+ "name",
+ "condition"
+ ],
 "additionalProperties": false,
 "properties": {
 "name": {
@@ -183,7 +191,10 @@
 "type": "object",
 "title": "Exception",
 "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.",
- "required": ["name", "condition"],
+ "required": [
+ "name",
+ "condition"
+ ],
 "additionalProperties": false,
 "properties": {
 "name": {
@@ -209,6 +220,72 @@
 "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."
 }
 }
+ },
+ "useCaseAssertions": {
+ "type": "array",
+ "title": "Use Case Assertions",
+ "description": "A list of assertions describing how a component relates to use cases defined in the BOM.",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "title": "Use Case Assertion",
+ "description": "An assertion linking one or more use cases to a component, specifying the nature of the relationship.",
+ "required": [
+ "assertionType",
+ "useCaseRefs"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+ },
+ "assertionType": {
+ "type": "string",
+ "title": "Assertion Type",
+ "description": "The type of assertion being made about the relationship between the component and the use case.",
+ "enum": [
+ "extends",
+ "implements",
+ "inhibits",
+ "not-applicable",
+ "not-assessed",
+ "other",
+ "participates-in",
+ "supports",
+ "triggers",
+ "validates"
+ ],
+ "meta:enum": {
+ "extends": "The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.",
+ "implements": "The component implements or realises the use case, providing the primary capability that makes the use case functional.",
+ "inhibits": "The component is known to interfere with or block the correct execution of the use case.",
+ "not-applicable": "The use case does not pertain to this component. 
The evaluator has reviewed the use case and determined it is irrelevant.",
+ "not-assessed": "The relationship between the component and the use case has not yet been evaluated.",
+ "other": "A relationship that does not fit into the other predefined assertion types.",
+ "participates-in": "The component participates in the use case but is not solely responsible for its implementation.",
+ "supports": "The component provides enabling infrastructure for the use case without directly implementing or participating in it.",
+ "triggers": "The component initiates or kicks off the use case without being responsible for its implementation.",
+ "validates": "The component validates, tests, or verifies the correct execution of the use case."
+ }
+ },
+ "useCaseRefs": {
+ "type": "array",
+ "title": "Use Case References",
+ "description": "A list of BOM references linking to use case objects defined in the BOM.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ }
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Additional context or clarification regarding the assertion."
+ }
+ }
+ }
 }
 }
 }
From 8a147167db06ccbe56a74a12c09431ac5ba786b2 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 5 Jun 2026 15:49:25 -0500
Subject: [PATCH 25/44] WIP 2.0 threat-modeling schema set
- threat: rewrite into `threat` (catalog) plus `threatScenario` (realization); add attackTree, methodology-gated categories, trustBoundary, threatProfiles
- weakness: created new cyclonedx-weakness-2.0 model
- vulnerability: replace `cwes` with `weaknesses`
- profile: added threatProfiles to threat model;
- risk: add `risks` collection, fix kebab-case, drop orphan control
- behavior, usecase, requirement: refLinkType refs, required bom-ref, uniqueItems
- root: wire in `threats` and `risks`
- tests: update vulnerability test for 2.0
BREAKING: removes vulnerability.cwes and common.weakness.
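Review bot: `useCaseRefs` is listed in `required` but has no `minItems`, so `"useCaseRefs": []` validates and yields an assertion such as `implements` that links to no use case at all. Add `"minItems": 1` next to `"uniqueItems": true` inside `useCaseRefs`. Its description also says "BOM references linking to use case objects defined in the BOM" while the items are `refLinkType`, which accepts bom-links into other documents that validation cannot resolve; the wording should mention that, as the sibling descriptions in this series do ("References using bom-link or bom-ref ..."). Keeping the assertion's own `bom-ref` as `refType` is correct since it is a local identifier rather than a reference.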
Signed-off-by: Steve Springett
---
 schema/2.0/cyclonedx-2.0.schema.json | 6 +
 .../model/cyclonedx-behavior-2.0.schema.json | 16 +-
 .../model/cyclonedx-profile-2.0.schema.json | 5 +-
 .../cyclonedx-requirement-2.0.schema.json | 15 +-
 .../2.0/model/cyclonedx-risk-2.0.schema.json | 55 +-
 .../model/cyclonedx-threat-2.0.schema.json | 1414 ++++++++++-------
 .../model/cyclonedx-usecase-2.0.schema.json | 2 +
 .../cyclonedx-vulnerability-2.0.schema.json | 17 +-
 .../model/cyclonedx-weakness-2.0.schema.json | 71 +
 .../2.0/valid-vulnerability-2.0.json | 12 +-
 10 files changed, 946 insertions(+), 667 deletions(-)
 create mode 100644 schema/2.0/model/cyclonedx-weakness-2.0.schema.json
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
index bcd14808c..806d82581 100644
--- a/schema/2.0/cyclonedx-2.0.schema.json
+++ b/schema/2.0/cyclonedx-2.0.schema.json
@@ -64,6 +64,12 @@
 "vulnerabilities": {
 "$ref": "model/cyclonedx-vulnerability-2.0.schema.json#/$defs/vulnerabilities"
 },
+ "threats": {
+ "$ref": "model/cyclonedx-threat-2.0.schema.json#/$defs/threats"
+ },
+ "risks": {
+ "$ref": "model/cyclonedx-risk-2.0.schema.json#/$defs/risks"
+ },
 "annotations": {
 "$ref": "model/cyclonedx-annotation-2.0.schema.json#/$defs/annotations"
 },
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
index c9ac42d7a..abc489e66 100644
--- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
@@ -55,19 +55,19 @@
 "actors": {
 "type": "array",
 "title": "Actors",
- "description": "References to objects that perform this behavior.",
+ "description": "References using bom-link or bom-ref to objects that perform this behavior.",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 }
 },
 "targets": {
 "type": "array",
 "title": "Targets",
- "description": "References to objects affected by this behavior.",
+ "description": "References using bom-link or bom-ref to objects affected by this behavior.",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 }
 }
 }
@@ -220,19 +220,19 @@
 "actors": {
 "type": "array",
 "title": "Actors",
- "description": "References to objects that perform this step.",
+ "description": "References using bom-link or bom-ref to objects that perform this step.",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 }
 },
 "targets": {
 "type": "array",
 "title": "Targets",
- "description": "References to objects affected by this step.",
+ "description": "References using bom-link or bom-ref to objects affected by this step.",
 "uniqueItems": true,
 "items": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
 }
 }
 },
diff --git a/schema/2.0/model/cyclonedx-profile-2.0.schema.json b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
index 8f92babe6..0adbe8eb1 100644
--- a/schema/2.0/model/cyclonedx-profile-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-profile-2.0.schema.json
@@ -8,11 +8,14 @@
 "profiles": {
 "type": "object",
 "title": "Profiles",
- "description": "A reusable, named characterization of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it.",
+ "description": "A registry of reusable, named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.",
 "additionalProperties": false,
 "properties": {
 "dataProfiles": {
 "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfiles"
+ },
+ "threatProfiles": {
+ "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatProfiles"
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
index 94c22b000..d141b1b67 100644
--- a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
@@ -18,6 +18,9 @@
 "type": "object",
 "title": "Requirement",
 "description": "A requirement represents a specific need, constraint, or capability that must be met.",
+ "required": [
+ "bom-ref"
+ ],
 "additionalProperties": false,
 "properties": {
 "bom-ref": {
@@ -72,7 +75,8 @@
 "description": "The individuals or groups who have an interest in the requirement.",
 "items": {
 "type": "string"
- }
+ },
+ "uniqueItems": true
 },
 "acceptanceCriteria": {
 "type": "array",
@@ -80,7 +84,8 @@
 "description": "Criteria that must be met for the requirement to be considered satisfied.",
 "items": {
 "$ref": "#/$defs/acceptanceCriterion"
- }
+ },
+ "uniqueItems": true
 },
 "dependencies": {
 "type": "array",
@@ -88,7 +93,8 @@ "description": "Other requirements that this requirement depends on.", "items": { "$ref": "#/$defs/dependency" - } + }, + "uniqueItems": true }, "parent": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", @@ -127,7 +133,8 @@ "description": "Files or documents attached to the requirement.", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" - } + }, + "uniqueItems": true }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index 6a7f83065..eecea7e61 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
@@ -4,51 +4,16 @@ "type": "null", "title": "CycloneDX Risk Model", "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" - }, - "domains": { - "type": "array", - "description": "Risk domains covered by this assessment", - "items": { - "$ref": "#/$defs/riskDomain" - } - }, - "scenarios": { - "type": "array", - "items": { - "$ref": "#/$defs/scenario" - }, - "description": "Risk scenarios identified" - }, + "$defs": { "risks": { "type": "array", + "title": "Risks", + "uniqueItems": true, "items": { "$ref": "#/$defs/risk" }, - "description": "Documented risks derived from scenarios" + "description": "The documented risks identified through risk analysis." }, - "mitigations": { - "type": "array", - "items": { - "$ref": "#/$defs/mitigation" - }, - "description": "Controls, countermeasures, or mitigations to address identified risks" - }, - "assessments": { - "type": "array", - "items": { - "$ref": "#/$defs/assessment" - }, - "description": "Risk assessments and evaluations" - }, - "properties": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - } - }, - "$defs": { "riskDomain": { "type": "object", "required": [ @@ -68,7 +33,7 @@ "reputational", "safety", "environmental", - "supply_chain", + "supply-chain", "technical", "project" ], 
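Review bot: The hunk deletes the top-level `bom-ref`, `domains`, `scenarios`, `mitigations` and `assessments` properties but keeps `riskDomain` under `$defs`, and it is not visible here whether the `scenario`, `mitigation` and `assessment` definitions those properties referenced still exist further down; if they do they are now unreferenced and should either be wired into `risk` or removed so the schema does not ship dead definitions. Renaming `supply_chain` to `supply-chain` (and the underscore attributes in the following hunks) is a breaking change for any document produced against the earlier 2.0 draft; acceptable for an unreleased schema, but it deserves a line in the change notes. The surviving `risks` array could also state how it is reached from the threat model, e.g. `"description": "The documented risks identified through risk analysis. Threat scenarios reference these by bom-ref via relatedRisks."`.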
@@ -82,7 +47,7 @@ "reputational": "Brand and reputation damage risks", "safety": "Human safety and physical security risks", "environmental": "Environmental impact and sustainability risks", - "supply_chain": "Supply chain and third-party risks", + "supply-chain": "Supply chain and third-party risks", "technical": "Technical and technology risks", "project": "Project delivery and execution risks" } @@ -109,13 +74,13 @@ "confidentiality", "connectivity", "control", - "data_subject_rights", + "data-subject-rights", "integrity", "minimisation", "non-repudiation", "possession", "privacy", - "purpose_limitation", + "purpose-limitation", "transparency", "utility" ], 
@@ -129,13 +94,13 @@ "confidentiality": "Preventing unauthorised access to or disclosure of information", "connectivity": "Maintaining secure and reliable communication between systems or components", "control": "Enabling individuals to manage how their personal data is used and shared", - "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", "possession": "Ensuring control or custody over data or assets, regardless of ownership", "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", - "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", "utility": "Ensuring data is usable and in a format suitable for the intended purpose" } diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index eb4655331..a254b1609 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json 
@@ -5,179 +5,355 @@ "title": "CycloneDX Threat Model", "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { - "threatScenario": { + "threats": { "type": "object", - "allOf": [ - { - "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/scenario" - }, - { - "properties": { - "threatCategory": { - "type": "string", - "description": "Threat category based on methodology (e.g., STRIDE category)" - }, - "threatActor": { - "$ref": "#/$defs/threatActorProfile" - }, - "attackVector": { - "$ref": "#/$defs/attackVector" - }, - "attackPattern": { - "$ref": "#/$defs/attackPatternReference" - }, - "abuseCases": { - "type": "array", - "items": { - "$ref": "#/$defs/abuseCase" - }, - "description": "Abuse or misuse cases that illustrate how this threat can be exercised" - }, - "weakness": { - "$ref": "#/$defs/weaknessReference" - }, - "exploitability": { - "$ref": "#/$defs/exploitability" - }, - "indicators": { - "$ref": "#/$defs/indicators" - }, - "killChainPhase": { - "type": "string", - "enum": [ - "reconnaissance", - "weaponization", - "delivery", - "exploitation", - "installation", - "command-and-control", - "actions-on-objectives" - ], - "meta:enum": { - "reconnaissance": "Gathering information about the target", - "weaponization": "Creating malicious payloads", - "delivery": "Transmitting weapon to target", - "exploitation": "Exploiting vulnerabilities", - "installation": "Installing malware or backdoors", - "command-and-control": "Establishing C2 channel", - "actions-on-objectives": "Achieving attack goals" - } - }, - "technicalImpact": { - "type": "array", - "items": { - "type": "string", - "enum": [ - "unauthorized-access", - "data-breach", - "data-corruption", - "service-disruption", - 
"privilege-escalation", - "code-execution", - "information-disclosure", - "denial-of-service" - ] - } - } - } + "title": "Threats", + "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, the trust boundaries they cross, and the security policies that govern the system.", + "additionalProperties": false, + "properties": { + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/threat" + }, + "description": "The documented threats. Each describes what can go wrong, independent of any specific actor or occurrence." + }, + "scenarios": { + "type": "array", + "title": "Scenarios", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/threatScenario" + }, + "description": "The threat scenarios, each realizing one or more documented threats in a specific way." + }, + "attackPatterns": { + "type": "array", + "title": "Attack Patterns", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/attackPattern" + }, + "description": "A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference." + }, + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/attackTree" + }, + "description": "Attack trees that decompose attacker goals into sub-goals and techniques." + }, + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that describe how the system can be exercised by an adversary." + }, + "trustBoundaries": { + "type": "array", + "title": "Trust Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/trustBoundary" + }, + "description": "The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } - ] + } }, - "threatActor": { + "threat": { "type": "object", + "title": "Threat", + "description": "A documented threat, describing what can go wrong independent of any specific actor or occurrence. A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.", + "additionalProperties": false, "required": [ "bom-ref", - "name", - "type" + "name" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link." }, "name": { "type": "string", - "description": "Name or identifier of the threat actor" + "minLength": 1, + "title": "Name", + "description": "The name of the threat." }, "description": { "type": "string", - "description": "Description of the threat actor" + "title": "Description", + "description": "A description of the threat." }, - "type": { + "source": { + "type": "string", + "title": "Source", + "description": "The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity." + }, + "categories": { + "type": "array", + "title": "Categories", + "uniqueItems": true, + "description": "The methodology-specific categories that this threat falls under. A threat may be categorized under more than one methodology, for example STRIDE and MAESTRO. The methodology is one of the supported threat-modelling methodologies, and it determines which category values are permitted.", + "items": { + "type": "object", + "title": "Threat Category", + "description": "A threat category. 
The methodology determines the permitted category values.", + "additionalProperties": false, + "required": ["methodology", "category"], + "properties": { + "methodology": { + "type": "string", + "title": "Methodology", + "description": "The threat-modelling methodology that the category is drawn from.", + "enum": ["STRIDE", "LINDDUN", "MAESTRO", "MITRE-ATTACK"], + "meta:enum": { + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.", + "MITRE-ATTACK": "The MITRE ATT&CK framework, whose categories are its Enterprise tactics." + } + }, + "category": { + "type": "string", + "minLength": 1, + "title": "Category", + "description": "The category within the methodology. The permitted values are determined by the methodology." + } + }, + "allOf": [ + { + "if": { + "required": ["methodology"], + "properties": { "methodology": { "const": "STRIDE" } } + }, + "then": { + "properties": { + "category": { + "enum": ["spoofing", "tampering", "repudiation", "information-disclosure", "denial-of-service", "elevation-of-privilege"], + "meta:enum": { + "spoofing": "Impersonating something or someone, violating authenticity.", + "tampering": "Modifying data or code, violating integrity.", + "repudiation": "Denying having performed an action, violating non-repudiation.", + "information-disclosure": "Exposing information to unauthorized parties, violating confidentiality.", + "denial-of-service": "Denying or degrading service to legitimate users, violating availability.", + "elevation-of-privilege": "Gaining capabilities without proper authorization, violating authorization." 
+ } + } + } + } + }, + { + "if": { + "required": ["methodology"], + "properties": { "methodology": { "const": "LINDDUN" } } + }, + "then": { + "properties": { + "category": { + "enum": ["linkability", "identifiability", "non-repudiation", "detectability", "disclosure-of-information", "unawareness", "non-compliance"], + "meta:enum": { + "linkability": "Linking data items to learn more about an individual.", + "identifiability": "Identifying an individual from data.", + "non-repudiation": "Being unable to deny a claim, harming plausible deniability.", + "detectability": "Detecting that an item of interest exists.", + "disclosure-of-information": "Revealing personal data, violating confidentiality.", + "unawareness": "Individuals being unaware of the processing of their data.", + "non-compliance": "Deviating from policy, regulation, or best practice." + } + } + } + } + }, + { + "if": { + "required": ["methodology"], + "properties": { "methodology": { "const": "MAESTRO" } } + }, + "then": { + "properties": { + "category": { + "enum": ["foundation-models", "data-operations", "agent-frameworks", "deployment-and-infrastructure", "evaluation-and-observability", "security-and-compliance", "agent-ecosystem"], + "meta:enum": { + "foundation-models": "Layer 1. The core models that provide the agent's capabilities.", + "data-operations": "Layer 2. Storage, retrieval, and processing of the agent's data.", + "agent-frameworks": "Layer 3. The frameworks and tools that build and run agents.", + "deployment-and-infrastructure": "Layer 4. The infrastructure on which agents are deployed and scaled.", + "evaluation-and-observability": "Layer 5. Evaluation, monitoring, and observability of agent behaviour.", + "security-and-compliance": "Layer 6. The cross-cutting security and compliance controls.", + "agent-ecosystem": "Layer 7. The applications and marketplace where agents deliver value to end-users." 
+ } + } + } + } + }, + { + "if": { + "required": ["methodology"], + "properties": { "methodology": { "const": "MITRE-ATTACK" } } + }, + "then": { + "properties": { + "category": { + "enum": ["reconnaissance", "resource-development", "initial-access", "execution", "persistence", "privilege-escalation", "defense-evasion", "credential-access", "discovery", "lateral-movement", "collection", "command-and-control", "exfiltration", "impact"] + } + } + } + } + ] + } + }, + "weaknesses": { + "$ref": "cyclonedx-weakness-2.0.schema.json#/$defs/weaknesses", + "description": "The weaknesses, such as CWE classifications, that this threat exploits." + }, + "attackPatterns": { + "type": "array", + "title": "Attack Patterns", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack patterns by which this threat is carried out." + }, + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack trees that decompose this threat." + }, + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the abuse cases that illustrate how this threat can be exercised." 
+ }, + "killChainPhase": { "type": "string", + "title": "Kill Chain Phase", + "description": "The phase of the cyber kill chain at which this threat operates.", "enum": [ - "individual", - "group", - "organization", - "nation-state", - "unknown" + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" ], "meta:enum": { - "individual": "Individual threat actor", - "group": "Organized group or collective", - "organization": "Corporate or criminal organization", - "nation-state": "Nation-state sponsored actor", - "unknown": "Unknown threat actor type" + "reconnaissance": "Gathering information about the target.", + "weaponization": "Creating a malicious payload.", + "delivery": "Transmitting the payload to the target.", + "exploitation": "Exploiting a vulnerability or weakness.", + "installation": "Installing malicious software or establishing a foothold.", + "command-and-control": "Establishing a command and control channel.", + "actions-on-objectives": "Achieving the goals of the attack." } }, - "aliases": { + "behaviors": { "type": "array", + "title": "Behaviors", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Known aliases or alternative names" + "description": "References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy." }, - "profile": { - "$ref": "#/$defs/threatActorProfile" + "indicators": { + "$ref": "#/$defs/indicators" }, - "observedTTPs": { + "affectedAssets": { "type": "array", + "title": "Affected Assets", + "uniqueItems": true, "items": { - "$ref": "#/$defs/ttp" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Observed tactics, techniques, and procedures" + "description": "References using bom-link or bom-ref to the kinds of assets this threat affects." 
}, - "attributedAttacks": { + "mitigations": { "type": "array", + "title": "Mitigations", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Attacks attributed to this actor" - }, - "targeting": { - "$ref": "#/$defs/targeting" + "description": "References using bom-link or bom-ref to the controls that mitigate this threat." }, "externalReferences": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - } + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } }, - "threatActorProfile": { + "threatScenario": { "type": "object", + "title": "Threat Scenario", + "description": "A specific realization of a threat, in which an actor seeks to cause harm. The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.", "additionalProperties": false, + "required": [ + "bom-ref", + "name", + "threats" + ], "properties": { - "sophistication": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link." + }, + "name": { "type": "string", - "enum": [ - "none", - "minimal", - "intermediate", - "advanced", - "expert" - ], - "meta:enum": { - "none": "No technical sophistication", - "minimal": "Script kiddie level", - "intermediate": "Intermediate technical skills", - "advanced": "Advanced persistent threat", - "expert": "Nation-state level capabilities" - } + "minLength": 1, + "title": "Name", + "description": "The name of the threat scenario." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the threat scenario." + }, + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats." + }, + "actor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that is the actor in this scenario. Named adversary groups are organizations and abstract attacker classes are personas." + }, + "threatProfile": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor." }, "motivation": { "type": "array", + "title": "Motivation", + "uniqueItems": true, + "description": "The motivations of the actor in this scenario.", "items": { "type": "string", "enum": [ 
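Review bot: The new `threats.abuseCases` array resolves `#/$defs/abuseCase`, yet the later hunk of this same file deletes the existing `abuseCase` definition; unless it is re-added with the new title/description shape beyond this view, that `$ref` dangles and validators will refuse to load the schema, so please confirm. A second point is `threatScenario.actor`: its description asserts that adversary groups are organizations and attacker classes are personas, but `refLinkType` cannot enforce the target's type, so the text should tell implementers to check it, e.g. `"description": "Reference using bom-link or bom-ref to the party that is the actor in this scenario. Consumers should reject a reference that does not resolve to a party; named adversary groups are organizations and abstract attacker classes are personas."`. The removed `technicalImpact` list (code-execution, data-breach, privilege-escalation, …) has no direct successor on the new side; if `impact` from the risk schema is meant to replace it, the `threat` description should say so. Finally, the `"required": ["methodology"]` inside each `if` is redundant because the category item already requires `methodology`; harmless, but it can be dropped.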
@@ -193,33 +369,44 @@ "competitive", "revenge", "activism" - ] - }, - "description": "Primary motivations" + ], + "meta:enum": { + "financial": "Motivated by financial gain.", + "political": "Motivated by political objectives.", + "personal": "Motivated by personal reasons.", + "ideological": "Motivated by ideology or belief.", + "espionage": "Motivated by intelligence gathering.", + "destruction": "Motivated by the desire to destroy.", + "disruption": "Motivated by the desire to disrupt operations.", + "reputation": "Motivated by reputational gain or harm.", + "curiosity": "Motivated by curiosity.", + "competitive": "Motivated by competitive advantage.", + "revenge": "Motivated by revenge.", + "activism": "Motivated by activism." + } + } }, "intent": { "type": "string", + "title": "Intent", + "description": "The intent of the actor in this scenario.", "enum": [ "accidental", "opportunistic", "targeted", "persistent" ], - "description": "Intent level" - }, - "resources": { - "type": "string", - "enum": [ - "minimal", - "limited", - "moderate", - "substantial", - "unlimited" - ], - "description": "Resource availability" + "meta:enum": { + "accidental": "The harm is caused without intent.", + "opportunistic": "The actor takes advantage of an opportunity as it arises.", + "targeted": "The actor deliberately targets the subject.", + "persistent": "The actor pursues the target persistently over time." + } }, "accessLevel": { "type": "string", + "title": "Access Level", + "description": "The level of access the actor is assumed to have in this scenario.", "enum": [ "none", "external", 
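Review bot: The `intent` enum pairs the value `accidental` with "The harm is caused without intent", which contradicts the property's own description "The intent of the actor in this scenario"; I would widen the description to `"description": "The intent of the actor in this scenario, or accidental when the harm arises without intent."`. The `resources` property removed here reappears on `threatProfile` in the next hunk, so a scenario that previously carried it must now reference a profile; that migration should be called out in the change notes. The enclosing `threatScenario` definition starts in the previous hunk.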
@@ -227,23 +414,147 @@ "privileged", "physical" ], - "description": "Level of access to target systems" + "meta:enum": { + "none": "No access.", + "external": "External access only.", + "internal": "Internal access, such as that of an ordinary user.", + "privileged": "Privileged or administrative access.", + "physical": "Physical access to the target." + } + }, + "attackVector": { + "$ref": "#/$defs/attackVector" + }, + "exploitability": { + "$ref": "#/$defs/exploitability" + }, + "likelihood": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/likelihood" + }, + "impact": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/impact" + }, + "riskScore": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "title": "Risk Attributes", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/riskAttribute" + }, + "description": "The security and privacy attributes that this threat would compromise if realized." + }, + "affectedAssets": { + "type": "array", + "title": "Affected Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets affected in this scenario." + }, + "relatedRisks": { + "type": "array", + "title": "Related Risks", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risks that this scenario contributes to." 
+ }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "threatProfiles": { + "type": "array", + "title": "Threat Profiles", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/threatProfile" + }, + "description": "Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat." + }, + "threatProfile": { + "type": "object", + "title": "Threat Profile", + "description": "A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.", + "additionalProperties": false, + "required": [ + "bom-ref" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the threat profile." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the threat profile." + }, + "sophistication": { + "type": "string", + "title": "Sophistication", + "description": "The level of technical sophistication an actor characterized by this profile is assumed to possess.", + "enum": ["none", "minimal", "intermediate", "advanced", "expert"], + "meta:enum": { + "none": "No technical sophistication.", + "minimal": "Minimal sophistication, relying on readily available tools and techniques.", + "intermediate": "Intermediate technical skills.", + "advanced": "Advanced skills consistent with a persistent and well-resourced actor.", + "expert": "Expert skills consistent with the most capable actors." 
+ } + }, + "resources": { + "type": "string", + "title": "Resources", + "description": "The level of resources an actor characterized by this profile is assumed to have available.", + "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"], + "meta:enum": { + "minimal": "Minimal resources.", + "limited": "Limited resources.", + "moderate": "Moderate resources.", + "substantial": "Substantial resources.", + "unlimited": "Effectively unlimited resources." + } }, "skillSet": { "type": "array", + "title": "Skill Set", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Specific skills possessed" + "description": "The specific skills an actor characterized by this profile is assumed to possess." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } }, "attackVector": { "type": "object", + "title": "Attack Vector", + "description": "The conditions under which an attack is possible, following the convention of common vulnerability scoring systems.", "additionalProperties": false, "properties": { "type": { "type": "string", + "title": "Type", + "description": "The context by which an attack is possible.", "enum": [ "network", "adjacent", 
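Review bot: `threatProfile` requires only `bom-ref`, whereas `threat` and `threatScenario` both require `name`; a profile meant to be shared by many scenarios is hard to audit without one, so I would make it `"required": ["bom-ref", "name"]`. The `attackVector` description says it follows "common vulnerability scoring systems", but the metric set here (type, complexity, privileges, userInteraction, scope) matches CVSS v3.x specifically and v4.0 dropped `scope`, so pin the version: `"description": "The conditions under which an attack is possible, using the CVSS v3.x base-metric vocabulary (attack vector, attack complexity, privileges required, user interaction, scope)."`; note the `attackVector` definition runs past the end of this hunk. Separately, `riskAttributes` on the scenario still reads "that this threat would compromise" and should say "this scenario", matching the sibling `affectedAssets` wording.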
@@ -251,289 +562,421 @@ "physical" ], "meta:enum": { - "network": "Remotely exploitable via network", - "adjacent": "Exploitable from adjacent network", - "local": "Requires local access", - "physical": "Requires physical access" + "network": "Remotely exploitable via a network.", + "adjacent": "Exploitable from an adjacent network.", + "local": "Requires local access.", + "physical": "Requires physical access." } }, "complexity": { "type": "string", + "title": "Complexity", + "description": "The complexity of the attack.", "enum": [ "low", "high" ], - "description": "Attack complexity" + "meta:enum": { + "low": "The attack has low complexity.", + "high": "The attack has high complexity." + } }, "privileges": { "type": "string", + "title": "Privileges", + "description": "The level of privileges required to carry out the attack.", "enum": [ "none", "low", "high" ], - "description": "Privileges required" + "meta:enum": { + "none": "No privileges are required.", + "low": "Low privileges are required.", + "high": "High privileges are required." + } }, "userInteraction": { "type": "string", + "title": "User Interaction", + "description": "Whether the attack requires interaction from a user other than the attacker.", "enum": [ "none", "required" ], - "description": "User interaction requirement" + "meta:enum": { + "none": "No user interaction is required.", + "required": "User interaction is required." 
+ } }, "scope": { "type": "string", + "title": "Scope", + "description": "Whether a successful attack affects resources beyond the vulnerable component.", "enum": [ "unchanged", "changed" ], - "description": "Scope impact" - } - } - }, - "abuseCase": { - "type": "object", - "required": [ - "bom-ref", - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "name": { - "type": "string", - "description": "Name of the abuse case" - }, - "description": { - "type": "string", - "description": "Narrative describing how the system can be misused or abused" - }, - "abuser": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", - "description": "Reference using bom-link or bom-ref to a threat actor involved in the abuse case." - }, - "targets": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to assets or flows targeted in this abuse case." - }, - "steps": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Ordered steps the abuser follows" + "meta:enum": { + "unchanged": "The attack affects only the vulnerable component.", + "changed": "The attack affects resources beyond the vulnerable component." + } } } }, "attackPattern": { "type": "object", + "title": "Attack Pattern", + "description": "A description of the common attributes and approach of an attack, typically aligned with CAPEC. Techniques are aligned with MITRE ATT&CK.", + "additionalProperties": false, "required": [ "bom-ref", "name" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link." 
}, "capecId": { "type": "integer", - "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + "minimum": 1, + "title": "CAPEC Identifier", + "description": "The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern." }, "name": { "type": "string", - "description": "Name of the attack pattern" + "minLength": 1, + "title": "Name", + "description": "The name of the attack pattern." }, "description": { "type": "string", - "description": "Description of the attack pattern" + "title": "Description", + "description": "A description of the attack pattern." }, "prerequisites": { "type": "array", + "title": "Prerequisites", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Prerequisites for the attack" + "description": "The conditions that must hold for the attack to be possible." }, "techniques": { "type": "array", + "title": "Techniques", + "uniqueItems": true, "items": { "$ref": "#/$defs/technique" }, - "description": "Techniques used in the attack" + "description": "The techniques used to carry out the attack, typically aligned with MITRE ATT&CK." }, "mitigations": { "type": "array", + "title": "Mitigations", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to mitigations." + "description": "References using bom-link or bom-ref to the controls that mitigate this attack pattern." }, "examples": { "type": "array", + "title": "Examples", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Real-world examples" - } - } - }, - "attackPatternReference": { - "type": "object", - "additionalProperties": false, - "properties": { - "patternRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", - "description": "Reference using bom-link or bom-ref to an attack pattern." 
- }, - "capecId": { - "type": "integer", - "description": "CAPEC ID if not referencing internal pattern" - }, - "customization": { - "type": "string", - "description": "How this pattern is customized for the specific scenario" + "description": "Real-world examples of the attack pattern." } } }, "technique": { "type": "object", + "title": "Technique", + "description": "A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.", "additionalProperties": false, "properties": { "id": { "type": "string", - "description": "Technique ID (e.g., MITRE ATT&CK ID)" + "title": "Identifier", + "description": "The identifier of the technique, such as a MITRE ATT&CK technique identifier." }, "name": { "type": "string", - "description": "Name of the technique" + "title": "Name", + "description": "The name of the technique." }, "tactic": { "type": "string", - "description": "Associated tactic" + "title": "Tactic", + "description": "The tactic that the technique supports, such as a MITRE ATT&CK tactic." }, "procedure": { "type": "string", - "description": "Specific procedure" - }, - "tools": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tools used with this technique" + "title": "Procedure", + "description": "The specific procedure by which the technique is carried out." } } }, - "weakness": { + "attackTree": { "type": "object", + "title": "Attack Tree", + "description": "A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. 
One node is the root, representing the attacker goal.", + "additionalProperties": false, "required": [ - "bom-ref" + "bom-ref", + "nodes" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "cweId": { - "type": "integer", - "description": "CWE (Common Weakness Enumeration) ID" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link." }, "name": { "type": "string", - "description": "Name of the weakness" + "title": "Name", + "description": "The name of the attack tree." }, "description": { "type": "string", - "description": "Description of the weakness" + "title": "Description", + "description": "A description of the attack tree." }, - "abstraction": { - "type": "string", - "enum": [ - "pillar", - "class", - "base", - "variant", - "compound" - ], - "meta:enum": { - "pillar": "Most abstract type of weakness", - "class": "Weakness described in generic terms", - "base": "Weakness described in abstract terms", - "variant": "Weakness specific to a resource/technology", - "compound": "Combination of two or more weaknesses" - } + "root": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Root BOM Reference", + "description": "Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the node that no other node lists as a child." + }, + "nodes": { + "type": "array", + "title": "Nodes", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/attackTreeNode" + }, + "description": "The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting." 
+ } + } + }, + "attackTreeNode": { + "type": "object", + "title": "Attack Tree Node", + "description": "A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. The hierarchy is expressed by these references rather than by nesting.", + "additionalProperties": false, + "required": [ + "bom-ref", + "name" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link." }, - "ordinality": { + "name": { "type": "string", + "minLength": 1, + "title": "Name", + "description": "The goal, sub-goal, or technique that the node represents." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the node." + }, + "operator": { + "type": "string", + "title": "Operator", + "description": "Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.", "enum": [ - "primary", - "resultant", - "indirect" + "and", + "or" ], "meta:enum": { - "primary": "Weakness exists independent of other weaknesses", - "resultant": "Weakness is caused by another weakness", - "indirect": "Weakness is indirectly caused by another weakness" + "and": "All child nodes are required to achieve this node.", + "or": "Any one child node is sufficient to achieve this node." 
} }, - "affectedAssets": { + "children": { "type": "array", + "title": "Children", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to assets affected by this weakness." + "description": "References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. A child node may be shared by more than one parent." + }, + "attackPattern": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the attack pattern that this node represents." + }, + "weakness": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the weakness that this node exploits." }, - "exploitationDifficulty": { + "cost": { "type": "string", + "title": "Cost", + "description": "The relative cost to an attacker of achieving this node.", "enum": [ - "trivial", - "easy", + "negligible", + "low", + "moderate", + "high", + "prohibitive" + ], + "meta:enum": { + "negligible": "Negligible cost.", + "low": "Low cost.", + "moderate": "Moderate cost.", + "high": "High cost.", + "prohibitive": "Prohibitive cost." + } + }, + "skill": { + "type": "string", + "title": "Skill", + "description": "The skill level required to achieve this node.", + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." 
+ } + }, + "detectability": { + "type": "string", + "title": "Detectability", + "description": "How readily an attempt to achieve this node can be detected.", + "enum": [ + "undetectable", + "low", "moderate", - "difficult", - "impractical" + "high" ], - "description": "Difficulty of exploiting this weakness" + "meta:enum": { + "undetectable": "The attempt is effectively undetectable.", + "low": "The attempt is difficult to detect.", + "moderate": "The attempt is moderately detectable.", + "high": "The attempt is readily detectable." + } }, - "detectionMethods": { + "mitigations": { "type": "array", + "title": "Mitigations", + "uniqueItems": true, "items": { - "$ref": "#/$defs/detectionMethod" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Methods for detecting this weakness" + "description": "References using bom-link or bom-ref to the controls that mitigate this node." } } }, - "weaknessReference": { + "abuseCase": { "type": "object", + "title": "Abuse Case", + "description": "A description of how an adversary can misuse the system to achieve a malicious goal. An abuse case is the security counterpart of a use case and reuses its flow structure.", "additionalProperties": false, + "required": [ + "bom-ref", + "name" + ], "properties": { - "weaknessRef": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", - "description": "Reference using bom-link or bom-ref to a weakness." + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link." }, - "cweId": { - "type": "integer", - "description": "CWE ID if not referencing internal weakness" + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the abuse case, typically expressed as a malicious goal." 
}, - "instance": { + "description": { "type": "string", - "description": "Specific instance or manifestation of the weakness" + "title": "Description", + "description": "A narrative describing how the system can be misused or abused." + }, + "abuser": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona." + }, + "realizes": { + "type": "array", + "title": "Realizes", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this abuse case realizes." + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The conditions that must hold before the abuse case can begin." + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/step" + }, + "description": "The ordered steps the abuser follows." + }, + "targets": { + "type": "array", + "title": "Targets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets or flows targeted in this abuse case." + }, + "detectionOpportunities": { + "type": "array", + "title": "Detection Opportunities", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The signals, logs, or controls that present an opportunity to detect the abuse." + }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this abuse case." 
} } }, "exploitability": { "type": "object", + "title": "Exploitability", + "description": "The degree to which a threat can be exploited in practice.", "additionalProperties": false, "properties": { "level": { "type": "string", + "title": "Level", + "description": "The maturity of available exploitation capability.", "enum": [ "theoretical", "proof-of-concept", @@ -541,14 +984,16 @@ "weaponized" ], "meta:enum": { - "theoretical": "Theoretically possible but not demonstrated", - "proof-of-concept": "Proof of concept exists", - "functional": "Functional exploit exists", - "weaponized": "Weaponized exploit in the wild" + "theoretical": "Exploitation is theoretically possible but has not been demonstrated.", + "proof-of-concept": "A proof of concept exists.", + "functional": "A functional exploit exists.", + "weaponized": "A weaponized exploit is in use." } }, "complexity": { "type": "string", + "title": "Complexity", + "description": "The complexity of exploitation.", "enum": [ "trivial", "low", @@ -556,10 +1001,18 @@ "high", "very-high" ], - "description": "Complexity to exploit" + "meta:enum": { + "trivial": "Exploitation is trivial.", + "low": "Exploitation has low complexity.", + "medium": "Exploitation has medium complexity.", + "high": "Exploitation has high complexity.", + "very-high": "Exploitation has very high complexity." + } }, "skillRequired": { "type": "string", + "title": "Skill Required", + "description": "The skill level required to exploit the threat.", "enum": [ "none", "basic", 
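Review bot: `attackTree.nodes` accepts an empty array even though the definition states that one node is the root, and the fallback in the `root` description ("the node that no other node lists as a child") is only well-defined when exactly one such node exists and the `children` references form no cycle, neither of which the schema can express. Add `"minItems": 1` to `nodes`, and extend the `root` description with a sentence such as: `When root is omitted, exactly one node must be parentless; consumers must verify this and reject trees whose children references form a cycle, since the schema cannot express either constraint.` Relatedly, `attackTreeNode.operator` is documented as omitted on leaves, which `"dependentRequired": { "operator": ["children"] }` on the node schema would actually enforce. The hunk ends inside the `exploitability.level` enum, which continues in the next hunk.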
@@ -567,79 +1020,70 @@ "advanced", "expert" ], - "description": "Skill level required" - }, - "toolsRequired": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tools required for exploitation" - }, - "timeRequired": { - "type": "string", - "description": "Estimated time to develop exploit" - }, - "reliability": { - "type": "string", - "enum": [ - "unreliable", - "occasional", - "reliable", - "highly-reliable" - ], - "description": "Reliability of exploitation" + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." + } }, "automatable": { "type": "boolean", - "description": "Whether exploitation can be automated" + "title": "Automatable", + "description": "Whether exploitation can be automated." } } }, "indicators": { "type": "object", + "title": "Indicators", + "description": "The observable indicators associated with a threat.", "additionalProperties": false, "properties": { "compromise": { "type": "array", + "title": "Indicators of Compromise", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Indicators of compromise" + "description": "The indicators that a compromise has occurred." }, "attack": { "type": "array", + "title": "Indicators of Attack", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Indicators of attack" - }, - "behavioral": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Behavioral indicators" + "description": "The indicators that an attack is under way." }, "signatures": { "type": "array", + "title": "Signatures", + "uniqueItems": true, "items": { "$ref": "#/$defs/signature" }, - "description": "Detection signatures" + "description": "The detection signatures associated with the threat." 
} } }, "signature": { "type": "object", + "title": "Signature", + "description": "A detection signature for a threat.", + "additionalProperties": false, "required": [ "type", "value" ], - "additionalProperties": false, "properties": { "type": { "type": "string", + "title": "Type", + "description": "The type of signature.", "enum": [ "yara", "snort", 
@@ -647,321 +1091,107 @@ "hash", "behavior" ], - "description": "Type of signature" + "meta:enum": { + "yara": "A YARA rule.", + "snort": "A Snort rule.", + "regex": "A regular expression.", + "hash": "A cryptographic hash.", + "behavior": "A behavioural signature." + } }, "value": { "type": "string", - "description": "Signature value or pattern" + "minLength": 1, + "title": "Value", + "description": "The signature value or pattern." }, "description": { "type": "string", - "description": "Description of what the signature detects" + "title": "Description", + "description": "A description of what the signature detects." }, "confidence": { "type": "string", + "title": "Confidence", + "description": "The confidence level of a detection by this signature.", "enum": [ "low", "medium", "high" ], - "description": "Confidence level of detection" - } - } - }, - "ttp": { - "type": "object", - "additionalProperties": false, - "properties": { - "tactic": { - "type": "string", - "description": "High-level tactic" - }, - "technique": { - "$ref": "#/$defs/technique" - }, - "procedure": { - "type": "string", - "description": "Specific implementation" - }, - "tools": { - "type": "array", - "items": { - "$ref": "#/$defs/tool" - }, - "description": "Tools used" - }, - "infrastructure": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Infrastructure used" - } - } - }, - "tool": { - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Tool name" - }, - "type": { - "type": "string", - "enum": [ - "exploit", - "scanner", - "fuzzer", - "proxy", - "framework", - "custom" - ], - "description": "Type of tool" - }, - "version": { - "type": "string", - "description": "Tool version" - }, - "capabilities": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tool capabilities" + "meta:enum": { + "low": "Low confidence.", + "medium": "Medium 
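Review bot: The `meta:enum` added to `exploitability.skillRequired` (`none`, `basic`, `intermediate`, `advanced`, `expert`) duplicates `attackTreeNode.skill` verbatim, while `threatProfile.sophistication` uses `minimal` where these use `basic`; three hand-maintained skill scales in one file will drift. Factor the shared list into a `#/$defs/skillLevel` string schema that both properties `$ref`, and either align `sophistication` to the same values or document in its description why its scale differs. The `skillRequired` enum itself begins in the previous hunk.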
confidence.", + "high": "High confidence." + } } } }, - "targeting": { + "trustBoundary": { "type": "object", + "title": "Trust Boundary", + "description": "A security annotation marking an architectural boundary as one across which trust changes. It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.", "additionalProperties": false, - "properties": { - "sectors": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Targeted sectors or industries" - }, - "regions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Targeted geographic regions" - }, - "technologies": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Targeted technologies or platforms" - }, - "dataTypes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Types of data targeted" - } - } - }, - "detectionMethod": { - "type": "object", - "required": [ - "method" - ], - "additionalProperties": false, - "properties": { - "method": { - "type": "string", - "enum": [ - "static-analysis", - "dynamic-analysis", - "penetration-test", - "code-review", - "architecture-review", - "automated-scan" - ], - "description": "Detection method type" - }, - "description": { - "type": "string", - "description": "Description of the detection method" - }, - "effectiveness": { - "type": "string", - "enum": [ - "low", - "medium", - "high" - ], - "description": "Effectiveness of the method" - }, - "tools": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tools that implement this method" - } - } - }, - "securityPolicy": { - "type": "object", "required": [ "bom-ref", - "name", - "type" + "boundary" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link." + }, + "boundary": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates." }, "name": { "type": "string", - "description": "Policy name" - }, - "type": { - "type": "string", - "enum": [ - "access-control", - "data-protection", - "network-security", - "application-security", - "operational-security", - "compliance" - ], - "description": "Type of security policy" + "title": "Name", + "description": "The name of the trust boundary." }, "description": { "type": "string", - "description": "Policy description" + "title": "Description", + "description": "A description of the trust boundary." }, - "requirements": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Policy requirements" - }, - "enforcement": { + "trustLevel": { "type": "string", + "title": "Trust Level", + "description": "The trust level differential across the boundary.", "enum": [ - "mandatory", - "recommended", - "optional" + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" ], - "description": "Enforcement level" + "meta:enum": { + "untrusted": "The boundary separates an untrusted zone.", + "semi-trusted": "The boundary separates a semi-trusted zone.", + "trusted": "The boundary separates a trusted zone.", + "highly-trusted": "The boundary separates a highly trusted zone." + } }, - "appliesTo": { + "threatsAtBoundary": { "type": "array", + "title": "Threats At Boundary", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to assets this policy applies to." + "description": "References using bom-link or bom-ref to the threats that could exploit this boundary." 
}, - "exceptions": { + "controlsAtBoundary": { "type": "array", + "title": "Controls At Boundary", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Policy exceptions" - } - } - }, - "trustBoundary": { - "type": "object", - "allOf": [ - { - "$ref": "cyclonedx-blueprint-2.0.schema.json#/$defs/boundary" - }, - { - "properties": { - "trustLevel": { - "type": "string", - "enum": [ - "untrusted", - "semi-trusted", - "trusted", - "highly-trusted" - ], - "description": "Trust level differential" - }, - "securityRequirements": { - "$ref": "#/$defs/boundarySecurityRequirements" - }, - "threatsAtBoundary": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to threats that could exploit this boundary." - }, - "controlsAtBoundary": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to controls implemented at this boundary." - } - } - } - ] - }, - "boundarySecurityRequirements": { - "type": "object", - "additionalProperties": false, - "properties": { - "authenticationStrength": { - "type": "string", - "enum": [ - "none", - "weak", - "moderate", - "strong", - "very-strong" - ], - "description": "Required authentication strength" - }, - "authorizationGranularity": { - "type": "string", - "enum": [ - "coarse", - "medium", - "fine", - "very-fine" - ], - "description": "Authorization granularity required" - }, - "integrityVerification": { - "type": "boolean", - "description": "Whether integrity verification is required" + "description": "References using bom-link or bom-ref to the controls implemented at this boundary." 
}, - "confidentialityProtection": { - "type": "boolean", - "description": "Whether confidentiality protection is required" - }, - "auditingLevel": { - "type": "string", - "enum": [ - "none", - "basic", - "detailed", - "comprehensive" - ], - "description": "Level of auditing required" - }, - "dataValidationRules": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Data validation rules at boundary" + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } } diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json index e3fb3350c..a04c62e02 100644 --- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json @@ -19,6 +19,7 @@ "title": "Use Case", "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", "required": [ + "bom-ref", "name" ], "additionalProperties": false, @@ -67,6 +68,7 @@ "mainFlow": { "type": "array", "title": "Main Flow", + "uniqueItems": true, "items": { "$ref": "#/$defs/step" }, diff --git a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json index cd9e7fd00..fc72dad9a 100644 --- a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json @@ -74,14 +74,9 @@ "$ref": "#/$defs/rating" } }, - "cwes": { - "type": "array", - "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", - "examples": [399], - "items": { - "$ref": "#/$defs/cwe" - } + "weaknesses": { + "$ref": "cyclonedx-weakness-2.0.schema.json#/$defs/weaknesses", + "description": "The weaknesses, such as CWE classifications, that give rise to this vulnerability." }, "description": { "type": "string", 
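Review bot: `signature.value` holds rule text that a consumer may compile or load directly (`yara`, `snort`, `regex`), yet the schema gives no hint that it is author-supplied, untrusted input, and for `type: "hash"` a bare string does not say which algorithm produced it. Extend the `value` description with: `Consumers must treat this value as untrusted input: compile regex and rule text with resource limits and only evaluate it inside a sandboxed detection engine.` For `hash`, either add an optional `algorithm` property or, if cyclonedx-common already defines a hash object with an algorithm field, reference that instead — the common schema is not visible here. Separately, `trustLevel` is described as a "differential" across the boundary, but its enum and `meta:enum` name a single zone's level; either describe it as the trust level of the less-trusted side or reword the description to match the values.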
@@ -346,12 +341,6 @@ } } }, - "cwe": { - "type": "integer", - "minimum": 1, - "title": "CWE", - "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" - }, "severity": { "type": "string", "title": "Severity", diff --git a/schema/2.0/model/cyclonedx-weakness-2.0.schema.json b/schema/2.0/model/cyclonedx-weakness-2.0.schema.json new file mode 100644 index 000000000..6680e8d07 --- /dev/null +++ b/schema/2.0/model/cyclonedx-weakness-2.0.schema.json 
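Review bot: The replaced `cwes` property carried `"examples": [399]`, but the new `weaknesses` reference carries only a `description`, so generated documentation loses its worked example exactly where the shape changed from integers to objects. Add `"examples": [[{ "cweId": 399 }]]` beside the `$ref` — assuming this schema declares draft 2020-12 like the new weakness file, sibling keywords beside `$ref` are honoured — which also makes the migration from the old integer list explicit to readers of the schema.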
@@ -0,0 +1,71 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-weakness-2.0.schema.json", + "type": "null", + "title": "CycloneDX Weakness Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "weaknesses": { + "type": "array", + "title": "Weaknesses", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/weakness" + }, + "description": "A collection of weaknesses, such as CWE classifications, that classify an underlying flaw." + }, + "weakness": { + "title": "Weakness", + "description": "A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.", + "oneOf": [ + { + "type": "object", + "title": "CWE Weakness", + "description": "A weakness identified by its CWE identifier.", + "additionalProperties": false, + "required": [ + "cweId" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link." + }, + "cweId": { + "type": "integer", + "minimum": 1, + "title": "CWE Identifier", + "description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness." 
+ } + } + }, + { + "type": "object", + "title": "Named Weakness", + "description": "A weakness identified by a free-text name, used where no CWE classification applies.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the weakness." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the weakness." + } + } + } + ] + } + } +} diff --git a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json index 6fbe030a7..dbdf49796 100644 --- a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json +++ b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json @@ -44,9 +44,15 @@ "justification": "An optional reason for rating the vulnerability as it was" } ], - "cwes": [ - 184, - 502 + "weaknesses": [ + { + "bom-ref": "weakness-184", + "cweId": 184 + }, + { + "bom-ref": "weakness-502", + "cweId": 502 + } ], "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", "detail": "", From cf91c5c969bd6b5cdd22399b2ff23f878d7f7123 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jun 2026 20:42:31 -0500 Subject: [PATCH 26/44] Minor refactor and expansion of risk schema 
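Review bot: Because both `oneOf` branches of `weakness` set `"additionalProperties": false`, a CWE-identified weakness cannot carry a `name` or `description` and a named weakness cannot carry a `cweId`; an object supplying both fails both branches. That exclusivity is what keeps the `oneOf` unambiguous, but it is not stated, and consumers rendering a CWE entry must resolve the identifier externally. Either say so in the `weakness` description, e.g. `"Exactly one of cweId or name is given; a CWE-identified weakness carries no free-text name or description."`, or add an optional `name` to the CWE branch while keeping `cweId` exclusive to it. Note also that `uniqueItems` on `weaknesses` compares whole objects, so the same `cweId` may appear twice under different `bom-ref` values.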
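Review bot: The updated fixture exercises only the CWE branch of the new `weakness` `oneOf`; the named-weakness branch, the rejection of an object carrying both `cweId` and `name`, and the optionality of `bom-ref` are left without a positive or negative test. A second entry in this valid fixture such as `{ "name": "Unsafe deserialization of untrusted input" }` (a constructed example), plus an invalid fixture holding both `cweId` and `name`, would cover the schema paths the commit introduces.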
Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-risk-2.0.schema.json | 1096 ++++++++++------- 1 file changed, 664 insertions(+), 432 deletions(-) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index eecea7e61..d00650029 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -12,7 +12,7 @@ "items": { "$ref": "#/$defs/risk" }, - "description": "The documented risks identified through risk analysis." + "description": "A collection of risks identified through risk analysis. The risk model is methodology-neutral and can document risk regardless of the risk rating framework used. It supports qualitative, semi-quantitative, and quantitative approaches by recording a qualitative `level`, a numeric `score`, or quantified loss, with the originating methodology identified on each score. Each risk distinguishes the risk before responses are applied (`inherentRisk`) from the risk that remains after them (`residualRisk`), with an optional `targetRisk` reflecting risk appetite, consistent with the process described in [ISO 31000](https://www.iso.org/iso-31000-risk-management.html). Specific rating techniques are not prescribed; [IEC 31010](https://www.iso.org/standard/72140.html) catalogues the available techniques." }, "riskDomain": { "type": "object", 
@@ -22,88 +22,153 @@ "additionalProperties": false, "properties": { "type": { - "type": "string", - "enum": [ - "security", - "privacy", - "operational", - "financial", - "compliance", - "strategic", - "reputational", - "safety", - "environmental", - "supply-chain", - "technical", - "project" - ], - "meta:enum": { - "security": "Information security and cybersecurity risks", - "privacy": "Data protection and privacy risks", - "operational": "Business operations and continuity risks", - "financial": "Financial loss and economic impact risks", - "compliance": "Regulatory and legal compliance risks", - "strategic": "Strategic business and market risks", - "reputational": "Brand and reputation damage risks", - "safety": "Human safety and physical security risks", - "environmental": "Environmental impact and sustainability risks", - "supply-chain": "Supply chain and third-party risks", - "technical": "Technical and technology risks", - "project": "Project delivery and execution risks" - } + "title": "Type", + "description": "The domain or category of risk. 
Use the custom option for domains specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Domain", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply-chain", + "technical", + "project", + "ethical", + "societal", + "human-rights", + "health", + "legal" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks.", + "privacy": "Data protection and privacy risks.", + "operational": "Business operations and continuity risks.", + "financial": "Financial loss and economic impact risks.", + "compliance": "Regulatory and legal compliance risks.", + "strategic": "Strategic business and market risks.", + "reputational": "Brand and reputation damage risks.", + "safety": "Human safety and physical security risks.", + "environmental": "Environmental impact and sustainability risks.", + "supply-chain": "Supply chain and third-party risks.", + "technical": "Technical and technology risks.", + "project": "Project delivery and execution risks.", + "ethical": "Ethical risks, including the responsible use of automated decision-making and artificial intelligence.", + "societal": "Risks to society, communities, or democratic and civic processes.", + "human-rights": "Risks to fundamental human rights, including discrimination and loss of autonomy.", + "health": "Risks to physical or mental health and wellbeing.", + "legal": "Legal exposure, including liability and contractual risks." + } + }, + { + "title": "Custom Risk Domain", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk domain." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk domain." 
+ } + } + } + ] }, "priority": { "$ref": "#/$defs/priority" }, "description": { "type": "string", - "description": "Additional context for this risk domain" + "description": "Additional context for this risk domain." } } }, "riskAttribute": { - "type": "string", - "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", - "enum": [ - "accountability", - "authentication", - "authorization", - "authenticity", - "availability", - "compliance", - "confidentiality", - "connectivity", - "control", - "data-subject-rights", - "integrity", - "minimisation", - "non-repudiation", - "possession", - "privacy", - "purpose-limitation", - "transparency", - "utility" - ], - "meta:enum": { - "accountability": "Assigning responsibility for actions and decisions to individuals or entities", - "authentication": "Verifying the identity of users, devices, or systems before granting access", - "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", - "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", - "availability": "Ensuring systems, data, and services are accessible and operational when needed", - "compliance": "Adherence to applicable laws, regulations, policies, and standards", - "confidentiality": "Preventing unauthorised access to or disclosure of information", - "connectivity": "Maintaining secure and reliable communication between systems or components", - "control": "Enabling individuals to manage how their personal data is used and shared", - "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", - "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", - "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", - "non-repudiation": 
"Providing proof of origin and delivery to prevent denial of actions or communications", - "possession": "Ensuring control or custody over data or assets, regardless of ownership", - "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", - "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", - "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", - "utility": "Ensuring data is usable and in a format suitable for the intended purpose" - } + "title": "Risk Attribute", + "description": "A security or privacy attribute representing a potential impact area when a risk is realized. Use the custom option for attributes specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Attribute", + "type": "string", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data-subject-rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose-limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorised access to or disclosure of information.", + "connectivity": 
"Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", + "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } + }, + { + "title": "Custom Risk Attribute", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk attribute." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk attribute." + } + } + } + ] }, "scenario": { "type": "object", 
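Review bot: The custom branch of `riskDomain.type` accepts any non-empty `name`, including one equal to a predefined value such as `{ "name": "security" }`, so the same domain can be expressed two ways that consumers may group or filter differently. State the intent in the branch description, e.g. `"Custom names must not duplicate a predefined value; use the predefined string where one applies."`, or enforce it on `name` with `"not": { "enum": [ ...the predefined values... ] }`. The same applies to `riskAttribute` in this hunk, to `scenario.type` in the hunk at `@@ -119,32 +184,60 @@`, and to `status` in the hunk at `@@ -234,78 +327,112 @@`.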
@@ -119,32 +184,60 @@ }, "name": { "type": "string", - "description": "Name of the risk scenario" + "description": "The name of the scenario." }, "description": { "type": "string", - "description": "Detailed description of the scenario" + "description": "A description of the scenario." }, "type": { - "type": "string", - "enum": [ - "threat", - "vulnerability", - "weakness", - "risk", - "incident", - "opportunity", - "hazard" - ], - "meta:enum": { - "threat": "Threat scenario", - "vulnerability": "Exploitable vulnerability", - "weakness": "System or design weakness", - "risk": "General risk scenario", - "incident": "Potential incident scenario", - "opportunity": "Positive risk (opportunity)", - "hazard": "Safety hazard scenario" - } + "title": "Type", + "description": "The kind of scenario. Use the custom option for kinds specific to an organization's methodology.", + "oneOf": [ + { + "title": "Predefined Scenario Type", + "type": "string", + "enum": [ + "threat", + "vulnerability", + "weakness", + "risk", + "incident", + "opportunity", + "hazard" + ], + "meta:enum": { + "threat": "Threat scenario.", + "vulnerability": "Exploitable vulnerability.", + "weakness": "System or design weakness.", + "risk": "General risk scenario.", + "incident": "Potential incident scenario.", + "opportunity": "Positive risk, an opportunity.", + "hazard": "Safety hazard scenario." + } + }, + { + "title": "Custom Scenario Type", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom scenario type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom scenario type." + } + } + } + ] }, "domain": { "$ref": "#/$defs/riskDomain" 
@@ -163,7 +256,7 @@ "items": { "$ref": "#/$defs/riskAttribute" }, - "description": "Risk attributes affected by this scenario" + "description": "The risk attributes affected by this scenario." }, "affectedAssets": { "type": "array", @@ -197,23 +290,23 @@ "properties": { "framework": { "type": "string", - "description": "Name of the compliance program or framework" + "description": "The name of the compliance program or framework." }, "controlId": { "type": "string", - "description": "Identifier of the control within the framework" + "description": "The identifier of the control within the framework." }, "reference": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference", - "description": "Link or citation to the requirement or control documentation" + "description": "A link or citation to the requirement or control documentation." }, "description": { "type": "string", - "description": "Optional notes describing the mapping" + "description": "Optional notes describing the mapping." } } }, - "description": "Compliance frameworks and control references this mitigation supports" + "description": "Compliance frameworks and control references this scenario maps to." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
@@ -234,78 +327,112 @@ }, "name": { "type": "string", - "description": "Name or identifier for the risk" + "description": "A human-readable name for the risk." }, "statement": { "type": "string", - "description": "Structured risk statement describing source, event, and impact" + "description": "Structured risk statement describing source, event, and impact." }, "description": { "type": "string", - "description": "Additional narrative about the risk" + "description": "Additional narrative about the risk." }, "domains": { "type": "array", "items": { "$ref": "#/$defs/riskDomain" }, - "description": "Risk domains impacted" + "description": "The risk domains this risk affects." }, - "scenarios": { + "affects": { "type": "array", - "minItems": 1, + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to scenarios this risk addresses." - }, - "likelihood": { - "$ref": "#/$defs/likelihood" - }, - "impact": { - "$ref": "#/$defs/impact" - }, - "riskScore": { - "$ref": "#/$defs/riskScore" + "description": "References using bom-link or bom-ref to the subjects this risk concerns. A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged." }, - "riskAttributes": { + "relatedScenarios": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/riskAttribute" - } + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risk scenarios related to this risk. A risk scenario is a scenario object in this model and may be of type vulnerability, weakness, incident, opportunity, or hazard. Threat scenarios from a threat model are referenced separately through relatedThreats." 
}, - "responses": { + "relatedThreats": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/riskResponse" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Risk responses or mitigation plans applied to this risk" + "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." }, - "relatedThreats": { + "inherentRisk": { + "$ref": "#/$defs/rating", + "description": "The assessed risk before any responses are applied." + }, + "residualRisk": { + "$ref": "#/$defs/rating", + "description": "The assessed risk remaining after responses are applied." + }, + "targetRisk": { + "$ref": "#/$defs/rating", + "description": "The risk level the organization aims to reach, reflecting its risk appetite." + }, + "responses": { "type": "array", "items": { - "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatScenario" + "$ref": "#/$defs/riskResponse" }, - "description": "Related threat scenarios informing this risk" + "description": "The responses applied to this risk." }, "status": { - "type": "string", - "enum": [ - "identified", - "assessed", - "mitigated", - "accepted", - "transferred", - "retired" - ], - "meta:enum": { - "identified": "Risk has been identified but not yet evaluated", - "assessed": "Risk has been assessed and prioritized", - "mitigated": "Mitigations are in place reducing this risk", - "accepted": "Risk has been formally accepted", - "transferred": "Risk has been transferred to another party", - "retired": "Risk no longer applies" - } + "title": "Status", + "description": "The lifecycle status of the risk. 
Use the custom option for a status specific to an organization's risk process.", + "oneOf": [ + { + "title": "Predefined Risk Status", + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated.", + "assessed": "Risk has been assessed and prioritized.", + "mitigated": "Responses are in place reducing this risk.", + "accepted": "Risk has been formally accepted.", + "transferred": "Risk has been transferred to another party.", + "retired": "Risk no longer applies." + } + }, + { + "title": "Custom Risk Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] }, "owner": { "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", 
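Review bot: `"uniqueItems": true` is added to `affects`, `relatedScenarios` and `relatedThreats` but not to `domains` or `responses` on the same `risk`, so a duplicated `riskDomain` or `riskResponse` still validates while a duplicated reference does not. If the omission is deliberate because near-duplicate response objects are plausible, a short note in those descriptions would avoid the question; otherwise adding `"uniqueItems": true` to both keeps the object consistent. The `"minItems": 1` that the removed `scenarios` property carried is not kept on `relatedScenarios`, so a risk with no scenario is now valid; that fits the `inherentRisk`/`residualRisk` model but is worth stating in the `risks` description.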
@@ -316,6 +443,35 @@ } } }, + "rating": { + "type": "object", + "title": "Rating", + "description": "A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).", + "additionalProperties": false, + "properties": { + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "score": { + "$ref": "#/$defs/riskScore" + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. Supports quantitative methods that reason over uncertainty." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The justification for this rating, including the method and the evidence considered." + } + } + }, "likelihood": { "type": "object", "required": [ 
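Review bot: `rating` declares `additionalProperties: false` but neither `required` nor `minProperties`, so `"inherentRisk": {}` validates and conveys nothing, and `confidence` or `rationale` can be given without any likelihood, impact or score. Adding `"minProperties": 1`, or an `anyOf` over `required: ["likelihood"]`, `["impact"]` and `["score"]`, would ensure a rating carries at least one assessment. The description's claim that inherent, residual and target ratings can be compared also assumes all three use the same scale, which nothing in the object enforces; a sentence noting that the originating methodology should be the same across the three ratings of one risk would help.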
@@ -328,51 +484,50 @@ "title": "Level", "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", "enum": [ - "certain", - "high", + "very-low", "low", "medium", - "veryHigh", - "veryLow" + "high", + "very-high", + "certain" ], "meta:enum": { - "certain": "Almost certain to occur (> 90% probability).", - "high": "Likely to occur (60-90% probability).", - "low": "Unlikely to occur (10-30% probability).", - "medium": "Possible to occur (30-60% probability).", - "veryHigh": "Very likely to occur (75-90% probability).", - "veryLow": "Very unlikely to occur (< 10% probability)." + "very-low": "Very unlikely to occur (less than 10% probability).", + "low": "Unlikely to occur (10 to 30% probability).", + "medium": "Possible to occur (30 to 60% probability).", + "high": "Likely to occur (60 to 85% probability).", + "very-high": "Very likely to occur (85 to 99% probability).", + "certain": "Almost certain to occur (greater than 99% probability)." } }, "score": { "type": "number", "minimum": 0, - "maximum": 5, - "description": "Numeric likelihood score" + "description": "Numeric likelihood score on the scale defined by the methodology." }, "probability": { "type": "number", "minimum": 0, "maximum": 1, - "description": "Probability as a decimal (0-1)" + "description": "Probability as a decimal from 0 to 1." }, "factors": { "type": "array", "items": { "$ref": "#/$defs/likelihoodFactor" }, - "description": "Factors considered when determining the likelihood level" + "description": "The factors considered when determining the likelihood level." }, "rationale": { "type": "string", - "description": "Justification for the likelihood rating" + "description": "The justification for the likelihood rating." 
} } }, "likelihoodFactor": { "type": "object", "title": "Likelihood Factor", - "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", "required": [ "name", "type" 
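Review bot: `level`, `score` and `probability` may all be supplied on one `likelihood`, and the new `meta:enum` bands (for example `high` is 60 to 85%) can contradict a supplied `probability` such as 0.95, yet the hunk does not say which value is authoritative or that they must agree. A sentence in the `level` description, e.g. `"When probability is also given, the level is expected to fall within the band containing that probability."`, would make the relationship checkable by consumers. Dropping `maximum: 5` from `score` matches the methodology-defined scale, but the likelihood object carries nothing that names the scale; if that lives on `riskScore` only, as the `risks` description in the first hunk suggests, say so in the `score` description.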
@@ -391,29 +546,34 @@ "oneOf": [ { "title": "Predefined Likelihood Factor Type", - "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", "type": "string", - "additionalProperties": false, "enum": [ - "attackVector", - "controlEffectiveness", - "exploitMaturity", + "attack-vector", + "contact-frequency", + "control-effectiveness", + "detectability", + "discoverability", + "exploit-maturity", "exposure", "motivation", "opportunity", - "other", - "threatCapability", + "targeting", + "threat-capability", "vulnerability" ], "meta:enum": { - "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", - "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.", - "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "attack-vector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "contact-frequency": "How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.", + "control-effectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.", + "detectability": "Likelihood that the activity is detected before the risk is realized. 
Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.", + "discoverability": "Ease with which the weakness or opportunity can be found by a potential actor. Aligns with the OWASP Risk Rating ease of discovery factor.", + "exploit-maturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.", "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", - "other": "A likelihood factor type not defined by the CycloneDX standard. Use the custom type option for factors specific to an organization's risk methodology.", - "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "targeting": "Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.", + "threat-capability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." } }, 
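Review bot: The new `detectability` and `control-effectiveness` entries describe properties whose higher values lower likelihood, while the factor `level` in the next hunk (`@@ -446,28 +606,27 @@`) is defined as the degree to which the factor contributes to risk realization. A reader can therefore rate a strong control as `high` (high effectiveness) when the schema intends `low` (low contribution), and nothing in the hunk resolves that. Add one sentence to the predefined-type description, e.g. `"The level and score of every factor express its contribution to likelihood, so a strong control or a readily detected activity is rated low."`; an explicit direction indicator on the factor would be the stricter alternative. Removing `other` appears safe given the custom branch the `oneOf` implies, but documents using `other` or the former camelCase values will now fail validation and the commit message does not mention that.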
@@ -446,28 +606,27 @@ "title": "Level", "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", "enum": [ - "certain", - "high", + "very-low", "low", "medium", - "veryHigh", - "veryLow" + "high", + "very-high", + "certain" ], "meta:enum": { - "certain": "This factor almost certainly contributes to risk realization (> 90% influence).", - "high": "This factor strongly contributes to risk realization (60-90% influence).", - "low": "This factor has limited contribution to risk realization (10-30% influence).", - "medium": "This factor moderately contributes to risk realization (30-60% influence).", - "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).", - "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)." + "very-low": "This factor has minimal contribution to risk realization (less than 10% influence).", + "low": "This factor has limited contribution to risk realization (10 to 30% influence).", + "medium": "This factor moderately contributes to risk realization (30 to 60% influence).", + "high": "This factor strongly contributes to risk realization (60 to 85% influence).", + "very-high": "This factor very strongly contributes to risk realization (85 to 99% influence).", + "certain": "This factor almost certainly contributes to risk realization (greater than 99% influence)." 
} }, "score": { "type": "number", "title": "Score", - "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.", - "minimum": 0, - "maximum": 5 + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.", + "minimum": 0 }, "weight": { "type": "number", 
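Review bot: With `maximum: 5` removed, nothing bounds a factor `score` or ties the factors of one likelihood to a common scale, so a consumer combining factor scores cannot normalise them without out-of-band knowledge; the `weight` property that would interact with this is cut off by the hunk. If the scale is meant to be uniform across the factors of a likelihood, say so in the `score` description, e.g. `"All factors within one likelihood use the same scale."`; if it is not, an explicit upper bound per factor is needed for the scores to be comparable.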
@@ -502,65 +661,122 @@ "major", "catastrophic" ], - "description": "Impact severity level", + "description": "The qualitative impact severity level.", "meta:enum": { - "negligible": "Minimal impact with no significant consequences", - "low": "Minor impact with limited consequences", - "moderate": "Moderate impact affecting some operations", - "major": "Significant impact with serious consequences", - "catastrophic": "Catastrophic impact with existential consequences" + "negligible": "Minimal impact with no significant consequences.", + "low": "Minor impact with limited consequences.", + "moderate": "Moderate impact affecting some operations.", + "major": "Significant impact with serious consequences.", + "catastrophic": "Catastrophic impact with existential consequences." + } + }, + "polarity": { + "type": "string", + "title": "Polarity", + "description": "Whether the impact represents a harm or a benefit. Benefits support modeling opportunities and positive risk.", + "enum": [ + "harm", + "benefit" + ], + "meta:enum": { + "harm": "A negative impact or downside.", + "benefit": "A positive impact or upside." } }, "score": { "type": "number", "minimum": 0, - "maximum": 10, - "description": "Numeric impact score" + "description": "Numeric impact score on the scale defined by the methodology." 
}, "categories": { "type": "array", + "uniqueItems": true, "items": { - "type": "string", - "enum": [ - "confidentiality", - "integrity", - "availability", - "financial", - "reputation", - "regulatory", - "safety", - "privacy", - "operational", - "strategic" - ], - "meta:enum": { - "confidentiality": "Impact on data confidentiality", - "integrity": "Impact on data or system integrity", - "availability": "Impact on service availability", - "financial": "Financial loss or impact", - "reputation": "Reputational damage", - "regulatory": "Regulatory compliance impact", - "safety": "Human safety impact", - "privacy": "Privacy violation impact", - "operational": "Operational disruption", - "strategic": "Strategic business impact" - } + "oneOf": [ + { + "title": "Predefined Impact Category", + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic", + "bias", + "discrimination", + "fairness", + "human-rights", + "environmental", + "societal", + "psychological", + "physical", + "health" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality.", + "integrity": "Impact on data or system integrity.", + "availability": "Impact on service availability.", + "financial": "Financial loss or impact.", + "reputation": "Reputational damage.", + "regulatory": "Regulatory compliance impact.", + "safety": "Human safety impact.", + "privacy": "Privacy violation impact.", + "operational": "Operational disruption.", + "strategic": "Strategic business impact.", + "bias": "Systematic bias in automated outputs or decisions.", + "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", + "fairness": "Impact on the fair and equitable treatment of affected groups.", + "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", + "environmental": "Environmental impact, 
including energy use and carbon emissions.", + "societal": "Impact on society, communities, or civic processes.", + "psychological": "Psychological or emotional harm.", + "physical": "Physical harm to people or property.", + "health": "Impact on physical or mental health." + } + }, + { + "title": "Custom Impact Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom impact category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom impact category." + } + } + } + ] }, - "description": "Categories of impact" + "description": "The categories of impact, including harms relevant to AI and societal risk." }, "riskAttributes": { "type": "array", "items": { "$ref": "#/$defs/riskAttribute" }, - "description": "Risk attributes affected" + "description": "The risk attributes affected." }, "quantification": { "$ref": "#/$defs/impactQuantification" }, "description": { "type": "string", - "description": "Description of the potential impact" + "description": "A description of the potential impact." } } }, 
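Review bot: `riskAttributes` in this hunk stays a plain array while the sibling `categories` gains `"uniqueItems": true`; the same duplicate-entry concern applies to attributes, so add `"uniqueItems": true` to `riskAttributes` as well. Separately, the Custom Impact Category object accepts any `name`, including one equal to a predefined value such as `"privacy"`, so the same category can appear twice in one array in two spellings and `uniqueItems` will not catch it; either state in the custom option's description that predefined values must not be reused, or constrain `name` with a `not` wrapping an `enum` of the predefined values. The custom methodology and custom status objects in the hunk at -613 have the same gap.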
@@ -570,35 +786,62 @@ "properties": { "financialLoss": { "type": "number", - "description": "Estimated financial loss in currency units" + "description": "The estimated financial loss, in the units given by currency." }, "currency": { "type": "string", "pattern": "^[A-Z]{3}$", - "description": "ISO 4217 currency code" + "description": "The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code." }, "affectedUsers": { "type": "integer", - "description": "Number of affected users" + "description": "The number of affected users." }, "downtime": { "type": "string", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", - "description": "Expected downtime as ISO 8601 duration" + "description": "The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." }, "dataRecords": { "type": "integer", - "description": "Number of data records affected" + "description": "The number of data records affected." }, "recovery": { "type": "string", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", - "description": "Recovery time as ISO 8601 duration" + "description": "The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." + }, + "financialLossRange": { + "type": "object", + "title": "Financial Loss Range", + "additionalProperties": false, + "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges.", + "properties": { + "minimum": { + "type": "number", + "description": "The minimum estimated financial loss." + }, + "mostLikely": { + "type": "number", + "description": "The most likely estimated financial loss." + }, + "maximum": { + "type": "number", + "description": "The maximum estimated financial loss." 
+ } + } + }, + "affectedGroups": { + "type": "integer", + "minimum": 0, + "description": "The number of distinct groups or populations affected." } } }, "riskScore": { "type": "object", + "title": "Risk Score", + "description": "The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.", "required": [ "level" ], 
@@ -613,128 +856,191 @@ "high", "critical" ], - "description": "Overall risk level", + "description": "The overall qualitative risk level.", "meta:enum": { - "info": "Informational - no immediate action required", - "low": "Low risk - monitor and address in normal cycle", - "medium": "Medium risk - plan mitigation activities", - "high": "High risk - prioritize mitigation efforts", - "critical": "Critical risk - immediate action required" + "info": "Informational.", + "low": "Low risk.", + "medium": "Medium risk.", + "high": "High risk.", + "critical": "Critical risk." } }, "score": { "type": "number", - "minimum": 1, - "description": "Numeric risk score" + "minimum": 0, + "description": "Numeric risk score on the scale defined by the methodology." }, "vector": { "type": "string", - "description": "Risk scoring vector (e.g., L:H/I:M)" + "description": "A textual representation of the metric values used to derive the score, in the format defined by the methodology." }, "methodology": { - "type": "string", - "description": "Risk scoring methodology used" + "title": "Methodology", + "description": "The risk rating methodology used to derive this score. Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. 
Use the custom option for methodologies not listed.", + "oneOf": [ + { + "title": "Predefined Risk Methodology", + "type": "string", + "enum": [ + "dread", + "fair", + "fmea", + "nist-sp-800-30", + "octave", + "owasp-risk-rating" + ], + "meta:enum": { + "dread": "[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.", + "fair": "[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.", + "fmea": "[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.", + "nist-sp-800-30": "[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.", + "octave": "[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.", + "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9." + } + }, + { + "title": "Custom Risk Methodology", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk methodology." + } + } + } + ] } } }, "riskResponse": { "type": "object", + "title": "Risk Response", + "description": "An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. 
Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.", "required": [ "bom-ref", - "mitigations", - "mitigationPlan" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "mitigations": { - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/mitigation" - }, - "description": "Mitigations applied to this risk response" - }, - "mitigationPlan": { - "$ref": "#/$defs/mitigationPlan" - } - } - }, - "mitigation": { - "type": "object", - "required": [ - "bom-ref", - "reference" + "strategy" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" - }, - "reference": { - "description": "Reference using bom-link or bom-ref to a mitigation or control implementing the response.", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + "description": "An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link." 
}, "strategy": { "type": "string", + "title": "Strategy", + "description": "The disposition chosen for the risk.", "enum": [ - "prevent", - "detect", - "respond", - "recover" + "avoid", + "reduce", + "transfer", + "accept", + "exploit", + "enhance" ], "meta:enum": { - "prevent": "Prevents the risk from occurring", - "detect": "Detects when the risk occurs", - "respond": "Responds to the risk when detected", - "recover": "Recovers from the impact" + "avoid": "Eliminate the risk by removing its source or not proceeding with the activity.", + "reduce": "Lower the likelihood or impact of the risk through controls.", + "transfer": "Shift the risk to another party, for example through insurance or contract.", + "accept": "Take no further action and retain the risk.", + "exploit": "Pursue an opportunity so that a positive risk occurs.", + "enhance": "Increase the likelihood or benefit of a positive risk." } }, - "type": { + "description": { "type": "string", - "enum": [ - "control", - "countermeasure", - "procedure", - "removal" - ], - "meta:enum": { - "control": "Protective, preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "procedure": "Documented procedure", - "removal": "Removing a risky component or asset" - } + "title": "Description", + "description": "A description of the response." }, - "status": { + "controls": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls, requirements, or components that implement this response." 
+ }, + "function": { "type": "string", + "title": "Function", + "description": "The control function this response performs, following a prevent, detect, respond, and recover model.", "enum": [ - "proposed", - "approved", - "planned", - "inProgress", - "implemented", - "verified" + "prevent", + "detect", + "respond", + "recover" ], "meta:enum": { - "proposed": "Mitigation has been proposed", - "approved": "Mitigation has been approved", - "planned": "Implementation is planned", - "inProgress": "Implementation is in progress", - "implemented": "Mitigation has been implemented", - "verified": "Effectiveness has been verified" + "prevent": "Prevents the risk from occurring.", + "detect": "Detects when the risk occurs.", + "respond": "Responds to the risk when detected.", + "recover": "Recovers from the impact." } }, - "priority": { - "$ref": "#/$defs/priority" + "status": { + "title": "Status", + "description": "The implementation status of the response. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Response Status", + "type": "string", + "enum": [ + "proposed", + "approved", + "planned", + "in-progress", + "implemented", + "verified" + ], + "meta:enum": { + "proposed": "The response has been proposed.", + "approved": "The response has been approved.", + "planned": "Implementation is planned.", + "in-progress": "Implementation is in progress.", + "implemented": "The response has been implemented.", + "verified": "Effectiveness has been verified." + } + }, + { + "title": "Custom Response Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." 
+ } + } + } + ] }, "effectiveness": { "$ref": "#/$defs/effectiveness" }, "cost": { "type": "string", + "title": "Cost", "enum": [ "trivial", "low", 
@@ -743,99 +1049,33 @@ "extreme" ], "meta:enum": { - "trivial": "Minimal cost and effort", - "low": "Low cost and effort", - "medium": "Moderate cost and effort", - "high": "High cost and significant effort", - "extreme": "Extreme cost and major effort" + "trivial": "Minimal cost and effort.", + "low": "Low cost and effort.", + "medium": "Moderate cost and effort.", + "high": "High cost and significant effort.", + "extreme": "Extreme cost and major effort." } }, - "addresses": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to scenarios this plan addresses." + "priority": { + "$ref": "#/$defs/priority" }, - "implementedBy": { + "owner": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party accountable for this response. May be an inline party object or a reference to a previously declared party." + }, + "targetDate": { + "type": "string", + "format": "date-time", + "title": "Target Date", + "description": "The date by which this response is targeted to be implemented." + }, + "addresses": { "type": "array", + "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to assets that implement this plan." 
- }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - } - }, - "properties": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - } - } - }, - "mitigationPlan": { - "type": "object", - "required": [ - "name", - "type", - "status", - "mitigations" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name of the mitigation plan" - }, - "description": { - "type": "string", - "description": "Description of what the plan covers" - }, - "type": { - "type": "string", - "enum": [ - "avoid", - "reduce", - "transfer", - "accept", - "control", - "countermeasure", - "safeguard", - "practice", - "procedure" - ], - "meta:enum": { - "avoid": "Avoid the risk entirely", - "reduce": "Reduce likelihood or impact", - "transfer": "Transfer risk to another party", - "accept": "Accept the risk", - "control": "Protective, preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "safeguard": "Safeguards mitigating adverse events", - "practice": "Operational or governance practice", - "procedure": "Documented procedure" - } - }, - "status": { - "type": "string", - "enum": [ - "proposed", - "approved", - "planned", - "inProgress", - "implemented", - "verified" - ], - "meta:enum": { - "proposed": "Mitigation has been proposed", - "approved": "Mitigation has been approved", - "planned": "Implementation is planned", - "inProgress": "Implementation is in progress", - "implemented": "Mitigation has been implemented", - "verified": "Effectiveness has been verified" - } + "description": "References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk." }, "externalReferences": { "type": "array", 
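Review bot: `targetDate` is titled and described as a date but constrained with `"format": "date-time"`, so a validator that enforces formats rejects a plain calendar date while the description invites one; use `"format": "date"` if a calendar date is intended, or describe the field as a timestamp. The `riskResponse` definition continues beyond this hunk (its `externalReferences` and `properties` appear in the following hunk).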
@@ -845,14 +1085,6 @@ }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - }, - "mitigations": { - "type": "array", - "minItems": 1, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to mitigations chosen for this plan." } } }, @@ -864,7 +1096,7 @@ "type": "number", "minimum": 0, "maximum": 1, - "description": "Effectiveness as decimal" + "description": "Effectiveness as a decimal from 0 to 1." }, "rating": { "type": "string", @@ -876,11 +1108,11 @@ "excellent" ], "meta:enum": { - "ineffective": "Does not meaningfully reduce risk", - "marginal": "Slightly reduces risk", - "adequate": "Adequately reduces risk", - "good": "Significantly reduces risk", - "excellent": "Nearly eliminates risk" + "ineffective": "Does not meaningfully reduce risk.", + "marginal": "Slightly reduces risk.", + "adequate": "Adequately reduces risk.", + "good": "Significantly reduces risk.", + "excellent": "Nearly eliminates risk." } } } @@ -906,16 +1138,16 @@ "triggered" ], "meta:enum": { - "initial": "Initial risk assessment", - "periodic": "Scheduled periodic assessment", - "continuous": "Continuous monitoring assessment", - "triggered": "Event-triggered assessment" + "initial": "Initial risk assessment.", + "periodic": "Scheduled periodic assessment.", + "continuous": "Continuous monitoring assessment.", + "triggered": "Event-triggered assessment." } }, "timestamp": { "type": "string", "format": "date-time", - "description": "When the assessment was performed" + "description": "When the assessment was performed." }, "assessor": { "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", @@ -923,7 +1155,7 @@ }, "summary": { "type": "string", - "description": "Executive summary of the assessment" + "description": "An executive summary of the assessment." }, "risks": { "type": "array", 
@@ -947,29 +1179,29 @@ "average", "custom" ], - "description": "Aggregation method used to derive the overall risk" + "description": "The aggregation method used to derive the overall risk." }, "score": { "$ref": "#/$defs/riskScore" }, "description": { "type": "string", - "description": "Optional explanation for custom aggregation approaches" + "description": "An optional explanation for custom aggregation approaches." } }, - "description": "Aggregated risk result for this assessment" + "description": "The aggregated risk result for this assessment." }, "recommendations": { "type": "array", "items": { "type": "string" }, - "description": "Recommendations from the assessment" + "description": "Recommendations from the assessment." }, "nextReview": { "type": "string", "format": "date-time", - "description": "When the next review should occur" + "description": "When the next review should occur." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" @@ -985,13 +1217,13 @@ "high", "critical" ], - "description": "Priority level", + "description": "Priority level.", "meta:enum": { - "none": "No priority assigned", - "low": "Low priority - address when convenient", - "medium": "Medium priority - address in normal cycle", - "high": "High priority - address soon", - "critical": "Critical priority - address immediately" + "none": "No priority.", + "low": "Low priority.", + "medium": "Medium priority.", + "high": "High priority.", + "critical": "Critical priority." } }, "severity": { 
@@ -1003,13 +1235,13 @@ "high", "critical" ], - "description": "Severity level", + "description": "Severity level.", "meta:enum": { - "info": "Informational finding", - "low": "Low severity issue", - "medium": "Medium severity issue", - "high": "High severity issue", - "critical": "Critical severity issue" + "info": "Informational finding.", + "low": "Low severity issue.", + "medium": "Medium severity issue.", + "high": "High severity issue.", + "critical": "Critical severity issue." } }, "criticality": { @@ -1021,13 +1253,13 @@ "high", "critical" ], - "description": "Business criticality level", + "description": "Business criticality level.", "meta:enum": { - "minimal": "Minimal impact on business operations", - "low": "Low impact with minor inconvenience", - "moderate": "Moderate impact affecting some operations", - "high": "High impact affecting critical operations", - "critical": "Critical impact with severe business consequences" + "minimal": "Minimal impact on business operations.", + "low": "Low impact with minor inconvenience.", + "moderate": "Moderate impact affecting some operations.", + "high": "High impact affecting critical operations.", + "critical": "Critical impact with severe business consequences." } } } From 05375fdab1ffe8038a20393c342e80c3e6e9e337 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jun 2026 21:04:51 -0500 Subject: [PATCH 27/44] Removed unnecessary risk scenario. Added related vulnerabilities and weaknesses. Added assessments - was previously orphaned. Minor other changes. Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-risk-2.0.schema.json | 478 ++++++++---------- 1 file changed, 220 insertions(+), 258 deletions(-) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index d00650029..b3f4dbd60 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
@@ -6,13 +6,33 @@ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { "risks": { - "type": "array", + "type": "object", "title": "Risks", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/risk" - }, - "description": "A collection of risks identified through risk analysis. The risk model is methodology-neutral and can document risk regardless of the risk rating framework used. It supports qualitative, semi-quantitative, and quantitative approaches by recording a qualitative `level`, a numeric `score`, or quantified loss, with the originating methodology identified on each score. Each risk distinguishes the risk before responses are applied (`inherentRisk`) from the risk that remains after them (`residualRisk`), with an optional `targetRisk` reflecting risk appetite, consistent with the process described in [ISO 31000](https://www.iso.org/iso-31000-risk-management.html). Specific rating techniques are not prescribed; [IEC 31010](https://www.iso.org/standard/72140.html) catalogues the available techniques." + "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The risk model is methodology-neutral and can document risk regardless of the risk rating framework used. It supports qualitative, semi-quantitative, and quantitative approaches by recording a qualitative `level`, a numeric `score`, or quantified loss, with the originating methodology identified on each score. 
Each risk distinguishes the risk before responses are applied (`inherentRisk`) from the risk that remains after them (`residualRisk`), with an optional `targetRisk` reflecting risk appetite, consistent with the process described in [ISO 31000](https://www.iso.org/iso-31000-risk-management.html). Specific rating techniques are not prescribed; [IEC 31010](https://www.iso.org/standard/72140.html) catalogues the available techniques.", + "additionalProperties": false, + "properties": { + "risks": { + "type": "array", + "title": "Risks", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/risk" + }, + "description": "The documented risks identified through risk analysis." + }, + "assessments": { + "type": "array", + "title": "Assessments", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/assessment" + }, + "description": "Point-in-time risk assessment events, each evaluating one or more of the documented risks." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } }, "riskDomain": { "type": "object", 
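Review bot: The new `risks` container has no `required` or `minProperties`, so `"risks": {}` validates while carrying nothing; if an empty container is not meaningful, add `"minProperties": 1`, otherwise say so in the description. The container and its inner array both carry `"title": "Risks"`, and the path becomes `risks.risks`, which reads poorly in generated documentation; a container title such as `"Risk Analysis"` would distinguish them. The `assessments` description says each evaluates one or more documented risks, but nothing in this hunk ties an assessment to a risk; the `assessment` definition is outside the hunk, so I cannot confirm it carries such a reference.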
@@ -170,149 +190,6 @@ } ] }, - "scenario": { - "type": "object", - "required": [ - "bom-ref", - "name", - "type" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "name": { - "type": "string", - "description": "The name of the scenario." - }, - "description": { - "type": "string", - "description": "A description of the scenario." - }, - "type": { - "title": "Type", - "description": "The kind of scenario. Use the custom option for kinds specific to an organization's methodology.", - "oneOf": [ - { - "title": "Predefined Scenario Type", - "type": "string", - "enum": [ - "threat", - "vulnerability", - "weakness", - "risk", - "incident", - "opportunity", - "hazard" - ], - "meta:enum": { - "threat": "Threat scenario.", - "vulnerability": "Exploitable vulnerability.", - "weakness": "System or design weakness.", - "risk": "General risk scenario.", - "incident": "Potential incident scenario.", - "opportunity": "Positive risk, an opportunity.", - "hazard": "Safety hazard scenario." - } - }, - { - "title": "Custom Scenario Type", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The name of the custom scenario type." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom scenario type." - } - } - } - ] - }, - "domain": { - "$ref": "#/$defs/riskDomain" - }, - "likelihood": { - "$ref": "#/$defs/likelihood" - }, - "impact": { - "$ref": "#/$defs/impact" - }, - "riskScore": { - "$ref": "#/$defs/riskScore" - }, - "riskAttributes": { - "type": "array", - "items": { - "$ref": "#/$defs/riskAttribute" - }, - "description": "The risk attributes affected by this scenario." 
- }, - "affectedAssets": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to affected assets." - }, - "mitigations": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to mitigations that address this scenario." - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - } - }, - "compliance": { - "type": "array", - "items": { - "type": "object", - "required": [ - "framework", - "controlId" - ], - "additionalProperties": false, - "properties": { - "framework": { - "type": "string", - "description": "The name of the compliance program or framework." - }, - "controlId": { - "type": "string", - "description": "The identifier of the control within the framework." - }, - "reference": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference", - "description": "A link or citation to the requirement or control documentation." - }, - "description": { - "type": "string", - "description": "Optional notes describing the mapping." - } - } - }, - "description": "Compliance frameworks and control references this scenario maps to." - }, - "properties": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - } - } - }, "risk": { "type": "object", "required": [ 
@@ -352,21 +229,29 @@ }, "description": "References using bom-link or bom-ref to the subjects this risk concerns. A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged." }, - "relatedScenarios": { + "relatedThreats": { "type": "array", "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to the risk scenarios related to this risk. A risk scenario is a scenario object in this model and may be of type vulnerability, weakness, incident, opportunity, or hazard. Threat scenarios from a threat model are referenced separately through relatedThreats." + "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." }, - "relatedThreats": { + "relatedVulnerabilities": { "type": "array", "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." + "description": "References using bom-link or bom-ref to the vulnerabilities that inform this risk." + }, + "relatedWeaknesses": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the weaknesses that inform this risk." }, "inherentRisk": { "$ref": "#/$defs/rating", 
@@ -458,6 +343,23 @@
 "score": {
 "$ref": "#/$defs/riskScore"
 },
+ "detectability": {
+ "type": "object",
+ "title": "Detectability",
+ "additionalProperties": false,
+ "description": "The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.",
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "description": "The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier."
+ },
+ "description": {
+ "type": "string",
+ "description": "A narrative explanation of the detectability assessment."
+ }
+ }
+ },
 "confidence": {
 "type": "number",
 "minimum": 0,
@@ -511,6 +413,21 @@
 "maximum": 1,
 "description": "Probability as a decimal from 0 to 1."
 },
+ "frequency": {
+ "type": "number",
+ "minimum": 0,
+ "title": "Frequency",
+ "description": "The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. Unlike a probability, a frequency may exceed 1."
+ },
+ "timeframe": {
+ "type": "string",
+ "title": "Timeframe",
+ "description": "The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."
+ },
+ "range": {
+ "$ref": "#/$defs/estimateRange",
+ "description": "A range for the probability or frequency, supporting quantitative methods that reason over distributions."
+ },
 "factors": {
 "type": "array",
 "items": {
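Review bot: `timeframe` is documented as an ISO 8601 duration but is an unconstrained string, so a validator accepts any text there, while the blueprint schema in this same series constrains its `reviewFrequency` with `"pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$"`. The draft 2020-12 dialect this schema declares also defines `"format": "duration"`; adding one of the two keeps the models consistent, and since `format` is annotation-only unless the validator opts in to format assertion, the pattern is the stronger check. The `range` added alongside `probability` is not bounded to 1 the way the probability itself is, so a consumer reading a probability range must apply that check on its own.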
@@ -692,78 +609,22 @@ "type": "array", "uniqueItems": true, "items": { - "oneOf": [ - { - "title": "Predefined Impact Category", - "type": "string", - "enum": [ - "confidentiality", - "integrity", - "availability", - "financial", - "reputation", - "regulatory", - "safety", - "privacy", - "operational", - "strategic", - "bias", - "discrimination", - "fairness", - "human-rights", - "environmental", - "societal", - "psychological", - "physical", - "health" - ], - "meta:enum": { - "confidentiality": "Impact on data confidentiality.", - "integrity": "Impact on data or system integrity.", - "availability": "Impact on service availability.", - "financial": "Financial loss or impact.", - "reputation": "Reputational damage.", - "regulatory": "Regulatory compliance impact.", - "safety": "Human safety impact.", - "privacy": "Privacy violation impact.", - "operational": "Operational disruption.", - "strategic": "Strategic business impact.", - "bias": "Systematic bias in automated outputs or decisions.", - "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", - "fairness": "Impact on the fair and equitable treatment of affected groups.", - "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", - "environmental": "Environmental impact, including energy use and carbon emissions.", - "societal": "Impact on society, communities, or civic processes.", - "psychological": "Psychological or emotional harm.", - "physical": "Physical harm to people or property.", - "health": "Impact on physical or mental health." - } - }, - { - "title": "Custom Impact Category", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The name of the custom impact category." 
- }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom impact category." - } - } - } - ] + "$ref": "#/$defs/impactCategory" }, "description": "The categories of impact, including harms relevant to AI and societal risk." }, + "factors": { + "type": "array", + "title": "Factors", + "items": { + "$ref": "#/$defs/impactFactor" + }, + "description": "The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown." + }, + "range": { + "$ref": "#/$defs/estimateRange", + "description": "A range for the impact score, supporting quantitative methods that reason over distributions." + }, "riskAttributes": { "type": "array", "items": { 
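Review bot: `impactFactor.weight` is bounded to 0–1, but the new `factors` description does not say whether the weights within one `factors` array are expected to sum to 1, nor whether the impact `score` (outside this hunk) is derived from the factors or recorded independently; methodologies differ on both, so a consumer cannot recompute or cross-check the breakdown. I would extend the `factors` description with `Weights are not required to sum to 1, and the overall score is recorded separately rather than derived from the factors.` or its opposite, whichever is intended. The enclosing impact object starts and ends outside the hunk.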
@@ -780,6 +641,141 @@ } } }, + "impactCategory": { + "title": "Impact Category", + "description": "A category of impact, including harms relevant to AI and societal risk. Use the custom option for categories specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Impact Category", + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic", + "bias", + "discrimination", + "fairness", + "human-rights", + "environmental", + "societal", + "psychological", + "physical", + "health" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality.", + "integrity": "Impact on data or system integrity.", + "availability": "Impact on service availability.", + "financial": "Financial loss or impact.", + "reputation": "Reputational damage.", + "regulatory": "Regulatory compliance impact.", + "safety": "Human safety impact.", + "privacy": "Privacy violation impact.", + "operational": "Operational disruption.", + "strategic": "Strategic business impact.", + "bias": "Systematic bias in automated outputs or decisions.", + "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", + "fairness": "Impact on the fair and equitable treatment of affected groups.", + "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", + "environmental": "Environmental impact, including energy use and carbon emissions.", + "societal": "Impact on society, communities, or civic processes.", + "psychological": "Psychological or emotional harm.", + "physical": "Physical harm to people or property.", + "health": "Impact on physical or mental health." 
+ } + }, + { + "title": "Custom Impact Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom impact category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom impact category." + } + } + } + ] + }, + "impactFactor": { + "type": "object", + "title": "Impact Factor", + "description": "An individual contributing factor used to determine the overall impact of a risk or scenario. Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'." + }, + "category": { + "$ref": "#/$defs/impactCategory", + "description": "The impact dimension this factor measures." + }, + "score": { + "type": "number", + "minimum": 0, + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact." + }, + "weight": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Weight", + "description": "The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "estimateRange": { + "type": "object", + "title": "Estimate Range", + "description": "A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.", + "additionalProperties": false, + "properties": { + "minimum": { + "type": "number", + "description": "The minimum, or lower bound, estimate." + }, + "mostLikely": { + "type": "number", + "description": "The most likely estimate." + }, + "maximum": { + "type": "number", + "description": "The maximum, or upper bound, estimate." + } + } + }, "impactQuantification": { "type": "object", "additionalProperties": false, @@ -812,24 +808,8 @@ "description": "The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." }, "financialLossRange": { - "type": "object", - "title": "Financial Loss Range", - "additionalProperties": false, - "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges.", - "properties": { - "minimum": { - "type": "number", - "description": "The minimum estimated financial loss." - }, - "mostLikely": { - "type": "number", - "description": "The most likely estimated financial loss." - }, - "maximum": { - "type": "number", - "description": "The maximum estimated financial loss." - } - } + "$ref": "#/$defs/estimateRange", + "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges." }, "affectedGroups": { "type": "integer", 
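Review bot: `estimateRange` accepts any numbers, including negative values and a `minimum` greater than `maximum`, and it is now reused for probability, frequency, and financial-loss ranges; the inline `financialLossRange` it replaces had the same gap, so the refactor preserves rather than introduces it, but a single shared definition is the right place to close it. JSON Schema cannot express the ordering between the three properties, so I would add `"minimum": 0` to each of `minimum`, `mostLikely` and `maximum` (assuming negative estimates are never intended) and state in the description that consumers must reject a range whose minimum exceeds mostLikely or whose mostLikely exceeds maximum. For the probability use in particular, the range has no upper bound of 1, which the description should call out.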
@@ -1226,24 +1206,6 @@ "critical": "Critical priority." } }, - "severity": { - "type": "string", - "enum": [ - "info", - "low", - "medium", - "high", - "critical" - ], - "description": "Severity level.", - "meta:enum": { - "info": "Informational finding.", - "low": "Low severity issue.", - "medium": "Medium severity issue.", - "high": "High severity issue.", - "critical": "Critical severity issue." - } - }, "criticality": { "type": "string", "enum": [ From e14fa3fef89a233c0689b2bf81289322cdf2350e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jun 2026 21:14:39 -0500 Subject: [PATCH 28/44] Minor changes to incorporate risks into CDXA Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-risk-2.0.schema.json | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index b3f4dbd60..a0b0702d2 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
@@ -253,6 +253,30 @@ }, "description": "References using bom-link or bom-ref to the weaknesses that inform this risk." }, + "relatedRequirements": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met." + }, + "relatedStandards": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk." + }, + "relatedClaims": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. The degree of conformance is carried by the claim, not by the risk." + }, "inherentRisk": { "$ref": "#/$defs/rating", "description": "The assessed risk before any responses are applied." From c6956ea579cb57c202f942833375d5d5d2054bfb Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jun 2026 21:26:10 -0500 Subject: [PATCH 29/44] Minor updates to assessment Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-risk-2.0.schema.json | 183 +++++++++++++++--- 1 file changed, 160 insertions(+), 23 deletions(-) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index a0b0702d2..90080c1f6 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
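Review bot: `relatedRequirements`, `relatedStandards` and `relatedClaims` carry no `title`, while the other properties this series adds (`frequency`, `timeframe`, `assumptions`) do; `"title": "Related Requirements"` and the like keeps generated documentation consistent. The descriptions of `relatedRequirements` and `relatedClaims` also overlap, since both describe a requirement that is unmet or only partially met, so one sentence on when to reference the requirement itself versus the claim about it would help authors, for example `Reference the requirement when no conformance claim exists; otherwise reference the claim, which carries the degree of conformance.`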
@@ -1133,29 +1133,118 @@ "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "type": { + "name": { "type": "string", - "enum": [ - "initial", - "periodic", - "continuous", - "triggered" - ], - "meta:enum": { - "initial": "Initial risk assessment.", - "periodic": "Scheduled periodic assessment.", - "continuous": "Continuous monitoring assessment.", - "triggered": "Event-triggered assessment." - } + "title": "Name", + "description": "A human-readable name for the assessment." + }, + "type": { + "title": "Type", + "description": "The kind of risk assessment. Use the custom option for kinds specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Assessment Type", + "type": "string", + "enum": [ + "initial", + "periodic", + "continuous", + "triggered", + "ad-hoc" + ], + "meta:enum": { + "initial": "Initial, baseline risk assessment.", + "periodic": "Scheduled, recurring assessment.", + "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.", + "triggered": "Assessment triggered by a specific event, such as a change or an incident.", + "ad-hoc": "Unplanned, one-off assessment, neither scheduled nor triggered by a defined event." + } + }, + { + "title": "Custom Assessment Type", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assessment type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assessment type." + } + } + } + ] }, "timestamp": { "type": "string", "format": "date-time", "description": "When the assessment was performed." }, - "assessor": { - "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", - "description": "The party that performed the assessment. 
May be an inline party object or a reference to a previously declared party. The party's `roles` should include `auditor` or `assessor` (custom) depending on the assessment type." + "scope": { + "type": "string", + "title": "Scope", + "description": "The scope of the assessment, including the systems, boundaries, and what is in or out of scope." + }, + "status": { + "title": "Status", + "description": "The lifecycle status of the assessment. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Assessment Status", + "type": "string", + "enum": [ + "draft", + "in-progress", + "completed", + "approved", + "superseded" + ], + "meta:enum": { + "draft": "The assessment is being prepared.", + "in-progress": "The assessment is underway.", + "completed": "The assessment is finished.", + "approved": "The assessment has been reviewed and approved.", + "superseded": "The assessment has been replaced by a later one." + } + }, + { + "title": "Custom Assessment Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] + }, + "assessors": { + "type": "array", + "title": "Assessors", + "items": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice" + }, + "description": "The parties that performed the assessment. Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`." }, "summary": { "type": "string", 
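Review bot: `assessors` replaces the single `assessor` with an array but sets no `minItems`, so an assessment with `"assessors": []` validates, and the new `status` values `approved` and `superseded` have no visible property naming the approving party or the superseding assessment (the assessment object continues outside this hunk, so these may exist elsewhere). For an audit record the approver identity is what lets a consumer distinguish a self-approved automated assessment from a reviewed one; I would add `"minItems": 1` to `assessors` and, if absent, a party reference for the approver and a `refLinkType` to the superseding assessment. The description also drops the old `(custom)` qualifier from `assessor`, so confirm `assessor` is now a predefined party role rather than a custom one.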
@@ -1177,13 +1266,47 @@ "additionalProperties": false, "properties": { "method": { - "type": "string", - "enum": [ - "sum", - "average", - "custom" - ], - "description": "The aggregation method used to derive the overall risk." + "title": "Method", + "description": "The aggregation method used to derive the overall risk from the assessed risks. Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR.", + "oneOf": [ + { + "title": "Predefined Aggregation Method", + "type": "string", + "enum": [ + "maximum", + "sum", + "average", + "weighted-average" + ], + "meta:enum": { + "maximum": "The overall risk equals the highest individual risk.", + "sum": "The overall risk is the sum of the individual risks, representing total exposure.", + "average": "The overall risk is the mean of the individual risks.", + "weighted-average": "The overall risk is a weighted mean of the individual risks." + } + }, + { + "title": "Custom Aggregation Method", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom aggregation method." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom aggregation method." + } + } + } + ] }, "score": { "$ref": "#/$defs/riskScore" @@ -1195,6 +1318,14 @@ }, "description": "The aggregated risk result for this assessment." }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "items": { + "type": "string" + }, + "description": "The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change." + }, "recommendations": { "type": "array", "items": { 
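Review bot: `weighted-average` is introduced as an aggregation method, but nothing in this hunk carries the weights, and the assessed-risks list it aggregates is outside the hunk; without a place to record per-risk weights a consumer cannot reproduce the overall score. Either the `meta:enum` entry should say where the weights come from, for example `"weighted-average": "The overall risk is a weighted mean of the individual risks; weights are recorded per assessed risk."`, or the assessment needs a structure for them. Separately, the old enum value `custom` is removed in favour of the object form, so existing documents with `"method": "custom"` now fail validation, which is acceptable for a 2.0 draft but deserves a changelog line.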
@@ -1207,6 +1338,12 @@ "format": "date-time", "description": "When the next review should occur." }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } From d305f2eea840c94b69f69fd9094cfc15d6ff9674 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 00:24:37 -0500 Subject: [PATCH 30/44] Minor refactoring of specific parts of blueprint schema along with some enhancements and corrections to the risk and threat schema. Signed-off-by: Steve Springett --- .../model/cyclonedx-blueprint-2.0.schema.json | 1080 +++++++++-------- .../2.0/model/cyclonedx-risk-2.0.schema.json | 2 +- .../model/cyclonedx-threat-2.0.schema.json | 90 +- 3 files changed, 680 insertions(+), 492 deletions(-) diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index b2abd7ca2..b313f0c6d 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -47,7 +47,7 @@ "title": "Model Types", "minItems": 1, "uniqueItems": true, - "description": "The types of models being represented", + "description": "The types of models being represented.", "items": { "$ref": "#/$defs/modelType" } @@ -56,7 +56,7 @@ "type": "array", "title": "Methodologies", "uniqueItems": true, - "description": "The modeling methodologies used", + "description": "The modeling methodologies used.", "items": { "$ref": "#/$defs/methodology" } @@ -71,7 +71,7 @@ "items": { "$ref": "#/$defs/asset" }, - "description": "The assets (components, services, data, actors) included in the model" + "description": "The assets (components, services, data, actors) included in the model." }, "behaviors": { "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behaviors" 
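Review bot: The new `externalReferences` on the assessment is an inline array of `externalReference` items with no `description`, whereas the blueprint schema in this same series expresses the same property as `"externalReferences": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" }`. Reusing the common definition here keeps the two models consistent and picks up whatever constraints and documentation the common definition carries, instead of maintaining a second inline shape that can drift.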
@@ -83,7 +83,7 @@ "items": { "$ref": "#/$defs/dataStore" }, - "description": "Structured description of data stores used in the model" + "description": "Structured description of data stores used in the model." }, "dataSets": { "type": "array", @@ -92,7 +92,7 @@ "items": { "$ref": "#/$defs/dataSet" }, - "description": "Datasets handled by the system, including placements and sensitivity" + "description": "Datasets handled by the system, including placements and sensitivity." }, "zones": { "type": "array", @@ -101,7 +101,7 @@ "items": { "$ref": "#/$defs/zone" }, - "description": "Logical, physical, or trust zones that group assets with similar characteristics" + "description": "Logical, physical, or trust zones that group assets with similar characteristics." }, "boundaries": { "type": "array", @@ -110,7 +110,7 @@ "items": { "$ref": "#/$defs/boundary" }, - "description": "Boundaries between zones" + "description": "Boundaries between zones." }, "flows": { "type": "array", @@ -119,7 +119,7 @@ "items": { "$ref": "#/$defs/flow" }, - "description": "Data, control, or process flows between assets" + "description": "Data, control, or process flows between assets." }, "actors": { "type": "array", @@ -128,7 +128,7 @@ "items": { "$ref": "#/$defs/actor" }, - "description": "Human or system actors involved in the model, distinct from assets" + "description": "Human or system actors involved in the model, distinct from assets." }, "assumptions": { "type": "array", @@ -137,7 +137,7 @@ "items": { "$ref": "#/$defs/assumption" }, - "description": "Assumptions made during the modeling process" + "description": "Assumptions made during the modeling process." }, "visualizations": { "type": "array", @@ -146,7 +146,7 @@ "items": { "$ref": "#/$defs/visualization" }, - "description": "Visual representations of the model" + "description": "Visual representations of the model." }, "useCases": { "type": "array", 
@@ -193,10 +193,11 @@ }, "requirements": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "Requirements derived from or related to the model" + "description": "References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model." }, "externalReferences": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" @@ -208,7 +209,7 @@ }, "modelType": { "title": "Model Type", - "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration.", + "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.", "oneOf": [ { "type": "string", 
@@ -218,33 +219,25 @@ "architecture", "behavioral", "conceptual", - "dataFlow", + "data-flow", "deployment", "logical", "network", "operational", "physical", - "privacy", - "process", - "risk", - "structural", - "threat" + "process" ], "meta:enum": { - "architecture": "System or software architecture model.", - "behavioral": "System behaviour model.", - "conceptual": "High-level conceptual model.", - "dataFlow": "Data flow model showing how data moves through the system.", - "deployment": "Deployment or infrastructure model.", - "logical": "Logical system model.", - "network": "Network topology or connectivity model.", - "operational": "Operational model.", - "physical": "Physical infrastructure model.", - "privacy": "Privacy impact assessment model.", - "process": "Business or system process model.", - "risk": "Risk assessment model.", - "structural": "System structure model.", - "threat": "Security threat model." + "architecture": "An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. Broader than a single view, it frames the overall design.", + "behavioral": "A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.", + "conceptual": "A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. The first level of the conceptual, logical, and physical progression.", + "data-flow": "A data flow model showing how data moves between processes, data stores, and external entities. 
This is the substrate most commonly used for STRIDE per-element threat analysis.", + "deployment": "A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.", + "logical": "A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. The middle level of the conceptual, logical, and physical progression.", + "network": "A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.", + "operational": "An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.", + "physical": "A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.", + "process": "A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out." } }, { @@ -273,7 +266,7 @@ }, "methodology": { "title": "Methodology", - "description": "The modelling methodology used, either a predefined value from the enumeration or a custom object for methodologies not covered. The object form may also be used to annotate a predefined methodology with a version or external references.", + "description": "The system or architecture modelling notation used to produce the blueprint, either a predefined value from the enumeration or a custom object. The object form may also annotate a predefined methodology with a version or external references. Threat modelling methodologies such as STRIDE and PASTA are recorded in the threat model, not here.", "oneOf": [ { "type": "string", 
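Review bot: `structural` is removed from the `modelType` enum without the description mentioning it, while the same sentence explains that threat, risk, and privacy analyses moved to their own models; a reader cannot tell whether a structural model now maps to `architecture` or is simply gone. If the former is intended, extend the description with `Structural models are represented as architecture models.`; otherwise restore the value. The rename `dataFlow` to `data-flow` breaks existing values but matches the kebab-case used elsewhere in this patch (`data-store`), so a changelog note suffices. The new `meta:enum` text mixes `behavioural` with the `behavioral` key and with the US spelling used in the risk schema (`realized`); one spelling across the set would be cleaner.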
@@ -282,56 +275,36 @@ "enum": [ "4+1", "Archimate", - "ATFAA", "BPMN", "C4", "DFD", "DODAF", "ERD", "IDEF", - "LINDDUN", - "MAESTRO", - "MITRE-ATTACK", "MODAF", "NAF", - "OWASP", - "PASTA", "SABSA", - "STRIDE", "SysML", "TOGAF", - "TRIKE", "UML", - "VAST", - "Zachman", - "attackTree" + "Zachman" ], "meta:enum": { "4+1": "4+1 Architectural View Model.", "Archimate": "Enterprise architecture modelling language.", - "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.", "BPMN": "Business Process Model and Notation.", "C4": "C4 Model for software architecture.", "DFD": "Data Flow Diagrams.", "DODAF": "Department of Defense Architecture Framework.", "ERD": "Entity Relationship Diagrams.", "IDEF": "Integration Definition Methods.", - "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.", - "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.", - "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework.", "MODAF": "Ministry of Defence Architecture Framework.", "NAF": "NATO Architecture Framework.", - "OWASP": "OWASP threat modelling methodology.", - "PASTA": "Process for Attack Simulation and Threat Analysis.", "SABSA": "Sherwood Applied Business Security Architecture.", - "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.", "SysML": "Systems Modeling Language.", "TOGAF": "The Open Group Architecture Framework.", - "TRIKE": "Risk-based threat modelling methodology.", "UML": "Unified Modeling Language.", - "VAST": "Visual, Agile, and Simple Threat modelling.", - "Zachman": "Zachman Framework.", - "attackTree": "Attack tree methodology for structured threat analysis." + "Zachman": "Zachman Framework." } }, { 
@@ -381,7 +354,7 @@ "type": "string", "title": "Timestamp", "format": "date-time", - "description": "When the blueprint was created or last updated" + "description": "When the blueprint was created or last updated." }, "authors": { "type": "array", @@ -400,7 +373,7 @@ "type": "string", "title": "Review Date", "format": "date-time", - "description": "When the blueprint was reviewed" + "description": "When the blueprint was reviewed." }, "approver": { "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", @@ -410,7 +383,7 @@ "type": "string", "title": "Approval Date", "format": "date-time", - "description": "When the blueprint was approved" + "description": "When the blueprint was approved." }, "ordinalVersion": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion" @@ -433,19 +406,19 @@ "type": "string", "title": "Start", "format": "date-time", - "description": "When the blueprint becomes valid" + "description": "When the blueprint becomes valid." }, "end": { "type": "string", "title": "End", "format": "date-time", - "description": "When the blueprint expires" + "description": "When the blueprint expires." }, "reviewFrequency": { "type": "string", "title": "Review Frequency", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", - "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)." } } }, @@ -465,12 +438,12 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the scope" + "description": "Name of the scope." }, "description": { "type": "string", "title": "Description", - "description": "Description of what is included and excluded from the model" + "description": "Description of what is included and excluded from the model." }, "boundaries": { "type": "array", 
@@ -480,7 +453,7 @@ "type": "string", "minLength": 1 }, - "description": "Explicit boundaries of the model" + "description": "Explicit boundaries of the model." }, "includedComponents": { "type": "array", @@ -508,12 +481,12 @@ "asset": { "type": "object", "title": "Asset", - "description": "A component, service, data store, or other element included in the blueprint model.", + "description": "A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.", "additionalProperties": false, "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "description": "Unique identifier for the asset" + "description": "Unique identifier for the asset." }, "componentRef": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", 
@@ -523,76 +496,107 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "description": "Reference using bom-link or bom-ref to the service this asset represents." }, + "partyRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor." + }, "type": { - "type": "string", "title": "Asset Type", - "enum": [ - "actor", - "agent", - "api", - "broker", - "cache", - "component", - "container", - "data", - "dataStore", - "device", - "endpoint", - "function", - "gateway", - "infrastructure", - "interface", - "model", - "module", - "network", - "other", - "process", - "queue", - "resource", - "service", - "stream", - "subsystem", - "system" - ], - "meta:enum": { - "actor": "User, system, or external entity", - "agent": "Autonomous AI or software agent", - "api": "API endpoint or interface", - "broker": "Message broker or event bus infrastructure", - "cache": "Caching layer or in-memory data store", - "component": "Software component or application", - "container": "Container or orchestration unit", - "data": "Dataset", - "dataStore": "Database, file system, or data repository", - "device": "Physical or IoT device", - "endpoint": "Service endpoint or URL", - "function": "Serverless function or lambda", - "gateway": "API gateway, load balancer, or proxy", - "infrastructure": "Infrastructure component", - "interface": "System interface or contract", - "model": "AI or machine learning model", - "module": "Software module or package", - "network": "Network segment or resource", - "other": "Asset type not covered by predefined values", - "process": "Business or system process", - "queue": "Message queue or task queue", - "resource": "Generic resource or artifact", - "service": "Service or microservice", - "stream": "Data stream or event stream", - "subsystem": "Part of a larger 
system", - "system": "Complete system or application" - } + "description": "The kind of asset. Use the custom option for kinds not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Asset Type", + "enum": [ + "actor", + "agent", + "api", + "broker", + "cache", + "component", + "container", + "data", + "data-store", + "device", + "endpoint", + "function", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "process", + "queue", + "resource", + "service", + "stream", + "subsystem", + "system", + "tool" + ], + "meta:enum": { + "actor": "An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.", + "agent": "Autonomous AI or software agent.", + "api": "API endpoint or interface.", + "broker": "Message broker or event bus infrastructure.", + "cache": "Caching layer or in-memory data store.", + "component": "Software component or application.", + "container": "Container or orchestration unit.", + "data": "Dataset.", + "data-store": "Database, file system, or data repository.", + "device": "Physical or IoT device.", + "endpoint": "Service endpoint or URL.", + "function": "Serverless function or lambda.", + "gateway": "API gateway, load balancer, or proxy.", + "infrastructure": "Infrastructure component.", + "interface": "System interface or contract.", + "model": "AI or machine learning model.", + "module": "Software module or package.", + "network": "Network segment or resource.", + "process": "Business or system process.", + "queue": "Message queue or task queue.", + "resource": "Generic resource or artifact.", + "service": "Service or microservice.", + "stream": "Data stream or event stream.", + "subsystem": "Part of a larger system.", + "system": "Complete system or application.", + "tool": "A tool or capability invoked by an agent, such as a 
function, API, or service exposed to an AI agent." + } + }, + { + "type": "object", + "title": "Custom Asset Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom asset type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom asset type." + } + } + } + ] }, "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the asset" + "description": "Name of the asset." }, "description": { "type": "string", "title": "Description", - "description": "Description of the asset's role and purpose" + "description": "Description of the asset's role and purpose." }, "zone": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", @@ -616,7 +620,7 @@ "type": "string", "minLength": 1 }, - "description": "Responsibilities or functions of this asset" + "description": "Responsibilities or functions of this asset." }, "interfaces": { "type": "array", @@ -625,7 +629,7 @@ "items": { "$ref": "#/$defs/interface" }, - "description": "Interfaces exposed by this asset" + "description": "Interfaces exposed by this asset." }, "dependencies": { "type": "array", @@ -652,7 +656,7 @@ "items": { "$ref": "#/$defs/authenticationType" }, - "description": "Authentication methods supported/required" + "description": "Authentication methods supported/required." }, "authorization": { "type": "array", @@ -661,7 +665,7 @@ "items": { "$ref": "#/$defs/authorizationType" }, - "description": "Authorization models supported/required" + "description": "Authorization models supported/required." }, "ownership": { "$ref": "#/$defs/ownership" 
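Review bot: The `actor` meta:enum text states that an actor asset references a party via `partyRef`, but the schema does not couple the two: an inline asset with `"type": "actor"` and no `partyRef` validates, and a `partyRef` asset typed `container` validates as well. If the coupling is intended, a conditional on the asset object (whose opening is outside this hunk) enforces it: `"if": { "required": ["type"], "properties": { "type": { "const": "actor" } } }, "then": { "required": ["partyRef"] }`. If an actor may legitimately be an undeclared external entity, as the former "User, system, or external entity" wording allowed, the meta:enum should instead say `partyRef` is optional for actors. The rename `dataStore` → `data-store` and the removal of `other` in favour of the Custom Asset Type are breaking for any consumer of the earlier 2.0 draft; presumably acceptable before release, but worth a line in the commit message.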
@@ -690,6 +694,14 @@
 "serviceRef"
 ]
 },
+ {
+ "title": "Party Reference Asset",
+ "description": "An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.",
+ "required": [
+ "bom-ref",
+ "partyRef"
+ ]
+ },
 {
 "title": "Inline Asset",
 "description": "An asset defined inline within the blueprint with an explicit type and name.",
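Review bot: The new `Party Reference Asset` variant only asserts the presence of `bom-ref` and `partyRef`; it does not exclude `componentRef` or `serviceRef`, so an asset carrying both `partyRef` and `serviceRef` satisfies two variants. The enclosing combinator is outside this hunk: under `oneOf` such an asset fails with an error that does not name the conflict, under `anyOf` it passes silently. If the three reference kinds are meant to be mutually exclusive, add `"not": { "anyOf": [ { "required": ["componentRef"] }, { "required": ["serviceRef"] } ] }` to this variant (and the mirror in the component and service variants), or state in the description that only one reference kind may be given.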
@@ -719,84 +731,113 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the data store" + "description": "Name of the data store." }, "description": { "type": "string", "title": "Description", - "description": "Purpose and contents of the store" + "description": "Purpose and contents of the store." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "blob", - "blockchain", - "cache", - "columnFamily", - "custom", - "dataLake", - "dataWarehouse", - "document", - "eventLog", - "file", - "graph", - "inMemory", - "keyValue", - "messageQueue", - "object", - "other", - "registry", - "search", - "spatial", - "sql", - "timeSeries", - "vector" - ], - "meta:enum": { - "blob": "Binary/blob storage", - "blockchain": "Distributed ledger or blockchain storage", - "cache": "Caching tier", - "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", - "custom": "Custom or mixed storage technology", - "dataLake": "Data lake or lakehouse for raw and semi-structured data", - "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", - "document": "Document database (e.g., MongoDB)", - "eventLog": "Event log or append-only streaming store (e.g., Kafka)", - "file": "File system or NAS", - "graph": "Graph database", - "inMemory": "In-memory data store used as a primary store", - "keyValue": "Key-value store", - "messageQueue": "Message queue or broker with persistent storage", - "object": "Object storage", - "other": "Other storage technology not listed", - "registry": "Configuration or service registry (e.g., etcd, Consul)", - "search": "Search index or full-text search engine (e.g., Elasticsearch)", - "spatial": "Spatial or geospatial database", - "sql": "Relational database", - "timeSeries": "Time-series database", - "vector": "Vector database for embeddings and similarity search" - } + "description": "The type of data store. 
Use the custom option for technologies not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Data Store Type", + "enum": [ + "block", + "blockchain", + "cache", + "column-family", + "data-lake", + "data-warehouse", + "document", + "event-log", + "file", + "graph", + "hierarchical", + "in-memory", + "key-value", + "ledger", + "message-queue", + "multi-model", + "object", + "registry", + "relational", + "search", + "spatial", + "time-series", + "vector" + ], + "meta:enum": { + "block": "Block storage exposing raw volumes.", + "blockchain": "Distributed ledger or blockchain storage.", + "cache": "Caching tier.", + "column-family": "Wide-column or column-family store.", + "data-lake": "Data lake or lakehouse for raw and semi-structured data.", + "data-warehouse": "Analytical data warehouse optimised for OLAP workloads.", + "document": "Document database.", + "event-log": "Event log or append-only streaming store.", + "file": "File system or network-attached storage.", + "graph": "Graph database.", + "hierarchical": "Hierarchical or tree-structured database, such as a directory store.", + "in-memory": "In-memory data store used as a primary store.", + "key-value": "Key-value store.", + "ledger": "Immutable, append-only ledger database.", + "message-queue": "Message queue or broker with persistent storage.", + "multi-model": "A store supporting multiple data models.", + "object": "Object storage.", + "registry": "Configuration or service registry.", + "relational": "Relational database.", + "search": "Search index or full-text search engine.", + "spatial": "Spatial or geospatial database.", + "time-series": "Time-series database.", + "vector": "Vector database for embeddings and similarity search." 
+ } + }, + { + "type": "object", + "title": "Custom Data Store Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom data store type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data store type." + } + } + } + ] }, "vendor": { "type": "string", "title": "Vendor", - "description": "The vendor or publisher of the data store product" + "description": "The vendor or publisher of the data store product." }, "product": { "type": "string", "title": "Product", - "description": "The name of the data store product" + "description": "The name of the data store product." }, "version": { "type": "string", "title": "Version", - "description": "The version of the data store product" + "description": "The version of the data store product." }, "environment": { "type": "string", "title": "Environment", - "description": "Deployment environment (prod, test, etc.)" + "description": "Deployment environment (prod, test, etc.)." }, "zone": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", @@ -805,7 +846,7 @@ "location": { "type": "string", "title": "Location", - "description": "Physical or logical hosting location" + "description": "Physical or logical hosting location." }, "technologies": { "type": "array", @@ -814,7 +855,7 @@ "items": { "type": "string" }, - "description": "Supporting technologies or services" + "description": "Supporting technologies or services." }, "dataSets": { "type": "array", @@ -832,7 +873,7 @@ "items": { "$ref": "#/$defs/authorizationType" }, - "description": "Authorization models supported/required" + "description": "Authorization models supported/required." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
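Review bot: `blob` is removed and `block` added with a different meaning ("Block storage exposing raw volumes" versus the former "Binary/blob storage"), so this is a semantic change rather than a rename; blob storage maps most naturally to `object`, and the `object` entry could say so, e.g. `"object": "Object or blob storage."`. `blockchain` and the new `ledger` also overlap as described; distinguishing them in meta:enum (decentralised, multi-party ledger versus single-operator append-only ledger) keeps the choice unambiguous for document authors. Dropping `custom` and `other` in favour of the Custom Data Store Type object is consistent with the other type properties in this change.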
@@ -857,13 +898,13 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the dataset" + "description": "Name of the dataset." }, "description": { "type": "string", "title": "Description", "minLength": 1, - "description": "What information is contained and why it exists" + "description": "What information is contained and why it exists." }, "dataProfiles": { "type": "array", @@ -904,7 +945,7 @@ "items": { "$ref": "#/$defs/authorizationType" }, - "description": "Authorization models supported/required" + "description": "Authorization models supported/required." }, "placements": { "type": "array", @@ -926,21 +967,21 @@ "encrypted": { "type": "boolean", "title": "Encrypted", - "description": "Whether the dataset is encrypted at this location" + "description": "Whether the dataset is encrypted at this location." }, "retention": { "type": "string", "title": "Retention", - "description": "Retention policy for this placement" + "description": "Retention policy for this placement." }, "replicated": { "type": "boolean", "title": "Replicated", - "description": "Indicates if this placement is a replica" + "description": "Indicates if this placement is a replica." } } }, - "description": "Where the dataset resides" + "description": "Where the dataset resides." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
@@ -957,41 +998,68 @@ "properties": { "name": { "type": "string", - "description": "Name of the interface" + "description": "Name of the interface." }, "type": { - "type": "string", - "enum": [ - "rest", - "graphql", - "grpc", - "soap", - "messaging", - "file", - "database", - "cli", - "gui", - "api", - "event", - "stream" - ], - "description": "Type of interface" + "title": "Type", + "description": "The type of interface. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Interface Type", + "enum": [ + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" + ] + }, + { + "type": "object", + "title": "Custom Interface Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom interface type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom interface type." + } + } + } + ] }, "description": { "type": "string", - "description": "Description of the interface" + "description": "Description of the interface." }, "specification": { "type": "string", - "description": "Link or reference to interface specification" + "description": "Link or reference to interface specification." }, "protocol": { "type": "string", - "description": "Communication protocol used" + "description": "Communication protocol used." }, "dataFormat": { "type": "string", - "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + "description": "Data format (e.g., JSON, XML, Protocol Buffers)." }, "authentication": { "type": "array", 
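Review bot: The `Predefined Interface Type` enum is the only predefined enum in this change without a `meta:enum`, so the overlap between `api` and `rest`, `graphql`, `grpc`, `soap`, and between `event`, `messaging` and `stream`, is left to the reader. A `meta:enum` map in the style of the asset and data store types would resolve it, with `api` described as the fallback for API styles not otherwise listed. The enum is also not alphabetised, unlike the other predefined enums here. Separately, the `name` property of this definition has no `title` and no `minLength`, whereas the `name` of asset, zone, boundary and flow require `minLength: 1`; that line is context rather than new code, but `"minLength": 1` would bring it in line.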
@@ -1004,14 +1072,14 @@
 "items": {
 "type": "string"
 },
- "description": "Operations or methods exposed"
+ "description": "Operations or methods exposed."
 }
 }
 },
 "zone": {
 "type": "object",
 "title": "Zone",
- "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.",
+ "description": "A grouping of assets that share a common characteristic, security posture, or administrative control, so they can be reasoned about as a unit. A zone may be logical, physical, network, trust, or another kind, may nest within a parent zone, and is connected to or separated from other zones by boundaries.",
 "required": [
 "bom-ref",
 "name",
@@ -1026,36 +1094,73 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the zone" + "description": "Name of the zone." }, "description": { "type": "string", "title": "Description", - "description": "Description of the zone's characteristics" + "description": "Description of the zone's characteristics." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "deployment", - "functional", - "logical", - "network", - "organizational", - "other", - "physical", - "trust" - ], - "meta:enum": { - "deployment": "Deployment environment (e.g., dev, staging, prod)", - "functional": "Functional grouping", - "logical": "Logical grouping or boundary", - "network": "Network segmentation zone", - "organizational": "Organizational or administrative boundary", - "other": "Other zone type not listed", - "physical": "Physical location or boundary", - "trust": "Security trust zone" - } + "description": "The type of zone. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Zone Type", + "enum": [ + "availability", + "compliance", + "data", + "deployment", + "functional", + "geographic", + "logical", + "network", + "organizational", + "physical", + "process", + "tenant", + "trust" + ], + "meta:enum": { + "availability": "An availability or fault-isolation zone, such as a cloud availability zone, used to bound the blast radius of failures and reason about redundancy and resilience.", + "compliance": "A compliance scope zone whose assets fall under a specific regulatory regime, such as PCI DSS, HIPAA, or FedRAMP, delineating what is in scope and the controls applied.", + "data": "A data classification zone grouping assets by the sensitivity of the data they hold or process, such as public, internal, confidential, or restricted.", + "deployment": "A deployment environment grouping assets by lifecycle stage, such as development, staging, or production.", + "functional": "A 
functional grouping of assets that serve a common purpose or capability, independent of where or how they are deployed.", + "geographic": "A geographic or data-residency zone bounding assets to a region, country, or jurisdiction, used to reason about sovereignty and cross-border data flows.", + "logical": "A logical grouping of assets defined by architecture or design rather than physical placement.", + "network": "A network segmentation zone, such as a subnet, VLAN, or security group, within which assets share network-level reachability and controls.", + "organizational": "An organizational or administrative zone grouping assets under a common owner, team, or authority.", + "physical": "A physical zone bounding assets to a tangible location, such as a data centre, building, or device enclosure.", + "process": "A process or execution isolation zone, such as a sandbox, container runtime, or trusted execution environment, within which code runs with a defined level of isolation.", + "tenant": "A tenancy isolation zone separating the assets and data of one tenant from another in a multi-tenant system.", + "trust": "A security trust zone whose assets share a common level of trust, so that movement between trust zones is where authentication, authorization, and validation are enforced." + } + }, + { + "type": "object", + "title": "Custom Zone Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom zone type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom zone type." + } + } + } + ] }, "parent": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", @@ -1068,7 +1173,7 @@ "items": { "type": "string" }, - "description": "Key characteristics of this zone" + "description": "Key characteristics of this zone." }, "constraints": { "type": "array", 
@@ -1077,7 +1182,7 @@
 "items": {
 "type": "string"
 },
- "description": "Constraints or limitations of this zone"
+ "description": "Constraints or limitations of this zone."
 },
 "properties": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
@@ -1087,7 +1192,7 @@
 "boundary": {
 "type": "object",
 "title": "Boundary",
- "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.",
+ "description": "An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.",
 "required": [
 "bom-ref",
 "zones"
@@ -1101,31 +1206,56 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the boundary" + "description": "Name of the boundary." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "data", - "functional", - "network", - "organizational", - "other", - "physical", - "process", - "trust" - ], - "meta:enum": { - "data": "Data classification boundary", - "functional": "Functional boundary", - "network": "Network boundary or firewall", - "organizational": "Organizational boundary", - "other": "A boundary type not covered by the predefined enumeration", - "physical": "Physical security boundary", - "process": "Process or execution boundary", - "trust": "Trust boundary between different security zones" - } + "description": "The type of boundary. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Boundary Type", + "enum": [ + "data", + "functional", + "network", + "organizational", + "physical", + "process", + "trust" + ], + "meta:enum": { + "data": "A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.", + "functional": "A functional boundary between areas of differing responsibility or capability.", + "network": "A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.", + "organizational": "An organizational or administrative boundary between assets under different ownership or authority.", + "physical": "A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.", + "process": "A process or execution boundary between isolation contexts, such as between a sandbox and its host.", + "trust": "A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input validation are enforced and a key trigger for threat 
analysis." + } + }, + { + "type": "object", + "title": "Custom Boundary Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom boundary type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom boundary type." + } + } + } + ] }, "zones": { "type": "array", @@ -1158,7 +1288,7 @@ "items": { "$ref": "#/$defs/authenticationType" }, - "description": "Authentication required to cross this boundary" + "description": "Authentication required to cross this boundary." }, "authorization": { "type": "array", @@ -1167,32 +1297,32 @@ "items": { "$ref": "#/$defs/authorizationType" }, - "description": "Authorization models enforced at this boundary" + "description": "Authorization models enforced at this boundary." }, "dataValidation": { "type": "boolean", "title": "Data Validation", - "description": "Whether data is validated when crossing this boundary" + "description": "Whether data is validated when crossing this boundary." }, "dataTransformation": { "type": "boolean", "title": "Data Transformation", - "description": "Whether data is transformed when crossing this boundary" + "description": "Whether data is transformed when crossing this boundary." }, "logging": { "type": "boolean", "title": "Logging", - "description": "Whether crossings are logged" + "description": "Whether crossings are logged." }, "monitoring": { "type": "boolean", "title": "Monitoring", - "description": "Whether crossings are monitored" + "description": "Whether crossings are monitored." }, "rateLimit": { "type": "string", "title": "Rate Limit", - "description": "Rate limiting policy" + "description": "Rate limiting policy." }, "protocols": { "type": "array", 
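Review bot: `dataValidation`, `dataTransformation`, `logging` and `monitoring` are optional booleans with no `default`, so omitting one means "not stated" rather than `false`, and a consumer that scores a trust boundary by these fields can read absence as absence of the control. The descriptions should make the three-state reading explicit, e.g. `"description": "Whether data is validated when crossing this boundary. Omit when not known; false states that validation is absent."`, with parallel wording for the other three. `rateLimit` is free text; if a structured form is not wanted, the description should at least say which limit is meant (requests per period, bandwidth). The enclosing crossing-requirements object opens outside this hunk.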
@@ -1201,7 +1331,7 @@
 "items": {
 "type": "string"
 },
- "description": "Allowed protocols for crossing"
+ "description": "Allowed protocols for crossing."
 }
 }
 },
@@ -1225,40 +1355,65 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name or description of the flow" + "description": "Name or description of the flow." }, "description": { "type": "string", "title": "Description", - "description": "Detailed description of what flows and why" + "description": "Detailed description of what flows and why." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "control", - "data", - "dependency", - "event", - "interaction", - "message", - "other", - "physical", - "process", - "signal" - ], - "meta:enum": { - "control": "Control or command flow", - "data": "Data or information flow", - "dependency": "Dependency relationship", - "event": "Event or notification flow", - "interaction": "User or system interaction", - "message": "Message or communication flow", - "other": "A flow type not covered by the predefined enumeration", - "physical": "Physical movement of goods or materials", - "process": "Business process flow", - "signal": "Hardware or system signal" - } + "description": "The type of flow. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Flow Type", + "enum": [ + "control", + "data", + "energy", + "event", + "financial", + "message", + "physical", + "process", + "signal" + ], + "meta:enum": { + "control": "Control or command flow.", + "data": "Data or information flow.", + "energy": "Power or energy flow.", + "event": "Event or notification flow.", + "financial": "Financial, value, or payment flow.", + "message": "Message or communication flow.", + "physical": "Physical movement of goods or materials.", + "process": "Business process flow.", + "signal": "Hardware or system signal." 
+ } + }, + { + "type": "object", + "title": "Custom Flow Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom flow type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom flow type." + } + } + } + ] }, "source": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", @@ -1272,22 +1427,22 @@ "type": "boolean", "title": "Bidirectional", "default": false, - "description": "Whether flow occurs in both directions" + "description": "Whether flow occurs in both directions." }, "synchronous": { "type": "boolean", "title": "Synchronous", - "description": "Whether the flow is synchronous or asynchronous" + "description": "Whether the flow is synchronous or asynchronous." }, "volume": { "type": "string", "title": "Volume", - "description": "Expected volume or frequency of flow" + "description": "Expected volume or frequency of flow." }, "timing": { "type": "string", "title": "Timing", - "description": "Timing characteristics (real-time, batch, scheduled)" + "description": "Timing characteristics (real-time, batch, scheduled)." }, "protocols": { "type": "array", @@ -1296,7 +1451,7 @@ "items": { "type": "string" }, - "description": "Communication protocols used by this flow" + "description": "Communication protocols used by this flow." }, "dataProfiles": { "type": "array", @@ -1323,7 +1478,7 @@ "items": { "$ref": "#/$defs/authenticationType" }, - "description": "Authentication required for this flow" + "description": "Authentication required for this flow." }, "authorization": { "type": "array", 
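Review bot: `dependency` and `interaction` are removed from the flow type enum without a successor value: a user-to-system interaction now has to be expressed as `message`, `data` or a Custom Flow Type, and a dependency relationship presumably moves to the asset `dependencies` array seen earlier in this change. If that is the intent, the `type` description should say so, e.g. appending `Structural dependencies belong in an asset's dependencies rather than in a flow.`; otherwise `interaction` should be kept, since actor-to-system flows are the usual input to a threat model. The new `energy` and `financial` values have no counterpart in the boundary or zone enums, which is fine as long as it is deliberate.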
@@ -1332,13 +1487,13 @@ "items": { "$ref": "#/$defs/authorizationType" }, - "description": "Authorization models enforced on this flow" + "description": "Authorization models enforced on this flow." }, "sequence": { "type": "integer", "title": "Sequence", "minimum": 0, - "description": "Ordering hint so flows can be assembled into sequence diagrams" + "description": "Ordering hint so flows can be assembled into sequence diagrams." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
@@ -1404,31 +1559,56 @@ "type": "string", "title": "Description", "minLength": 1, - "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies." }, "topic": { - "type": "string", "title": "Topic", - "enum": [ - "availability", - "business", - "compliance", - "operational", - "other", - "performance", - "security", - "technical" - ], - "meta:enum": { - "availability": "Assumption about system uptime, redundancy, or failover capabilities", - "business": "Assumption about business requirements, constraints, or organizational context", - "compliance": "Assumption about regulatory, legal, or policy compliance obligations", - "operational": "Assumption about operational procedures, staffing, or maintenance practices", - "other": "An assumption topic not covered by the predefined enumeration", - "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", - "security": "Assumption about threat landscape, trust boundaries, or security controls", - "technical": "Assumption about technology choices, capabilities, or technical constraints" - } + "description": "The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Assumption Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities.", + "business": "Assumption about business requirements, constraints, or organizational context.", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations.", + "operational": "Assumption about operational procedures, staffing, or maintenance practices.", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics.", + "security": "Assumption about threat landscape, trust boundaries, or security controls.", + "technical": "Assumption about technology choices, capabilities, or technical constraints." + } + }, + { + "type": "object", + "title": "Custom Assumption Topic", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assumption topic." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assumption topic." + } + } + } + ] }, "relatedAssets": { "type": "array", 
@@ -1449,18 +1629,18 @@ "verified" ], "meta:enum": { - "invalid": "The assumption has been disproven or is no longer applicable", - "unknown": "The validity of the assumption has not yet been assessed", - "unverified": "The assumption has been identified but not yet validated", - "verified": "The assumption has been confirmed as true through validation" + "invalid": "The assumption has been disproven or is no longer applicable.", + "unknown": "The validity of the assumption has not yet been assessed.", + "unverified": "The assumption has been identified but not yet validated.", + "verified": "The assumption has been confirmed as true through validation." }, "default": "unknown", - "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound." }, "impact": { "type": "string", "title": "Impact", - "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components." }, "owner": { "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", 
@@ -1469,20 +1649,20 @@ "validationMethod": { "type": "string", "title": "Validation Method", - "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement." }, "validationDate": { "type": "string", "title": "Validation Date", "format": "date-time", - "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation." } } }, "visualization": { "type": "object", "title": "Visualization", - "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", + "description": "A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.", "required": [ "name", "type" 
@@ -1496,29 +1676,24 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name or title of the visualization" + "description": "Name or title of the visualization." }, "description": { "type": "string", "title": "Description", - "description": "Description of what the visualization shows" + "description": "Description of what the visualization shows." }, "type": { "$ref": "#/$defs/visualizationType" }, - "format": { - "$ref": "#/$defs/visualizationFormat" - }, - "content": { - "type": "string", - "title": "Content", - "description": "The diagram content (source code or base64 encoded image)" + "attachment": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" }, "url": { "type": "string", "title": "URL", "format": "iri-reference", - "description": "URL to the diagram if stored externally" + "description": "URL to the diagram if stored externally." }, "level": { "type": "string", @@ -1530,12 +1705,12 @@ "overview" ], "meta:enum": { - "detailed": "Fine-grained view showing implementation-level specifics", - "high": "High-level view showing major components and relationships", - "medium": "Intermediate view balancing breadth and depth", - "overview": "Top-level summary providing a broad perspective of the system" + "detailed": "Fine-grained view showing implementation-level specifics.", + "high": "High-level view showing major components and relationships.", + "medium": "Intermediate view balancing breadth and depth.", + "overview": "Top-level summary providing a broad perspective of the system." }, - "description": "Level of detail in the visualization" + "description": "Level of detail in the visualization." }, "elements": { "type": "array", @@ -1549,7 +1724,7 @@ "interactive": { "type": "boolean", "title": "Interactive", - "description": "Whether the visualization is interactive" + "description": "Whether the visualization is interactive." }, "layers": { "type": "array", 
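Review bot: Replacing `format` and `content` with the common `attachment` drops the only place the diagram source language was recorded, and if the shared attachment carries just a media type and encoding (its definition is not in this patch) two of the removed `format` values, Mermaid and PlantUML, have no registered media type, so a consumer cannot tell which renderer a textual attachment needs. I would state the convention on the property itself, e.g. `"description": "The diagram as an embedded attachment. For textual diagram sources, set the attachment media type to identify the diagram language, for example text/vnd.graphviz for DOT."`, and say what value to use for languages without a registered type. Nothing still requires either `attachment` or `url`, which was also true of the old `content`/`url` pair. The enclosing `visualization` object starts before and continues after this hunk.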
@@ -1558,7 +1733,7 @@ "items": { "type": "string" }, - "description": "Layers or views available in the visualization" + "description": "Layers or views available in the visualization." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" 
@@ -1584,38 +1759,50 @@ "enum": [ "activity", "architecture", + "attack-tree", + "block", "class", "code", - "collaboration", + "communication", "component", "container", "context", - "dataFlow", + "data-flow", "deployment", "entity", + "flowchart", + "matrix", + "mind-map", "network", "process", "sequence", "state", - "useCase" + "timing", + "use-case" ], "meta:enum": { - "activity": "Activity or workflow diagram", - "architecture": "System architecture diagram", - "class": "Class or object diagram", - "code": "Code structure diagram", - "collaboration": "Collaboration diagram", - "component": "Component diagram", - "container": "Container diagram (C4)", - "context": "Context diagram", - "dataFlow": "Data flow diagram (DFD)", - "deployment": "Deployment or infrastructure diagram", - "entity": "Entity relationship diagram", - "network": "Network topology diagram", - "process": "Business process diagram", - "sequence": "Sequence or interaction diagram", - "state": "State machine diagram", - "useCase": "Use case diagram" + "activity": "Activity or workflow diagram.", + "architecture": "System architecture diagram.", + "attack-tree": "Attack tree diagram showing alternative paths to a goal.", + "block": "Block diagram, including SysML block definition and internal block diagrams.", + "class": "Class or object diagram.", + "code": "Code structure diagram.", + "communication": "Communication diagram, formerly known as the collaboration diagram.", + "component": "Component diagram.", + "container": "Container diagram, as in C4.", + "context": "Context diagram.", + "data-flow": "Data flow diagram, or DFD.", + "deployment": "Deployment or infrastructure diagram.", + "entity": "Entity relationship diagram.", + "flowchart": "Flowchart depicting steps or decision logic.", + "matrix": "Matrix diagram, such as a dependency structure or traceability matrix.", + "mind-map": "Mind map diagram for decomposition or brainstorming.", + "network": "Network topology diagram.", + 
"process": "Business process diagram.", + "sequence": "Sequence or interaction diagram.", + "state": "State machine diagram.", + "timing": "Timing diagram showing state changes over time.", + "use-case": "Use case diagram." } } } 
@@ -1632,80 +1819,12 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "The name of the custom visualization type" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom visualization type" - } - } - } - ] - }, - "visualizationFormat": { - "type": "object", - "title": "Visualization Format", - "description": "The rendering format or toolchain used to produce the visualization.", - "oneOf": [ - { - "title": "Predefined Visualization Format", - "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", - "required": [ - "format" - ], - "additionalProperties": false, - "properties": { - "format": { - "type": "string", - "title": "Format", - "enum": [ - "archimate", - "cytoscape", - "d3", - "drawio", - "graphviz", - "jpeg", - "mermaid", - "plantuml", - "png", - "svg", - "visio" - ], - "meta:enum": { - "archimate": "ArchiMate model format", - "cytoscape": "Cytoscape graph format", - "d3": "D3.js visualization", - "drawio": "Draw.io/diagrams.net format", - "graphviz": "GraphViz DOT language", - "jpeg": "JPEG image format", - "mermaid": "Mermaid diagram language", - "plantuml": "PlantUML diagram language", - "png": "Portable Network Graphics", - "svg": "Scalable Vector Graphics", - "visio": "Microsoft Visio format" - } - } - } - }, - { - "title": "Custom Visualization Format", - "description": "A custom visualization format not covered by the predefined enumeration.", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "The name of the custom visualization format" + "description": "The name of the custom visualization type." }, "description": { "type": "string", "title": "Description", - "description": "A description of the custom visualization format" + "description": "A description of the custom visualization type." } } } 
@@ -1721,36 +1840,19 @@ "classification": { "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" }, - "tier": { - "type": "string", - "enum": [ - "tier0", - "tier1", - "tier2", - "tier3", - "tier4" - ], - "meta:enum": { - "tier0": "Mission critical - highest priority", - "tier1": "Business critical - high priority", - "tier2": "Business important - medium priority", - "tier3": "Business supporting - low priority", - "tier4": "Non-critical - minimal priority" - } - }, "categories": { "type": "array", "items": { "type": "string" }, - "description": "Business or technical categories" + "description": "Business or technical categories." }, "tags": { "type": "array", "items": { "type": "string" }, - "description": "Tags for classification and search" + "description": "Tags for classification and search." } } }, 
@@ -1772,44 +1874,66 @@ "title": "Predefined Authentication Type", "description": "A predefined authentication method from the enumeration.", "enum": [ - "apiKey", + "api-key", "basic", "bearer", + "biometric", "certificate", "digest", + "eap", "fido2", + "form", + "hmac", "jwt", "kerberos", "ldap", - "mfa", - "mTLS", + "magic-link", + "mtls", "none", "ntlm", "oauth1", "oauth2", "oidc", + "pin", + "psk", + "push", + "radius", "saml", - "ssh" + "scram", + "session", + "ssh", + "totp" ], "meta:enum": { - "apiKey": "API key authentication.", - "basic": "Basic authentication (username and password).", + "api-key": "API key authentication.", + "basic": "HTTP Basic authentication (RFC 7617), where the browser presents a native credential dialog and the username and password are sent on each request.", "bearer": "Bearer token authentication.", + "biometric": "Biometric authentication, such as fingerprint or face recognition.", "certificate": "Certificate-based authentication.", "digest": "Digest authentication.", + "eap": "Extensible Authentication Protocol, commonly used with IEEE 802.1X.", "fido2": "FIDO2 or WebAuthn passwordless authentication.", + "form": "Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.", + "hmac": "HMAC request signing using a shared secret key.", "jwt": "JSON Web Token authentication.", "kerberos": "Kerberos authentication.", "ldap": "LDAP directory authentication.", - "mfa": "Multi-factor authentication.", - "mTLS": "Mutual TLS authentication.", + "magic-link": "Passwordless authentication using a single-use link.", + "mtls": "Mutual TLS authentication.", "none": "No authentication required.", "ntlm": "NTLM authentication.", "oauth1": "OAuth 1.0 authentication.", "oauth2": "OAuth 2.0 authentication.", "oidc": "OpenID Connect authentication.", + "pin": "Personal identification number, a short secret used as a knowledge 
factor, such as a device or application unlock PIN.", + "psk": "Pre-shared key authentication.", + "push": "Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.", + "radius": "RADIUS authentication.", "saml": "SAML authentication.", - "ssh": "SSH key authentication." + "scram": "Salted Challenge Response Authentication Mechanism.", + "session": "Session authentication, typically using a server-side session and cookie.", + "ssh": "SSH key authentication.", + "totp": "Time-based one-time password authentication." } }, { @@ -1847,22 +1971,24 @@ "enum": [ "abac", "acl", - "cbac", + "capability", "dac", "mac", "none", "pbac", + "radac", "rbac", "rebac" ], "meta:enum": { "abac": "Attribute-Based Access Control.", "acl": "Access Control Lists.", - "cbac": "Claims-Based Access Control.", + "capability": "Capability-Based Access Control.", "dac": "Discretionary Access Control.", "mac": "Mandatory Access Control.", "none": "No authorization controls.", "pbac": "Policy-Based Access Control.", + "radac": "Risk-Adaptive Access Control.", "rbac": "Role-Based Access Control.", "rebac": "Relationship-Based Access Control." } diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index 90080c1f6..f3d47965b 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
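Review bot: The new `basic` description bakes a browser behaviour into a protocol definition: RFC 7617 says nothing about a credential dialog, and HTTP Basic is at least as common between services and CLI tools as in browsers, so the text misdescribes most uses. I would make it `"basic": "HTTP Basic authentication (RFC 7617), where the username and password are sent base64-encoded in the Authorization header on each request."` and likewise trim `form` to `"form": "Form-based authentication, where credentials such as a username and password are submitted through an application login form."`, which still distinguishes the two. Separately, `mfa` is removed while the added values (`totp`, `push`, `pin`, `biometric`) are single factors; if the property that references this enum is single-valued (not visible here), a multi-factor scheme can no longer be recorded, so either keep `mfa` or document that several values are combined at the referencing property. The enum's enclosing definition starts before this hunk.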
@@ -8,7 +8,7 @@ "risks": { "type": "object", "title": "Risks", - "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The risk model is methodology-neutral and can document risk regardless of the risk rating framework used. It supports qualitative, semi-quantitative, and quantitative approaches by recording a qualitative `level`, a numeric `score`, or quantified loss, with the originating methodology identified on each score. Each risk distinguishes the risk before responses are applied (`inherentRisk`) from the risk that remains after them (`residualRisk`), with an optional `targetRisk` reflecting risk appetite, consistent with the process described in [ISO 31000](https://www.iso.org/iso-31000-risk-management.html). Specific rating techniques are not prescribed; [IEC 31010](https://www.iso.org/standard/72140.html) catalogues the available techniques.", + "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. 
Each risk separates inherent, residual, and target ratings so risk reduction is explicit.", "additionalProperties": false, "properties": { "risks": { diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index a254b1609..694e8c402 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json 
@@ -65,11 +65,73 @@ }, "description": "The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics." }, + "methodologies": { + "type": "array", + "title": "Methodologies", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/methodology" + }, + "description": "The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack trees." + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } } }, + "methodology": { + "title": "Threat Modeling Methodology", + "description": "A threat modeling methodology applied to produce this threat model. Use the custom option for methodologies not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Threat Modeling Methodology", + "enum": [ + "STRIDE", + "LINDDUN", + "PASTA", + "MAESTRO", + "OWASP", + "TRIKE", + "VAST", + "ATFAA", + "attack-tree" + ], + "meta:enum": { + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.", + "PASTA": "Process for Attack Simulation and Threat Analysis.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.", + "OWASP": "OWASP threat modelling methodology.", + "TRIKE": "Risk-based threat modelling methodology.", + "VAST": "Visual, Agile, and Simple Threat modelling.", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.", + "attack-tree": "Attack tree methodology, decomposing attacker goals into sub-goals and techniques." 
+ } + }, + { + "type": "object", + "title": "Custom Threat Modeling Methodology", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom threat modeling methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom threat modeling methodology." + } + } + } + ] + }, "threat": { "type": "object", "title": "Threat", @@ -108,14 +170,14 @@ "items": { "type": "object", "title": "Threat Category", - "description": "A threat category. The methodology determines the permitted category values.", + "description": "A threat category. The taxonomy determines the permitted category values.", "additionalProperties": false, - "required": ["methodology", "category"], + "required": ["taxonomy", "category"], "properties": { - "methodology": { + "taxonomy": { "type": "string", - "title": "Methodology", - "description": "The threat-modelling methodology that the category is drawn from.", + "title": "Taxonomy", + "description": "The threat classification taxonomy that the category is drawn from.", "enum": ["STRIDE", "LINDDUN", "MAESTRO", "MITRE-ATTACK"], "meta:enum": { "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.", @@ -128,14 +190,14 @@ "type": "string", "minLength": 1, "title": "Category", - "description": "The category within the methodology. The permitted values are determined by the methodology." + "description": "The category within the taxonomy. The permitted values are determined by the taxonomy." } }, "allOf": [ { "if": { - "required": ["methodology"], - "properties": { "methodology": { "const": "STRIDE" } } + "required": ["taxonomy"], + "properties": { "taxonomy": { "const": "STRIDE" } } }, "then": { "properties": { 
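Review bot: The new `methodology` enum mixes casing, with `attack-tree` in lowercase kebab-case next to `STRIDE`, `LINDDUN` and `MAESTRO` in uppercase, while the `taxonomy` enum in this same file keeps uppercase (`MITRE-ATTACK`) and the other schemas in this series were normalised to lowercase kebab-case (`api-key`, `data-flow`, `mtls`); pick one convention per file and apply it to `attack-tree` so tooling that case-matches enum values does not have to special-case it. Spelling is also inconsistent inside the hunk, `"The threat modeling methodologies applied"` and `"Custom Threat Modeling Methodology"` against `"OWASP threat modelling methodology."`; the removed text used "modelling", so I would align on that. `"OWASP": "OWASP threat modelling methodology."` names no specific process and should either cite the document meant or be dropped from the predefined list in favour of the custom form.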
@@ -155,8 +217,8 @@ }, { "if": { - "required": ["methodology"], - "properties": { "methodology": { "const": "LINDDUN" } } + "required": ["taxonomy"], + "properties": { "taxonomy": { "const": "LINDDUN" } } }, "then": { "properties": { @@ -177,8 +239,8 @@ }, { "if": { - "required": ["methodology"], - "properties": { "methodology": { "const": "MAESTRO" } } + "required": ["taxonomy"], + "properties": { "taxonomy": { "const": "MAESTRO" } } }, "then": { "properties": { @@ -199,8 +261,8 @@ }, { "if": { - "required": ["methodology"], - "properties": { "methodology": { "const": "MITRE-ATTACK" } } + "required": ["taxonomy"], + "properties": { "taxonomy": { "const": "MITRE-ATTACK" } } }, "then": { "properties": { From 354baf4c6368ad11b762508915bf44ee8ed08f2e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 00:40:20 -0500 Subject: [PATCH 31/44] Corrected mediaType reference issue Signed-off-by: Steve Springett --- schema/2.0/model/cyclonedx-data-2.0.schema.json | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json index 3175c01c6..a783800cf 100644 --- a/schema/2.0/model/cyclonedx-data-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json @@ -347,14 +347,7 @@ "description": "URL or URN pointing to the format specification." }, "mediaType": { - "type": "string", - "title": "Media Type", - "description": "Media type or encoding format, for example application/json, text/csv, application/hl7-v2.", - "examples": [ - "application/json", - "text/csv", - "application/hl7-v2" - ] + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/mediaType" }, "comment": { "type": "string", From f30e142bbd324d9fecafdbb4ea5b5937d23a5602 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 00:51:00 -0500 Subject: [PATCH 32/44] Removed methodology. Provided little value 
Signed-off-by: Steve Springett --- .../model/cyclonedx-blueprint-2.0.schema.json | 94 +------------------ 1 file changed, 2 insertions(+), 92 deletions(-) diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index b313f0c6d..102faf657 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -20,8 +20,7 @@ "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.", "required": [ "name", - "modelTypes", - "methodologies" + "modelTypes" ], "additionalProperties": false, "properties": { @@ -52,15 +51,6 @@ "$ref": "#/$defs/modelType" } }, - "methodologies": { - "type": "array", - "title": "Methodologies", - "uniqueItems": true, - "description": "The modeling methodologies used.", - "items": { - "$ref": "#/$defs/methodology" - } - }, "scope": { "$ref": "#/$defs/scope" }, @@ -243,7 +233,7 @@ { "type": "object", "title": "Custom Model Type", - "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define methodology-specific or domain-specific model categories.", + "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.", "additionalProperties": false, "required": [ "name" 
@@ -264,86 +254,6 @@ } ] }, - "methodology": { - "title": "Methodology", - "description": "The system or architecture modelling notation used to produce the blueprint, either a predefined value from the enumeration or a custom object. The object form may also annotate a predefined methodology with a version or external references. Threat modelling methodologies such as STRIDE and PASTA are recorded in the threat model, not here.", - "oneOf": [ - { - "type": "string", - "title": "Predefined Methodology", - "description": "A predefined methodology from the enumeration.", - "enum": [ - "4+1", - "Archimate", - "BPMN", - "C4", - "DFD", - "DODAF", - "ERD", - "IDEF", - "MODAF", - "NAF", - "SABSA", - "SysML", - "TOGAF", - "UML", - "Zachman" - ], - "meta:enum": { - "4+1": "4+1 Architectural View Model.", - "Archimate": "Enterprise architecture modelling language.", - "BPMN": "Business Process Model and Notation.", - "C4": "C4 Model for software architecture.", - "DFD": "Data Flow Diagrams.", - "DODAF": "Department of Defense Architecture Framework.", - "ERD": "Entity Relationship Diagrams.", - "IDEF": "Integration Definition Methods.", - "MODAF": "Ministry of Defence Architecture Framework.", - "NAF": "NATO Architecture Framework.", - "SABSA": "Sherwood Applied Business Security Architecture.", - "SysML": "Systems Modeling Language.", - "TOGAF": "The Open Group Architecture Framework.", - "UML": "Unified Modeling Language.", - "Zachman": "Zachman Framework." - } - }, - { - "type": "object", - "title": "Custom Methodology", - "description": "A custom methodology not covered by the predefined enumeration, or a predefined methodology that needs to carry a version or external references.", - "additionalProperties": false, - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "The name of the methodology. 
May reference a predefined methodology by its enumerated identifier or a custom methodology name." - }, - "version": { - "type": "string", - "title": "Version", - "description": "The version of the methodology." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the methodology." - }, - "externalReferences": { - "type": "array", - "title": "External References", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" - } - } - } - } - ] - }, "metadata": { "type": "object", "title": "Blueprint Metadata", From d5aa9b0b8cb40d207e91301936d44040e42e9d17 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 02:27:41 -0500 Subject: [PATCH 33/44] Refactor of how behaviors are represented to account for truly event-based scenarios (eg state machines) which cannot be represented in linear flows. Signed-off-by: Steve Springett --- .../model/cyclonedx-behavior-2.0.schema.json | 289 +++++++++++++++--- 1 file changed, 244 insertions(+), 45 deletions(-) diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json index abc489e66..74caf6df1 100644 --- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json @@ -20,13 +20,13 @@ "$ref": "#/$defs/behaviorInstance" } }, - "flows": { + "graphs": { "type": "array", - "title": "Flows", - "description": "Behavior flows that organise behaviors into operational patterns.", + "title": "Graphs", + "description": "Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the two.", "uniqueItems": true, "items": { - "$ref": "#/$defs/behaviorFlow" + "$ref": "#/$defs/behaviorGraph" } } } 
@@ -106,25 +106,22 @@ "ordering": { "type": "string", "title": "Ordering", - "description": "Execution semantics for steps within a flow.", - "default": "sequential", + "description": "Execution semantics for the nodes of a graph when transitions do not fully specify the order.", "enum": [ "sequential", "unordered", - "parallel", - "conditional" + "parallel" ], "meta:enum": { - "sequential": "Steps execute in ordinal order. Each completes before the next begins.", - "unordered": "All steps execute, but order is not guaranteed.", - "parallel": "Steps may execute concurrently.", - "conditional": "Step execution is determined by runtime conditions." + "sequential": "Nodes execute in ordinal order. Each completes before the next begins.", + "unordered": "All nodes execute, but the order is not guaranteed.", + "parallel": "Nodes may execute concurrently." } }, "acknowledgment": { "type": "array", "title": "Acknowledgment", - "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.", + "description": "Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.", "uniqueItems": true, "items": { "type": "string", 
@@ -138,16 +135,49 @@ } } }, - "behaviorFlow": { + "behaviorGraph": { "type": "object", - "title": "Behavior Flow", - "description": "An organised collection of behaviors forming a coherent process.", + "title": "Behavior Graph", + "description": "A graph of nodes joined by transitions that models behaviour over time. A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.", "additionalProperties": false, - "required": ["bom-ref", "steps"], + "required": [ + "bom-ref", + "nodes" + ], "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the graph." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the graph and the behaviour it models." + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "An optional hint at the intent of the graph.", + "enum": [ + "activity", + "state-machine", + "mixed" + ], + "meta:enum": { + "activity": "The graph models a process or activity flow whose nodes are activities.", + "state-machine": "The graph models a state machine whose nodes are states.", + "mixed": "The graph mixes activity and state nodes." + } + }, + "subject": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Subject", + "description": "Reference using bom-link or bom-ref to the object whose behaviour this graph describes." + }, "acknowledgment": { "$ref": "#/$defs/acknowledgment" }, 
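Review bot: The new graph `name` is a bare `"type": "string"`, whereas every other `name` added in this series (custom assumption topic, custom methodology, visualization) carries `"minLength": 1`, so an empty graph name validates here but not elsewhere; add `"minLength": 1` under `"title": "Name"`. The same applies to the `name` properties of `behaviorNode` and `transition` later in this commit. The `behaviorGraph` definition continues past this hunk.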
@@ -157,29 +187,45 @@ "trigger": { "$ref": "#/$defs/trigger" }, - "steps": { + "nodes": { "type": "array", - "title": "Steps", - "description": "The steps that comprise this flow.", + "title": "Nodes", + "description": "The nodes of the graph.", "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/$defs/flowStep" + "$ref": "#/$defs/behaviorNode" + } + }, + "transitions": { + "type": "array", + "title": "Transitions", + "description": "The transitions between nodes. Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/transition" } } }, "allOf": [ { "if": { - "anyOf": [ - { "properties": { "ordering": { "const": "sequential" } }, "required": ["ordering"] }, - { "not": { "required": ["ordering"] } } + "properties": { + "ordering": { + "const": "sequential" + } + }, + "required": [ + "ordering" ] }, "then": { "properties": { - "steps": { + "nodes": { "items": { - "required": ["ordinal"] + "required": [ + "ordinal" + ] } } } 
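Review bot: With `"default": "sequential"` removed from `ordering` earlier in this commit and `transitions` optional, a graph that sets neither now has no defined execution order: the old `allOf` required ordinals whenever `ordering` was omitted, the new one only when it is explicitly `sequential`. I would add `"anyOf": [ { "required": ["ordering"] }, { "required": ["transitions"] } ]` to `behaviorGraph` so at least one source of ordering is present. The `if` branch also still demands an `ordinal` on every node when `ordering` is `sequential` even if `transitions` is given, which contradicts the node-level statement that ordinals are ignored when transitions define the order; adding `"not": { "required": ["transitions"] }` to the `if` would make the schema match that text. The `behaviorGraph` definition starts before this hunk.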
@@ -187,40 +233,75 @@ } ] }, - "flowStep": { + "behaviorNode": { "type": "object", - "title": "Flow Step", - "description": "A single step within a behavior flow.", + "title": "Behavior Node", + "description": "A single node in a behavior graph. The kind determines what the node represents and which additional properties apply.", "additionalProperties": false, + "required": [ + "bom-ref", + "kind" + ], "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "The kind of node.", + "enum": [ + "activity", + "state", + "event", + "gateway", + "initial", + "final" + ], + "meta:enum": { + "activity": "An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.", + "state": "A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.", + "event": "An intermediate event that occurs during the graph.", + "gateway": "A branch or merge point whose outgoing transitions carry the guards.", + "initial": "The starting point of the graph or of a composite node.", + "final": "A completion point of the graph or of a composite node." + } + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the node." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the node." + }, "ordinal": { "type": "integer", "title": "Ordinal", - "description": "Position within the flow. Required when ordering is 'sequential' or omitted.", - "minimum": 1 + "minimum": 1, + "description": "Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order." 
}, "behavior": { "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", - "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'." - }, - "trigger": { - "$ref": "#/$defs/trigger" + "description": "For an activity node, the behavior performed, drawn from the taxonomy. Mutually exclusive with 'ref' and 'graph'." }, "ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", "title": "Behavior Reference", - "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'." + "description": "For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'." }, - "flow": { + "graph": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "title": "Flow Reference", - "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'." + "title": "Graph Reference", + "description": "A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region." }, "actors": { "type": "array", "title": "Actors", - "description": "References using bom-link or bom-ref to objects that perform this step.", + "description": "References using bom-link or bom-ref to objects that perform this node.", "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" 
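Review bot: The `kind` descriptions refer to terms this schema no longer has: `"The activity-flow counterpart of a step."` and `"The state-machine counterpart of a node."` describe the removed `flowStep`, and "counterpart of a node" is confusing when every entry is already a node. I would trim them to `"activity": "An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph."` and `"state": "A durable condition the subject rests in until a transition fires. A composite state references its nested region through 'graph'."`. The `graph` description says a composite node holds its nested region there but does not say which kinds may be composite, which matters because `graph` is only schema-constrained for `activity`. The node `name` also lacks the `minLength: 1` used by the other names in this series. The `behaviorNode` definition continues into the next hunk.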
@@ -229,18 +310,136 @@ "targets": { "type": "array", "title": "Targets", - "description": "References using bom-link or bom-ref to objects affected by this step.", + "description": "References using bom-link or bom-ref to objects affected by this node.", "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" } + }, + "eventType": { + "$ref": "#/$defs/trigger", + "title": "Event Type", + "description": "For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven." + }, + "gatewayKind": { + "type": "string", + "title": "Gateway Kind", + "description": "For a gateway node, the branching semantics applied across its outgoing transitions.", + "enum": [ + "exclusive", + "inclusive", + "parallel", + "complex" + ], + "meta:enum": { + "exclusive": "Exactly one outgoing transition is taken, the first whose guard holds.", + "inclusive": "Every outgoing transition whose guard holds is taken.", + "parallel": "All outgoing transitions are taken concurrently, forking and later joining execution.", + "complex": "Branch selection follows a complex condition described in the transition guards." + } + }, + "onEntry": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "On Entry", + "description": "For a state node, a reference to a behavior instance performed when the state is entered." + }, + "onExit": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "On Exit", + "description": "For a state node, a reference to a behavior instance performed when the state is exited." + }, + "doActivity": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Do Activity", + "description": "For a state node, a reference to a behavior instance performed while the subject remains in the state." 
} }, - "oneOf": [ - { "required": ["behavior"] }, - { "required": ["ref"] }, - { "required": ["flow"] } + "allOf": [ + { + "if": { + "properties": { + "kind": { + "const": "activity" + } + }, + "required": [ + "kind" + ] + }, + "then": { + "oneOf": [ + { + "required": [ + "behavior" + ] + }, + { + "required": [ + "ref" + ] + }, + { + "required": [ + "graph" + ] + } + ] + } + } ] + }, + "transition": { + "type": "object", + "title": "Transition", + "description": "A directed edge from one node to another. In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.", + "additionalProperties": false, + "required": [ + "source", + "target" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the transition." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the transition." + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Source", + "description": "Reference to the source node." + }, + "target": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Target", + "description": "Reference to the target node." + }, + "trigger": { + "$ref": "#/$defs/trigger" + }, + "guard": { + "type": "string", + "title": "Guard", + "description": "A guard condition; the transition fires only when it evaluates to true." + }, + "default": { + "type": "boolean", + "title": "Default", + "description": "Whether this transition is taken when no other guard from the same source node holds." + }, + "effect": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "title": "Effect", + "description": "Reference to a behavior instance performed when the transition fires." + } + } } } } From 3dca97b3c739ef8b68db648a5584a45e20ac866d Mon Sep 17 00:00:00 2001 
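Review bot: The `allOf` added to behaviorNode only constrains `kind: activity`, so the kind-specific properties introduced in the same hunk (`eventType`, `gatewayKind`, `onEntry`, `onExit`, `doActivity`) are accepted on every kind, and a `gateway`, `initial` or `final` node may still carry `behavior`, `ref` or `graph`, which contradicts the description's statement that the kind determines which properties apply. The conditionals below tighten this with the same `if`/`then` pattern: a gateway must carry `gatewayKind`, and properties belonging to another kind are refused with `"not": { "anyOf": [ { "required": [...] } ] }`; the shape is shown for activity and gateway and repeats for state, event, initial and final. Separately, `transition.guard` is described as something that 'evaluates to true' but no expression language is named; a sentence stating that the guard syntax is outside the specification and opaque to consumers, or a `$comment` to that effect, would stop implementations from attempting to evaluate arbitrary guard text.
```json
"allOf": [
  {
    "if": { "properties": { "kind": { "const": "activity" } }, "required": [ "kind" ] },
    "then": {
      "oneOf": [ { "required": [ "behavior" ] }, { "required": [ "ref" ] }, { "required": [ "graph" ] } ],
      "not": { "anyOf": [ { "required": [ "eventType" ] }, { "required": [ "gatewayKind" ] }, { "required": [ "onEntry" ] }, { "required": [ "onExit" ] }, { "required": [ "doActivity" ] } ] }
    }
  },
  {
    "if": { "properties": { "kind": { "const": "gateway" } }, "required": [ "kind" ] },
    "then": {
      "required": [ "gatewayKind" ],
      "not": { "anyOf": [ { "required": [ "behavior" ] }, { "required": [ "ref" ] }, { "required": [ "graph" ] }, { "required": [ "eventType" ] }, { "required": [ "onEntry" ] }, { "required": [ "onExit" ] }, { "required": [ "doActivity" ] } ] }
    }
  },
  { "$comment": "... left out: the same if/then shape for state, event, initial and final ..." }
]
```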
From: Steve Springett Date: Sun, 7 Jun 2026 02:28:36 -0500 Subject: [PATCH 34/44] Minor refactor to introduce blueprint relaltionships. Signed-off-by: Steve Springett --- .../model/cyclonedx-blueprint-2.0.schema.json | 168 ++++++++++++++++-- 1 file changed, 155 insertions(+), 13 deletions(-) diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index 102faf657..3b9def2b4 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -111,6 +111,15 @@ }, "description": "Data, control, or process flows between assets." }, + "relationships": { + "type": "array", + "title": "Relationships", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/relationship" + }, + "description": "Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows." + }, "actors": { "type": "array", "title": "Actors", @@ -512,10 +521,6 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "description": "Reference using bom-link or bom-ref to the zone containing this asset." }, - "parent": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", - "description": "Reference using bom-link or bom-ref to the parent asset if this is a sub-component." - }, "classification": { "$ref": "#/$defs/assetClassification" }, @@ -541,15 +546,6 @@ }, "description": "Interfaces exposed by this asset." }, - "dependencies": { - "type": "array", - "title": "Dependencies", - "uniqueItems": true, - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" - }, - "description": "References using bom-link or bom-ref to assets this asset depends on." - }, "useCases": { "type": "array", "title": "Use Cases", 
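Review bot: The asset `parent` and `dependencies` properties are deleted in the second and third hunks of this commit, but the new `relationships` description in the first hunk does not say which relationship kinds replace them, so an author migrating an existing blueprint has no pointer and the data is silently lost. Extending the description to `"description": "Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows. Containment of sub-components and dependencies between assets are expressed here with the 'contains' and 'dependsOn' relationship kinds."` makes the replacement explicit. Both kinds are defined in the `relationship` definition added later in this commit.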
@@ -1245,6 +1241,152 @@ } } }, + "relationship": { + "type": "object", + "title": "Relationship", + "description": "A typed structural relationship from one element to one or more others, complementing the runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.", + "additionalProperties": false, + "required": [ + "ref" + ], + "oneOf": [ + { + "required": [ + "aggregates" + ] + }, + { + "required": [ + "associates" + ] + }, + { + "required": [ + "composes" + ] + }, + { + "required": [ + "contains" + ] + }, + { + "required": [ + "dependsOn" + ] + }, + { + "required": [ + "generalizes" + ] + }, + { + "required": [ + "realizes" + ] + }, + { + "required": [ + "serves" + ] + }, + { + "required": [ + "custom" + ] + } + ], + "properties": { + "ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to the subject element of the relationship." + }, + "aggregates": { + "$ref": "#/$defs/relationshipTargets", + "title": "Aggregates", + "description": "The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole." + }, + "associates": { + "$ref": "#/$defs/relationshipTargets", + "title": "Associates", + "description": "The subject has a general association with each target." + }, + "composes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Composes", + "description": "The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole." + }, + "contains": { + "$ref": "#/$defs/relationshipTargets", + "title": "Contains", + "description": "The subject contains or nests each target." + }, + "dependsOn": { + "$ref": "#/$defs/relationshipTargets", + "title": "Depends On", + "description": "The subject depends on each target." 
+ }, + "generalizes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Generalizes", + "description": "The subject is a generalisation of each target, as in inheritance." + }, + "realizes": { + "$ref": "#/$defs/relationshipTargets", + "title": "Realizes", + "description": "The subject realises or implements each target." + }, + "serves": { + "$ref": "#/$defs/relationshipTargets", + "title": "Serves", + "description": "The subject provides a service to each target." + }, + "custom": { + "type": "array", + "title": "Custom Relationships", + "description": "Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Custom Relationship", + "additionalProperties": false, + "required": [ + "type", + "targets" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "minLength": 1, + "description": "The name of the custom relationship kind." + }, + "targets": { + "$ref": "#/$defs/relationshipTargets", + "title": "Targets", + "description": "The targets of the custom relationship." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom relationship kind." + } + } + } + } + } + }, + "relationshipTargets": { + "type": "array", + "title": "Relationship Targets", + "description": "References using bom-link or bom-ref to the target elements of a relationship.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, "flow": { "type": "object", "title": "Flow", From d262ad89453c18e3d678a06bc84817adf9192b5b Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 02:29:55 -0500 Subject: [PATCH 35/44] Added data relationships and a few minor other things 
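Review bot: Nothing in the `relationship` definition prevents a subject from listing itself as a target, and the whole-part kinds (`composes`, `contains`, `aggregates`) can form cycles across several relationship entries, which a consumer that walks containment recursively must guard against. JSON Schema cannot express either constraint, so the `relationship` description should state them, for example by appending `The subject must not appear among its own targets, and consumers traversing whole-part relationships should detect cycles.` The descriptions also mix British and American spelling ('generalisation', 'realises') while the property names are `generalizes` and `realizes`; settling on one convention for the file avoids confusion in generated documentation.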
Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-data-2.0.schema.json | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json index a783800cf..cb4ee9b29 100644 --- a/schema/2.0/model/cyclonedx-data-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json @@ -365,6 +365,15 @@ "$ref": "#/$defs/dataAttribute" } }, + "relationships": { + "type": "array", + "title": "Relationships", + "description": "Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataRelationship" + } + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } @@ -379,6 +388,10 @@ ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this attribute, enabling it to be referenced as a key target." + }, "name": { "type": "string", "title": "Name", 
@@ -411,6 +424,94 @@ "title": "Sensitive", "description": "Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls." }, + "key": { + "type": "string", + "title": "Key", + "enum": [ + "primary", + "foreign", + "unique" + ], + "meta:enum": { + "primary": "The attribute is part of the primary key that uniquely identifies the data object.", + "foreign": "The attribute is a foreign key referencing another data object.", + "unique": "The attribute carries a uniqueness constraint." + }, + "description": "The key role of the attribute within the data object." + }, + "references": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "References", + "description": "For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataRelationship": { + "type": "object", + "title": "Data Relationship", + "description": "A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.", + "additionalProperties": false, + "required": [ + "target", + "cardinality" + ], + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the relationship, such as the role or verb that describes it." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the relationship." + }, + "target": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Target", + "description": "Reference using bom-link or bom-ref to the related data object." 
+ }, + "cardinality": { + "type": "string", + "title": "Cardinality", + "enum": [ + "one-to-one", + "one-to-many", + "many-to-one", + "many-to-many" + ], + "meta:enum": { + "one-to-one": "Each record of the source relates to at most one record of the target, and the reverse.", + "one-to-many": "Each record of the source relates to many records of the target.", + "many-to-one": "Many records of the source relate to one record of the target.", + "many-to-many": "Many records of the source relate to many records of the target." + }, + "description": "The cardinality of the relationship." + }, + "sourceAttributes": { + "type": "array", + "title": "Source Attributes", + "description": "References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, + "targetAttributes": { + "type": "array", + "title": "Target Attributes", + "description": "References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + } + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } From 43e84554775f7d7df581287ba313bcef3fec0700 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 21:06:04 -0500 Subject: [PATCH 36/44] Added session management and a few other minor changes Signed-off-by: Steve Springett --- .../model/cyclonedx-blueprint-2.0.schema.json | 71 ++++++++++++++++++- 1 file changed, 68 insertions(+), 3 deletions(-) diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index 3b9def2b4..0f84730be 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json 
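Review bot: The new `key` property is a single enum value, so an attribute that is both part of the primary key and a foreign key, the usual shape of a junction table, or one that is both primary and unique, cannot be described; making `key` an array of these roles with `uniqueItems`, or adding a separate boolean for the uniqueness constraint, would cover those cases. The `references` description says it is for a foreign key, but the schema does not tie it to `key: foreign`; with the current enum an `if`/`then` such as `"if": { "required": [ "references" ] }, "then": { "properties": { "key": { "const": "foreign" } }, "required": [ "key" ] }` on the attribute object would enforce it. In `dataRelationship`, `sourceAttributes` and `targetAttributes` are parallel arrays; if the pairing is positional the descriptions should say so, otherwise a single array of source/target pairs is less error-prone. The attribute object's header lies before this hunk.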
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -1176,6 +1176,9 @@ "crossingRequirements": { "$ref": "#/$defs/crossingRequirements" }, + "sessionManagement": { + "$ref": "#/$defs/sessionManagement" + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } @@ -1184,7 +1187,7 @@ "crossingRequirements": { "type": "object", "title": "Crossing Requirements", - "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", + "description": "The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.", "additionalProperties": false, "properties": { "authentication": { 
@@ -1241,6 +1244,63 @@ } } }, + "sessionManagement": { + "type": "object", + "title": "Session Management", + "description": "The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.", + "additionalProperties": false, + "properties": { + "accessTokenExpires": { + "type": "boolean", + "title": "Access Token Expires", + "description": "Whether access tokens issued for this boundary expire." + }, + "accessTokenTtl": { + "type": "integer", + "title": "Access Token Time To Live", + "minimum": 0, + "description": "Validity period of an access token, in seconds." + }, + "refreshToken": { + "type": "boolean", + "title": "Refresh Token", + "description": "Whether refresh tokens are issued for this boundary." + }, + "refreshTokenExpires": { + "type": "boolean", + "title": "Refresh Token Expires", + "description": "Whether refresh tokens expire." + }, + "refreshTokenTtl": { + "type": "integer", + "title": "Refresh Token Time To Live", + "minimum": 0, + "description": "Validity period of a refresh token, in seconds." + }, + "idleTimeout": { + "type": "integer", + "title": "Idle Timeout", + "minimum": 0, + "description": "Period of inactivity after which the session ends, in seconds." + }, + "absoluteTimeout": { + "type": "integer", + "title": "Absolute Timeout", + "minimum": 0, + "description": "Period after session creation after which the session ends regardless of activity, in seconds." + }, + "userLogout": { + "type": "boolean", + "title": "User Logout", + "description": "Whether a user can explicitly end the session." + }, + "systemLogout": { + "type": "boolean", + "title": "System Logout", + "description": "Whether the system can end the session without user action." + } + } + }, "relationship": { "type": "object", "title": "Relationship", 
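Review bot: `sessionManagement` lets `accessTokenExpires: false` sit next to an `accessTokenTtl`, and likewise `refreshToken: false` next to `refreshTokenExpires` or `refreshTokenTtl`, so a document can describe a session that both never expires and expires after n seconds. If the file is on draft 2020-12, a `dependentSchemas` entry such as `"dependentSchemas": { "accessTokenTtl": { "properties": { "accessTokenExpires": { "const": true } } } }`, repeated for the refresh token fields, keeps the flags and the TTLs consistent. The `minimum: 0` on every TTL and timeout also admits `0`, which reads either as 'immediately' or as 'no limit'; `"minimum": 1`, or a sentence in each description defining what zero means, removes that ambiguity, which matters because these are the values an assessor compares against a session policy.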
@@ -1486,6 +1546,11 @@ "title": "Synchronous", "description": "Whether the flow is synchronous or asynchronous." }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the data carried by this flow is encrypted in transit." + }, "volume": { "type": "string", "title": "Volume", @@ -1952,7 +2017,7 @@ "radius", "saml", "scram", - "session", + "session-cookie", "ssh", "totp" ], @@ -1983,7 +2048,7 @@ "radius": "RADIUS authentication.", "saml": "SAML authentication.", "scram": "Salted Challenge Response Authentication Mechanism.", - "session": "Session authentication, typically using a server-side session and cookie.", + "session-cookie": "Session authentication using a server-side session identified by a cookie.", "ssh": "SSH key authentication.", "totp": "Time-based one-time password authentication." } From 67358768b82b65a16cd8b938cf810af905c61ffd Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 21:06:26 -0500 Subject: [PATCH 37/44] Added qualitative-matrix Signed-off-by: Steve Springett --- schema/2.0/model/cyclonedx-risk-2.0.schema.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index f3d47965b..f57b26a8d 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -891,7 +891,8 @@ "fmea", "nist-sp-800-30", "octave", - "owasp-risk-rating" + "owasp-risk-rating", + "qualitative-matrix" ], "meta:enum": { "dread": "[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.", 
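Review bot: Renaming the authentication enum value `session` to `session-cookie` in the last two hunks of this commit is a breaking change for any document already using `session`, and no migration note or deprecated alias accompanies it; that may be acceptable while the schema is pre-release, but it should be stated in the commit message. The new `encrypted` boolean on flow also says only that data is encrypted in transit, which is too little for an assessor to check against a policy; the description should at least point to where the mechanism is recorded, presumably the flow's protocol or the boundary's crossing requirements, both defined outside this hunk.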
@@ -899,7 +900,8 @@ "fmea": "[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.", "nist-sp-800-30": "[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.", "octave": "[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.", - "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9." + "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.", + "qualitative-matrix": "A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25." } }, { From f0114234258c3ee0f82a7f6a170653084b22bd08 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jun 2026 21:06:55 -0500 Subject: [PATCH 38/44] Added threat origin Signed-off-by: Steve Springett --- .../model/cyclonedx-threat-2.0.schema.json | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index 694e8c402..eac2b252a 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json 
@@ -162,6 +162,49 @@ "title": "Source", "description": "The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity." }, + "origin": { + "title": "Origin", + "description": "The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Use the custom option for an origin not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Origin", + "enum": [ + "adversarial", + "accidental", + "structural", + "environmental" + ], + "meta:enum": { + "adversarial": "An adversary acting with intent, such as an individual, group, organization, or nation state.", + "accidental": "An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.", + "structural": "A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.", + "environmental": "A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage." + } + }, + { + "type": "object", + "title": "Custom Origin", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom origin." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom origin." + } + } + } + ] + }, "categories": { "type": "array", "title": "Categories", From 6ec41a6fb75176d7442c6f024b285122cc9a8bcd Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 11 Jun 2026 12:27:32 -0500 Subject: [PATCH 39/44] Added control as first-class citizen and expanded use of controls to related areas in the spec. 
Signed-off-by: Steve Springett --- schema/2.0/cyclonedx-2.0.schema.json | 3 + .../model/cyclonedx-control-2.0.schema.json | 229 ++++++++++++++++++ .../cyclonedx-declaration-2.0.schema.json | 6 +- .../2.0/model/cyclonedx-risk-2.0.schema.json | 96 +------- .../model/cyclonedx-threat-2.0.schema.json | 4 +- .../cyclonedx-vulnerability-2.0.schema.json | 12 +- 6 files changed, 252 insertions(+), 98 deletions(-) create mode 100644 schema/2.0/model/cyclonedx-control-2.0.schema.json diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json index 806d82581..b3c1fbb18 100644 --- a/schema/2.0/cyclonedx-2.0.schema.json +++ b/schema/2.0/cyclonedx-2.0.schema.json @@ -70,6 +70,9 @@ "risks": { "$ref": "model/cyclonedx-risk-2.0.schema.json#/$defs/risks" }, + "controls": { + "$ref": "model/cyclonedx-control-2.0.schema.json#/$defs/controls" + }, "annotations": { "$ref": "model/cyclonedx-annotation-2.0.schema.json#/$defs/annotations" }, diff --git a/schema/2.0/model/cyclonedx-control-2.0.schema.json b/schema/2.0/model/cyclonedx-control-2.0.schema.json new file mode 100644 index 000000000..0411f39b4 --- /dev/null +++ b/schema/2.0/model/cyclonedx-control-2.0.schema.json 
@@ -0,0 +1,229 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-control-2.0.schema.json", + "type": "null", + "title": "CycloneDX Control Model", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "controls": { + "type": "array", + "title": "Controls", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/control" + }, + "description": "The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses." + }, + "control": { + "type": "object", + "title": "Control", + "description": "A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.", + "required": [ + "bom-ref", + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the control." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the control." + }, + "category": { + "title": "Category", + "description": "The category of the control. 
Use the custom option for a category specific to an organization's taxonomy.", + "oneOf": [ + { + "title": "Predefined Control Category", + "type": "string", + "enum": [ + "preventive", + "detective", + "corrective", + "compensating", + "deterrent", + "recovery" + ], + "meta:enum": { + "preventive": "Prevents an unwanted event from occurring.", + "detective": "Identifies and records that an unwanted event has occurred or is occurring.", + "corrective": "Remedies the condition that allowed an unwanted event.", + "compensating": "Provides an alternative safeguard where a primary control is not feasible.", + "deterrent": "Discourages an actor from attempting an unwanted action.", + "recovery": "Restores operations after an unwanted event." + } + }, + { + "title": "Custom Control Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom category." + } + } + } + ] + }, + "status": { + "title": "Status", + "description": "The implementation status of the control.", + "$ref": "#/$defs/implementationStatus" + }, + "appliesTo": { + "type": "array", + "title": "Applies To", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. A control without this property applies to the organization or system as a whole." 
+ }, + "implementedBy": { + "type": "array", + "title": "Implemented By", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control." + }, + "satisfies": { + "type": "array", + "title": "Satisfies", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards." + }, + "effectiveness": { + "title": "Effectiveness", + "description": "The assessed effectiveness of the control.", + "$ref": "#/$defs/effectiveness" + }, + "owner": { + "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice", + "description": "The party accountable for the control. May be an inline party object or a reference to a previously declared party." + }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "implementationStatus": { + "title": "Implementation Status", + "description": "The implementation status of a control or response. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Implementation Status", + "type": "string", + "enum": [ + "recommended", + "proposed", + "approved", + "rejected", + "planned", + "in-progress", + "implemented", + "verified", + "decommissioned" + ], + "meta:enum": { + "recommended": "Suggested by a producer, standard, or assessor. 
Not yet entered into the adopting organization's decision process.", + "proposed": "Entered into the adopting organization's decision process but not yet approved.", + "approved": "Approved for implementation.", + "rejected": "Considered and declined, with no intent to implement.", + "planned": "Implementation is planned.", + "in-progress": "Implementation is in progress.", + "implemented": "Implemented and in effect.", + "verified": "Implemented and verified as effective.", + "decommissioned": "Removed from service." + } + }, + { + "title": "Custom Implementation Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] + }, + "effectiveness": { + "type": "object", + "title": "Effectiveness", + "description": "The measured or assessed effectiveness of a control or response.", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Percentage", + "description": "Effectiveness as a decimal from 0 to 1." + }, + "rating": { + "type": "string", + "title": "Rating", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk.", + "marginal": "Slightly reduces risk.", + "adequate": "Adequately reduces risk.", + "good": "Significantly reduces risk.", + "excellent": "Nearly eliminates risk." + }, + "description": "Effectiveness as a qualitative rating." + } + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json index 5920ec6fb..c3c3c6b1e 100644 --- a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json 
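Review bot: `effectiveness.percentage` is titled 'Percentage' but constrained to 0 to 1, so an author who writes `85` gets a validation error and one who writes `0.85` must know the title is misleading; a title of 'Fraction' with `"description": "Effectiveness as a fraction from 0 to 1, for example 0.85 for 85 percent."` resolves this, and the fix applies to risk responses too since they reuse this object. The `control` object also records a `status` of `verified` and an `effectiveness` without any way to say who assessed it or when, which leaves the values unauditable as they age; an assessment date in RFC 3339 form and an assessor party reference alongside `effectiveness` would let consumers judge whether a verification is still current.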
+++ b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json @@ -105,7 +105,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" } } } @@ -158,7 +158,7 @@ "target": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + "description": "Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit." }, "predicate": { "type": "string", @@ -168,7 +168,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" } }, "reasoning": { diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index f57b26a8d..6d3ff67bb 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json 
@@ -975,74 +975,15 @@ "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to the controls, requirements, or components that implement this response." - }, - "function": { - "type": "string", - "title": "Function", - "description": "The control function this response performs, following a prevent, detect, respond, and recover model.", - "enum": [ - "prevent", - "detect", - "respond", - "recover" - ], - "meta:enum": { - "prevent": "Prevents the risk from occurring.", - "detect": "Detects when the risk occurs.", - "respond": "Responds to the risk when detected.", - "recover": "Recovers from the impact." - } + "description": "References using bom-link or bom-ref to the controls that implement this response." }, "status": { "title": "Status", - "description": "The implementation status of the response. Use the custom option for a status specific to an organization's process.", - "oneOf": [ - { - "title": "Predefined Response Status", - "type": "string", - "enum": [ - "proposed", - "approved", - "planned", - "in-progress", - "implemented", - "verified" - ], - "meta:enum": { - "proposed": "The response has been proposed.", - "approved": "The response has been approved.", - "planned": "Implementation is planned.", - "in-progress": "Implementation is in progress.", - "implemented": "The response has been implemented.", - "verified": "Effectiveness has been verified." - } - }, - { - "title": "Custom Response Status", - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "minLength": 1, - "title": "Name", - "description": "The name of the custom status." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom status." 
- } - } - } - ] + "description": "The implementation status of the response.", + "$ref": "cyclonedx-control-2.0.schema.json#/$defs/implementationStatus" }, "effectiveness": { - "$ref": "#/$defs/effectiveness" + "$ref": "cyclonedx-control-2.0.schema.json#/$defs/effectiveness" }, "cost": { "type": "string", @@ -1094,35 +1035,6 @@ } } }, - "effectiveness": { - "type": "object", - "additionalProperties": false, - "properties": { - "percentage": { - "type": "number", - "minimum": 0, - "maximum": 1, - "description": "Effectiveness as a decimal from 0 to 1." - }, - "rating": { - "type": "string", - "enum": [ - "ineffective", - "marginal", - "adequate", - "good", - "excellent" - ], - "meta:enum": { - "ineffective": "Does not meaningfully reduce risk.", - "marginal": "Slightly reduces risk.", - "adequate": "Adequately reduces risk.", - "good": "Significantly reduces risk.", - "excellent": "Nearly eliminates risk." - } - } - } - }, "assessment": { "type": "object", "required": [ diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index eac2b252a..612c6f106 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json @@ -8,7 +8,7 @@ "threats": { "type": "object", "title": "Threats", - "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, the trust boundaries they cross, and the security policies that govern the system.", + "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.", "additionalProperties": false, "properties": { "threats": { 
@@ -1293,7 +1293,7 @@ "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, - "description": "References using bom-link or bom-ref to the controls implemented at this boundary." + "description": "References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. Where the control and boundary are declared together, prefer the control's appliesTo property." }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" diff --git a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json index fc72dad9a..cd6ec75cc 100644 --- a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json @@ -211,6 +211,16 @@ "justification": { "$ref": "#/$defs/impactAnalysisJustification" }, + "mitigatingControls": { + "type": "array", + "title": "Mitigating Controls", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime." + }, "response": { "type": "array", "title": "Response", 
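Review bot: The new wording makes a boundary's `controls` and a control's `appliesTo` two ways to state the same relationship, without a rule for when they disagree, and a JSON Schema validator cannot check that they agree. Say which side is authoritative, e.g. append `Where both are present and disagree, the control's appliesTo takes precedence.`, or state that the two are additive, so tooling that renders or reasons over the threat model behaves consistently. The enclosing trust-boundary object starts outside the hunk.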
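Review bot: `mitigatingControls` is described as substantiating `protected_by_mitigating_control`, `protected_at_perimeter` and `protected_at_runtime`, but nothing requires it when one of those justifications is chosen, so a `not_affected` analysis that names no control still validates and a consumer gets no signal that the claim is unsubstantiated. If requiring it would break existing VEX producers, make the optionality explicit in the description, e.g. `Optional; when omitted, consumers should treat the justification as asserted but not substantiated.`; otherwise an `if`/`then` on `justification` that adds `mitigatingControls` to `required` would enforce it. `minItems: 1` is the right choice here, since an empty list would otherwise read as substantiation. The enclosing analysis object starts outside the hunk.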
@@ -432,7 +442,7 @@
 "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.",
 "protected_at_runtime": "Exploits are prevented at runtime.",
 "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.",
- "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."
+ "protected_by_mitigating_control": "Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. The controls may be referenced using the mitigatingControls property."
 }
 },
 "rating": {
From 72407e788b0091b2ec470b0b3aae520945ced4f2 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Tue, 16 Jun 2026 18:03:32 -0500
Subject: [PATCH 40/44] Added test cases, comment to schema, and corrected space issue with behavior schema.
Signed-off-by: Steve Springett --- schema/2.0/cyclonedx-2.0.schema.json | 3 + .../model/cyclonedx-behavior-2.0.schema.json | 2 +- .../invalid-behavior-flowstep-multi-2.0.json | 30 ++ .../invalid-blueprint-authentication-2.0.json | 26 ++ .../invalid-blueprint-authorization-2.0.json | 25 ++ ...valid-blueprint-relationship-type-2.0.json | 35 +++ ...id-blueprint-visualization-format-2.0.json | 26 ++ ...alid-blueprint-visualization-type-2.0.json | 24 ++ .../2.0/invalid-control-missing-name-2.0.json | 12 + .../invalid-control-status-unknown-2.0.json | 14 + .../2.0/invalid-data-cardinality-2.0.json | 34 +++ ...alid-risk-likelihood-legacy-level-2.0.json | 18 ++ ...id-risk-response-missing-strategy-2.0.json | 18 ++ ...tmodel-category-taxonomy-mismatch-2.0.json | 18 ++ ...nvalid-threatmodel-missing-bomref-2.0.json | 14 + ...lnerability-weakness-cwe-and-name-2.0.json | 17 ++ .../2.0/valid-behavior-process-2.0.json | 56 ++++ .../2.0/valid-behavior-statemachine-2.0.json | 88 ++++++ .../2.0/valid-blueprint-architecture-2.0.json | 270 ++++++++++++++++++ .../valid-blueprint-authentication-2.0.json | 56 ++++ .../2.0/valid-blueprint-behavioral-2.0.json | 137 +++++++++ .../2.0/valid-blueprint-conceptual-2.0.json | 150 ++++++++++ .../2.0/valid-blueprint-data-flow-2.0.json | 211 ++++++++++++++ .../2.0/valid-blueprint-deployment-2.0.json | 134 +++++++++ .../2.0/valid-blueprint-logical-2.0.json | 177 ++++++++++++ .../2.0/valid-blueprint-network-2.0.json | 154 ++++++++++ .../2.0/valid-blueprint-operational-2.0.json | 157 ++++++++++ .../2.0/valid-blueprint-physical-2.0.json | 140 +++++++++ .../2.0/valid-blueprint-process-2.0.json | 147 ++++++++++ .../valid-blueprint-visualization-2.0.json | 62 ++++ .../2.0/valid-control-cdxa-claim-2.0.json | 34 +++ .../resources/2.0/valid-control-full-2.0.json | 107 +++++++ .../2.0/valid-control-grc-standalone-2.0.json | 53 ++++ .../2.0/valid-control-minimal-2.0.json | 13 + .../2.0/valid-data-erd-relationships-2.0.json | 103 +++++++ 
.../resources/2.0/valid-risk-ai-bias-2.0.json | 100 +++++++ .../2.0/valid-threatmodel-simple-2.0.json | 221 ++++++++++++-- .../2.0/valid-vex-mitigating-control-2.0.json | 45 +++ 38 files changed, 2910 insertions(+), 21 deletions(-) create mode 100644 tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json create mode 100644 tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json create mode 100644 tools/src/test/resources/2.0/valid-behavior-process-2.0.json create mode 100644 tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json create mode 100644 tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json create mode 100644 tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json create mode 100644 tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json create mode 100644 
tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-network-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-process-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-control-full-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-control-minimal-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json
create mode 100644 tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
index b3c1fbb18..3fa36c668 100644
--- a/schema/2.0/cyclonedx-2.0.schema.json
+++ b/schema/2.0/cyclonedx-2.0.schema.json
@@ -13,6 +13,9 @@
 "$schema": {
 "type": "string"
 },
+ "$comment": {
+ "type": "string"
+ },
 "specFormat": {
 "type": "string",
 "title": "Specification Format",
diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
index 74caf6df1..efd084bfb 100644
--- a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json
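Review bot: The new root `$comment` property has no `title` or `description`, unlike its sibling `specFormat` three lines below, so generated documentation will not say what it is for or that it carries no normative meaning; the fixtures added in this same commit use it for multi-sentence narrative, which a reader could mistake for asserted content. Suggest `"$comment": { "type": "string", "title": "Comment", "description": "Free-form commentary about the document. It carries no normative meaning and is not interpreted by tooling." }`. `$comment` is also a JSON Schema keyword, so the instance property name may confuse schema-aware editors; that is a naming choice to confirm rather than a defect.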
@@ -3,7 +3,7 @@ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json", "type": "null", "title": "CycloneDX Behavior Model", - "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { "behaviors": { "type": "object", diff --git a/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json b/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json new file mode 100644 index 000000000..d43fc4107 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-behavior-flowstep-multi-2.0.json @@ -0,0 +1,30 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0004-4abc-8def-1122334455dd", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-bad-node", + "name": "Activity node with two mutually exclusive sources", + "modelTypes": [ + "process" + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "g-bad", + "nodes": [ + { + "bom-ref": "n-bad", + "kind": "activity", + "behavior": "data:ingestion:receivesRequest", + "graph": "g-other" + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json new file mode 100644 index 000000000..1bb797091 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-blueprint-authentication-2.0.json 
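Review bot: The fixture is meant to fail because node `n-bad` carries both `behavior` and `graph`, but `graph` also points at `g-other`, which is not declared anywhere in the document, so a second defect is present and the test would pass for the wrong reason if referential checks are ever added to the validator. Point `graph` at a graph that exists (for example reuse `g-bad`) so the mutual exclusion is the only violation. The fixture also omits `$schema` while the `invalid-control-*` fixtures in this commit include it; pick one convention for the test resources.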
@@ -0,0 +1,26 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:1a2b3c4d-5e6f-4079-8190-2b3c4d5e6f70", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-legacy-auth", + "name": "Legacy authentication values", + "modelTypes": [ + "data-flow" + ], + "assets": [ + { + "bom-ref": "asset-legacy", + "type": "service", + "name": "Legacy service", + "authentication": [ + "mfa", + "mTLS" + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json new file mode 100644 index 000000000..eb8e00d51 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-blueprint-authorization-2.0.json @@ -0,0 +1,25 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:5e4d3c2b-1a09-4f8e-9d7c-6b5a4c3d2e1f", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-legacy-authz", + "name": "Removed authorization model", + "modelTypes": [ + "data-flow" + ], + "assets": [ + { + "bom-ref": "asset-legacy-authz", + "type": "service", + "name": "Legacy service", + "authorization": [ + "cbac" + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json new file mode 100644 index 000000000..05a01a8b9 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-blueprint-relationship-type-2.0.json 
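Review bot: This fixture is rejected on two unrelated grounds: `mfa` is not an enum value at all, while `mTLS` is a case variant of the valid `mtls` used in the valid authentication fixture. A negative test should fail for exactly one reason so the assertion pins the rule under test; split it into one fixture with `"authentication": ["mfa"]` and one with `"authentication": ["mTLS"]`, or keep a single value. As written, accidentally making enum matching case-insensitive would still be masked by `mfa`.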
@@ -0,0 +1,35 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0006-4abc-8def-1122334455ff", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-bad-relationship", + "name": "Relationship with unknown type", + "modelTypes": [ + "architecture" + ], + "assets": [ + { + "bom-ref": "asset-a", + "type": "service", + "name": "Service A" + }, + { + "bom-ref": "asset-b", + "type": "service", + "name": "Service B" + } + ], + "relationships": [ + { + "ref": "asset-a", + "uses": [ + "asset-b" + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json new file mode 100644 index 000000000..e2e6d0420 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-blueprint-visualization-format-2.0.json @@ -0,0 +1,26 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:9f8e7d6c-5b4a-4039-8271-1a2b3c4d5e6f", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-legacy", + "name": "Legacy visualization shape", + "modelTypes": [ + "data-flow" + ], + "visualizations": [ + { + "bom-ref": "viz-legacy", + "name": "Old shape using removed properties", + "type": { + "type": "data-flow" + }, + "format": "mermaid", + "content": "flowchart LR; a-->b" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json b/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json new file mode 100644 index 000000000..eb6eff09e --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-blueprint-visualization-type-2.0.json 
@@ -0,0 +1,24 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:4d3c2b1a-6e5f-4a09-9b8c-7d6e5f4a3b2c", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-renamed", + "name": "Renamed visualization type", + "modelTypes": [ + "behavioral" + ], + "visualizations": [ + { + "bom-ref": "viz-collaboration", + "name": "Uses the renamed-away collaboration type", + "type": { + "type": "collaboration" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json b/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json new file mode 100644 index 000000000..87a7a8055 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-control-missing-name-2.0.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:5e2c8a4d-1b9f-4c3e-a7d0-6f4b2e9c8a15", + "version": 1, + "controls": [ + { + "bom-ref": "control-unnamed" + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json b/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json new file mode 100644 index 000000000..4c21016d4 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-control-status-unknown-2.0.json @@ -0,0 +1,14 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:3a7f1c5e-8d4b-4e2a-9b0c-7e5d3f1a6c92", + "version": 1, + "controls": [ + { + "bom-ref": "control-bad-status", + "name": "Control with an unknown status", + "status": "active" + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json b/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json new file mode 100644 index 000000000..43b33b783 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-data-cardinality-2.0.json 
@@ -0,0 +1,34 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0005-4abc-8def-1122334455ee", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-bad-cardinality", + "name": "Data relationship with invalid cardinality", + "modelTypes": [ + "logical" + ], + "dataSets": [ + { + "bom-ref": "ds-bad", + "name": "Bad data set", + "description": "Exercises an invalid cardinality value.", + "dataObjects": [ + { + "bom-ref": "do-a", + "name": "A", + "relationships": [ + { + "target": "do-b", + "cardinality": "1:N" + } + ] + } + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json b/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json new file mode 100644 index 000000000..49b0da198 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-risk-likelihood-legacy-level-2.0.json @@ -0,0 +1,18 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:5f9b1d2c-6a3e-44b7-9c2a-0d8e7f6a1b23", + "version": 1, + "risks": { + "risks": [ + { + "bom-ref": "risk-y", + "name": "Legacy likelihood level", + "statement": "Uses a retired camelCase likelihood level value that should no longer validate.", + "inherentRisk": { + "likelihood": { "level": "veryHigh" } + } + } + ] + } +} diff --git a/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json b/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json new file mode 100644 index 000000000..ce9bad4cf --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-risk-response-missing-strategy-2.0.json 
@@ -0,0 +1,18 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:1b4e28ba-2fa1-11d2-883f-0016d3cca427",
+ "version": 1,
+ "risks": {
+ "risks": [
+ {
+ "bom-ref": "risk-x",
+ "name": "Response missing strategy",
+ "statement": "A risk whose response omits the required strategy.",
+ "responses": [
+ { "bom-ref": "resp-x", "function": "prevent" }
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json b/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json
new file mode 100644
index 000000000..a8d19ff51
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-threatmodel-category-taxonomy-mismatch-2.0.json
@@ -0,0 +1,18 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "threats": {
+ "threats": [
+ {
+ "bom-ref": "threat-bad-category",
+ "name": "STRIDE methodology paired with a LINDDUN category value",
+ "categories": [
+ {
+ "taxonomy": "STRIDE",
+ "category": "linkability"
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json b/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json
new file mode 100644
index 000000000..49e07bb83
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-threatmodel-missing-bomref-2.0.json
@@ -0,0 +1,14 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "threats": {
+ "scenarios": [
+ {
+ "name": "Scenario missing its required bom-ref",
+ "threats": [
+ "threat-1"
+ ]
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json b/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json
new file mode 100644
index 000000000..b003de717
--- /dev/null
+++ b/tools/src/test/resources/2.0/invalid-vulnerability-weakness-cwe-and-name-2.0.json
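Review bot: The response in this fixture still carries `"function": "prevent"`, a property the earlier patch in this series removes from the risk response object, so the document may be rejected for the unknown property rather than for the missing `strategy`, and the test would not prove the rule its name claims. Reduce the response to `{ "bom-ref": "resp-x" }` so the absent `strategy` is the only violation. If `function` has been reintroduced on responses somewhere else in the series, that is not visible from here and the fixture should then say which property it relies on.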
@@ -0,0 +1,17 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "vulnerabilities": [ + { + "bom-ref": "vuln-1", + "id": "CVE-2000-0000", + "weaknesses": [ + { + "bom-ref": "wk-bad", + "cweId": 502, + "name": "Deserialization of Untrusted Data" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-behavior-process-2.0.json b/tools/src/test/resources/2.0/valid-behavior-process-2.0.json new file mode 100644 index 000000000..e652fd6ff --- /dev/null +++ b/tools/src/test/resources/2.0/valid-behavior-process-2.0.json @@ -0,0 +1,56 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0002-4abc-8def-1122334455bb", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-request-pipeline", + "name": "API request handling pipeline", + "modelTypes": [ + "process" + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "pg-request", + "name": "Request handling pipeline", + "kind": "activity", + "ordering": "sequential", + "trigger": "api-call", + "nodes": [ + { + "bom-ref": "n-receive", + "kind": "activity", + "ordinal": 1, + "behavior": "data:ingestion:receivesRequest", + "name": "Receive request" + }, + { + "bom-ref": "n-authenticate", + "kind": "activity", + "ordinal": 2, + "behavior": "security:authentication:authenticatesUser", + "name": "Authenticate caller" + }, + { + "bom-ref": "n-backend", + "kind": "activity", + "ordinal": 3, + "behavior": "network:connection:establishesConnection", + "name": "Call backend service" + }, + { + "bom-ref": "n-log", + "kind": "activity", + "ordinal": 4, + "behavior": "security:auditing:logsEvent", + "name": "Log the transaction" + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json b/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json new file mode 100644 index 000000000..3d70f1b7e --- /dev/null +++ b/tools/src/test/resources/2.0/valid-behavior-statemachine-2.0.json 
@@ -0,0 +1,88 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0001-4abc-8def-1122334455aa", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-connection-behavioral", + "name": "Client connection lifecycle", + "modelTypes": [ + "behavioral" + ], + "assets": [ + { + "bom-ref": "asset-client", + "type": "service", + "name": "Client application" + } + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "sm-connection", + "name": "Connection lifecycle", + "kind": "state-machine", + "subject": "asset-client", + "nodes": [ + { + "bom-ref": "s-idle", + "kind": "initial" + }, + { + "bom-ref": "s-connecting", + "kind": "state", + "name": "Connecting" + }, + { + "bom-ref": "s-connected", + "kind": "state", + "name": "Connected" + }, + { + "bom-ref": "s-closed", + "kind": "final", + "name": "Closed" + } + ], + "transitions": [ + { + "bom-ref": "t-open", + "source": "s-idle", + "target": "s-connecting", + "trigger": "user-initiated" + }, + { + "bom-ref": "t-established", + "source": "s-connecting", + "target": "s-connected", + "trigger": "event-driven", + "guard": "handshake.complete == true" + }, + { + "bom-ref": "t-failed", + "source": "s-connecting", + "target": "s-idle", + "trigger": "event-driven", + "guard": "handshake.complete == false" + }, + { + "bom-ref": "t-reconnect", + "source": "s-connected", + "target": "s-connecting", + "trigger": "signal", + "guard": "heartbeat.lost == true" + }, + { + "bom-ref": "t-close", + "source": "s-connected", + "target": "s-closed", + "trigger": "user-initiated" + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json new file mode 100644 index 000000000..30bc6ae71 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-architecture-2.0.json 
@@ -0,0 +1,270 @@ +{ + "$comment": "Model type: architecture. This example models the architecture of a fictional online retail platform. It is represented as a blueprint whose assets are the major services (storefront, gateway, catalogue, order, payment) and data stores, grouped into logical zones for the presentation, application, and data tiers. Static structure is expressed with typed relationships (serves, depends-on), runtime exchanges with flows that carry protocols and authentication, and each service exposes typed interfaces. Ownership, scope, a requirement reference, and a compliance assumption complete the view.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a1", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-architecture", + "name": "Acme online retail platform architecture", + "description": "Architecture view of the Acme storefront, showing the major services, their interfaces, and the relationships and exchanges between them across the presentation, application, and data tiers.", + "modelTypes": [ + "architecture" + ], + "metadata": { + "timestamp": "2026-06-05T12:00:00Z", + "authors": [ + { + "roles": [ + { + "role": "author" + } + ], + "person": { + "name": "Dana Lee", + "jobTitle": "Principal Architect" + } + } + ] + }, + "scope": { + "name": "Storefront and checkout", + "description": "Customer-facing browsing and checkout, excluding back-office fulfilment.", + "includedComponents": [ + "asset-storefront", + "asset-order" + ] + }, + "zones": [ + { + "bom-ref": "zone-presentation", + "name": "Presentation tier", + "type": "logical", + "characteristics": [ + "public-facing" + ] + }, + { + "bom-ref": "zone-application", + "name": "Application tier", + "type": "logical" + }, + { + "bom-ref": "zone-data", + "name": "Data tier", + "type": "data", + "constraints": [ + "No direct ingress from the presentation tier" + ] + } + ], + "assets": [ + { + "bom-ref": "asset-storefront", 
+ "type": "service", + "name": "Storefront web application", + "description": "Renders the catalogue and shopping cart for customers.", + "zone": "zone-presentation", + "classification": { + "criticality": "high" + }, + "tags": [ + "customer-facing" + ], + "responsibilities": [ + "Render product pages", + "Manage the shopping cart" + ], + "interfaces": [ + { + "name": "Storefront API", + "type": "rest", + "operations": [ + "browseCatalogue", + "addToCart" + ] + } + ], + "ownership": [ + { + "roles": [ + { + "role": "owner" + } + ], + "organization": { + "name": "Acme Storefront Team" + } + } + ] + }, + { + "bom-ref": "asset-gateway", + "type": "gateway", + "name": "API gateway", + "zone": "zone-application", + "interfaces": [ + { + "name": "Edge API", + "type": "rest" + } + ] + }, + { + "bom-ref": "asset-catalog", + "type": "service", + "name": "Catalogue service", + "zone": "zone-application", + "interfaces": [ + { + "name": "Catalogue gRPC", + "type": "grpc", + "operations": [ + "GetProduct", + "ListProducts" + ] + } + ] + }, + { + "bom-ref": "asset-order", + "type": "service", + "name": "Order service", + "zone": "zone-application", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-payment", + "type": "service", + "name": "Payment service", + "zone": "zone-application", + "classification": { + "criticality": "critical" + }, + "interfaces": [ + { + "name": "Payment API", + "type": "rest", + "authentication": [ + "mtls" + ] + } + ] + }, + { + "bom-ref": "asset-catalog-db", + "type": "data-store", + "name": "Catalogue database", + "zone": "zone-data" + }, + { + "bom-ref": "asset-order-db", + "type": "data-store", + "name": "Order database", + "zone": "zone-data", + "classification": { + "criticality": "critical" + } + } + ], + "relationships": [ + { + "ref": "asset-gateway", + "serves": [ + "asset-catalog", + "asset-order" + ] + }, + { + "ref": "asset-order", + "dependsOn": [ + "asset-payment", + "asset-order-db" + ] + }, + { + 
"ref": "asset-storefront", + "dependsOn": [ + "asset-gateway" + ] + }, + { + "ref": "asset-catalog", + "dependsOn": [ + "asset-catalog-db" + ] + } + ], + "flows": [ + { + "bom-ref": "flow-browse", + "name": "Browse catalogue", + "type": "data", + "source": "asset-storefront", + "destination": "asset-gateway", + "synchronous": true, + "protocols": [ + "https" + ] + }, + { + "bom-ref": "flow-order", + "name": "Place order", + "type": "data", + "source": "asset-gateway", + "destination": "asset-order", + "synchronous": true, + "protocols": [ + "https" + ] + }, + { + "bom-ref": "flow-pay", + "name": "Authorize payment", + "type": "data", + "source": "asset-order", + "destination": "asset-payment", + "synchronous": true, + "protocols": [ + "https" + ], + "authentication": [ + "mtls" + ] + } + ], + "useCases": [ + { + "assets": [ + "asset-order", + "asset-payment" + ], + "requirements": [ + "req-checkout" + ] + } + ], + "assumptions": [ + { + "bom-ref": "asm-pci", + "description": "The payment service is operated within a PCI DSS compliant environment.", + "topic": "compliance", + "validity": "verified" + } + ] + } + ], + "definitions": { + "requirements": [ + { + "bom-ref": "req-checkout", + "id": "REQ-CHK-001", + "name": "Checkout completes within three seconds", + "priority": "high" + } + ] + } +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json new file mode 100644 index 000000000..62a2c2fda --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-authentication-2.0.json 
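Review bot: In this reference example only `flow-pay` declares `authentication`; `flow-browse` (storefront to gateway) and `flow-order` (gateway to the `critical` order service) carry `https` with no authentication, so the model as written documents an unauthenticated path into a critical asset, and the data-zone constraint `No direct ingress from the presentation tier` is reflected nowhere in the flows. If that is not meant as guidance, add `"authentication": ["mtls"]` (or whatever the example assumes) to `flow-order`, or note in the file's `$comment` that authentication on internal flows is omitted for brevity. The example is otherwise self-consistent: every relationship and flow endpoint resolves to a declared asset.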
@@ -0,0 +1,56 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:7c6b5a4d-3e2f-4109-8a7b-6c5d4e3f2a1b", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-auth", + "name": "Authentication coverage model", + "modelTypes": [ + "data-flow" + ], + "assets": [ + { + "bom-ref": "asset-gateway", + "type": "gateway", + "name": "API gateway", + "authentication": [ + "mtls", + "oauth2", + "session-cookie", + "totp", + "radius", + "scram", + "eap", + "psk", + "hmac", + "magic-link", + "biometric", + "form", + "pin", + "push", + { + "name": "proprietary-handshake", + "description": "Vendor-specific challenge response used by the legacy partner integration." + } + ] + }, + { + "bom-ref": "asset-webapp", + "type": "service", + "name": "Customer web application", + "authentication": [ + "form", + "session-cookie" + ], + "authorization": [ + "rbac", + "radac", + "capability" + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json new file mode 100644 index 000000000..8839431f6 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-behavioral-2.0.json 
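Review bot: This fixture has no `$comment` saying what it exercises, while every other valid-blueprint fixture in this commit opens with a "Model type: …" comment; a reader has to infer that the point is coverage of the authentication values plus the free-form object alternative on `asset-gateway` and the authorization values on `asset-webapp`. Suggest adding `"$comment": "Coverage fixture: lists the string authentication values together with the free-form object form on one asset, and the authorization values on another."` as the first property. A comment of that kind also tells a future maintainer that this file is meant to be kept in step with the enum when values are added.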
@@ -0,0 +1,137 @@ +{ + "$comment": "Model type: behavioral. This example models the payment lifecycle of a fictional point-of-sale terminal as a behavior graph of kind state-machine. The nodes are states, the transitions fire on triggers under guard conditions, and several states have more than one exit (authorizing leads to authorized or declined, authorized leads to captured or voided), which is the multi-exit shape a linear flow cannot express. Entry and transition effects reference behavior instances drawn from the taxonomy.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a9", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-behavioral", + "name": "Point-of-sale payment lifecycle", + "description": "How a terminal moves a payment from idle through authorization to capture, void, or decline.", + "modelTypes": [ + "behavioral" + ], + "assets": [ + { + "bom-ref": "asset-pos", + "type": "device", + "name": "Point-of-sale terminal" + }, + { + "bom-ref": "asset-acquirer", + "type": "service", + "name": "Acquirer gateway" + } + ], + "behaviors": { + "instances": [ + { + "bom-ref": "bi-auth", + "behavior": "security:authentication:authenticatesUser", + "trigger": "user-initiated", + "acknowledgment": [ + "declared" + ], + "actors": [ + "asset-pos" + ] + }, + { + "bom-ref": "bi-contact", + "behavior": "network:connection:establishesConnection", + "actors": [ + "asset-pos" + ], + "targets": [ + "asset-acquirer" + ] + }, + { + "bom-ref": "bi-log", + "behavior": "security:auditing:logsEvent", + "actors": [ + "asset-pos" + ] + } + ], + "graphs": [ + { + "bom-ref": "sm-payment", + "name": "Payment lifecycle", + "kind": "state-machine", + "subject": "asset-pos", + "nodes": [ + { + "bom-ref": "ps-idle", + "kind": "initial" + }, + { + "bom-ref": "ps-authorizing", + "kind": "state", + "name": "Authorizing", + "onEntry": "bi-contact" + }, + { + "bom-ref": "ps-authorized", + "kind": "state", + "name": 
"Authorized" + }, + { + "bom-ref": "ps-captured", + "kind": "final", + "name": "Captured" + }, + { + "bom-ref": "ps-voided", + "kind": "final", + "name": "Voided" + }, + { + "bom-ref": "ps-declined", + "kind": "final", + "name": "Declined" + } + ], + "transitions": [ + { + "bom-ref": "pt-start", + "source": "ps-idle", + "target": "ps-authorizing", + "trigger": "user-initiated", + "effect": "bi-auth" + }, + { + "bom-ref": "pt-approve", + "source": "ps-authorizing", + "target": "ps-authorized", + "trigger": "event-driven", + "guard": "acquirer.approved == true" + }, + { + "bom-ref": "pt-decline", + "source": "ps-authorizing", + "target": "ps-declined", + "trigger": "event-driven", + "guard": "acquirer.approved == false" + }, + { + "bom-ref": "pt-capture", + "source": "ps-authorized", + "target": "ps-captured", + "trigger": "event-driven", + "effect": "bi-log" + }, + { + "bom-ref": "pt-void", + "source": "ps-authorized", + "target": "ps-voided", + "trigger": "user-initiated" + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json new file mode 100644 index 000000000..8b105148a --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-conceptual-2.0.json 
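Review bot: Only the capture transition `pt-capture` carries the `bi-log` audit effect; `pt-decline` and `pt-void` leave the declined and voided outcomes unlogged, although those are the outcomes a fraud or incident review is most interested in. Adding `"effect": "bi-log"` to `pt-decline` and `pt-void` would make the example model complete audit coverage of the lifecycle without introducing a new instance. The `ps-authorizing` state also exits only on `acquirer.approved == true` and `== false`, so an acquirer timeout or error path is not modelled; that is acceptable for a fixture but worth a sentence in the `$comment` if it is deliberate.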
@@ -0,0 +1,150 @@ +{ + "$comment": "Model type: conceptual. This example is a technology-neutral conceptual model of a community library. It is represented as a blueprint with no implementation detail: the key business capabilities (Membership, Catalogue, Lending) are assets linked by typed relationships, and the core domain concepts (Member, Item, Branch, Loan) are data objects whose associations are expressed as data relationships with cardinality. There are deliberately no protocols, deployments, keys, or flows, which is what distinguishes a conceptual model from a logical or data-flow one.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a2", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-conceptual", + "name": "Community library conceptual model", + "description": "A technology-neutral conceptual model of a community library, capturing the key business concepts and how they relate, without any implementation detail such as databases, services, or protocols.", + "modelTypes": [ + "conceptual" + ], + "metadata": { + "timestamp": "2026-06-05T12:05:00Z", + "authors": [ + { + "roles": [ + { + "role": "author" + } + ], + "person": { + "name": "Sam Rivera" + } + } + ] + }, + "scope": { + "name": "Lending domain", + "description": "Concepts involved in lending physical items to members." + }, + "assets": [ + { + "bom-ref": "cap-membership", + "type": "subsystem", + "name": "Membership", + "description": "The capability concerned with enrolling and identifying members." + }, + { + "bom-ref": "cap-catalogue", + "type": "subsystem", + "name": "Catalogue", + "description": "The capability concerned with describing and locating items." + }, + { + "bom-ref": "cap-lending", + "type": "subsystem", + "name": "Lending", + "description": "The capability concerned with loans, due dates, and returns." 
+ } + ], + "relationships": [ + { + "ref": "cap-lending", + "dependsOn": [ + "cap-catalogue", + "cap-membership" + ] + } + ], + "dataSets": [ + { + "bom-ref": "ds-library-domain", + "name": "Library domain entities", + "description": "The conceptual entities of the lending domain and their associations.", + "dataObjects": [ + { + "bom-ref": "do-member", + "name": "Member", + "description": "A person enrolled to borrow items.", + "attributes": [ + { + "name": "memberName" + }, + { + "name": "membershipStatus" + } + ] + }, + { + "bom-ref": "do-item", + "name": "Item", + "description": "A borrowable item such as a book or recording.", + "attributes": [ + { + "name": "title" + }, + { + "name": "format" + } + ], + "relationships": [ + { + "name": "held at", + "target": "do-branch", + "cardinality": "many-to-many" + } + ] + }, + { + "bom-ref": "do-branch", + "name": "Branch", + "description": "A physical library location.", + "attributes": [ + { + "name": "branchName" + } + ] + }, + { + "bom-ref": "do-loan", + "name": "Loan", + "description": "The act of a member borrowing an item for a period.", + "attributes": [ + { + "name": "loanDate" + }, + { + "name": "dueDate" + } + ], + "relationships": [ + { + "name": "borrowed by", + "target": "do-member", + "cardinality": "many-to-one" + }, + { + "name": "for item", + "target": "do-item", + "cardinality": "many-to-one" + } + ] + } + ] + } + ], + "assumptions": [ + { + "bom-ref": "asm-one-branch", + "description": "An item belongs to exactly one branch at a time, though it may move between branches.", + "topic": "business", + "validity": "unverified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json new file mode 100644 index 000000000..3c82aae85 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-data-flow-2.0.json 
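Review bot: The `held at` relationship on `do-item` is declared `many-to-many` to `do-branch`, but the assumption `asm-one-branch` states that an item belongs to exactly one branch at a time, which is a many-to-one association. One of the two should change: either `"cardinality": "many-to-one"` on the relationship, or the assumption should say the model records every branch an item has ever been held at. As written the example's only assumption contradicts its data model.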
@@ -0,0 +1,211 @@ +{ + "$comment": "Model type: data-flow. This example models an online banking funds transfer as a data flow diagram, the substrate most commonly used for STRIDE per-element threat analysis. It is represented as a blueprint with an external customer actor, processing services, and data stores arranged across three trust zones (internet, DMZ, core) that are separated by trust boundaries. Flows carry named data objects, authentication, and protocols as they move between zones, so each flow that crosses a boundary is visible. Zones plus boundaries plus typed data flows are the core constructs of this model type. The internet-facing boundary separates its crossingRequirements, the controls applied at each crossing such as authentication and logging, from sessionManagement, the lifecycle of the authenticated session it establishes, which is scoped to the session rather than to any single crossing.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a4", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-data-flow", + "name": "Online banking funds transfer data flow", + "description": "How a customer's login and transfer request moves through the portal, authentication, and transfer services to the account store and audit log, across trust boundaries.", + "modelTypes": [ + "data-flow" + ], + "zones": [ + { + "bom-ref": "zone-internet", + "name": "Internet", + "type": "trust", + "characteristics": [ + "untrusted" + ] + }, + { + "bom-ref": "zone-dmz", + "name": "DMZ", + "type": "trust" + }, + { + "bom-ref": "zone-core", + "name": "Core banking", + "type": "trust", + "characteristics": [ + "highly trusted" + ] + } + ], + "boundaries": [ + { + "bom-ref": "bnd-internet-dmz", + "name": "Internet to DMZ", + "type": "trust", + "zones": [ + "zone-internet", + "zone-dmz" + ], + "crossingRequirements": { + "authentication": [ + "form", + "session-cookie" + ], + "authorization": [ + "rbac" + ], + 
"protocols": [ + "https" + ], + "logging": true, + "monitoring": true + }, + "sessionManagement": { + "accessTokenExpires": true, + "accessTokenTtl": 900, + "refreshToken": true, + "refreshTokenTtl": 86400, + "idleTimeout": 900, + "absoluteTimeout": 28800, + "userLogout": true, + "systemLogout": true + } + }, + { + "bom-ref": "bnd-dmz-core", + "name": "DMZ to core", + "type": "trust", + "zones": [ + "zone-dmz", + "zone-core" + ] + } + ], + "actors": [ + { + "bom-ref": "act-customer", + "party": { + "roles": [ + { + "role": "end-user" + } + ], + "persona": { + "archetype": "customer" + } + }, + "description": "A retail banking customer initiating a transfer.", + "zone": "zone-internet", + "permissions": [ + "initiate-transfer" + ] + } + ], + "assets": [ + { + "bom-ref": "asset-portal", + "type": "service", + "name": "Web portal", + "zone": "zone-dmz" + }, + { + "bom-ref": "asset-auth", + "type": "service", + "name": "Authentication service", + "zone": "zone-core" + }, + { + "bom-ref": "asset-transfer", + "type": "service", + "name": "Transfer service", + "zone": "zone-core", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-accounts", + "type": "data-store", + "name": "Account store", + "zone": "zone-core", + "classification": { + "criticality": "critical" + } + }, + { + "bom-ref": "asset-audit", + "type": "data-store", + "name": "Audit log", + "zone": "zone-core" + } + ], + "flows": [ + { + "bom-ref": "df-login", + "name": "Login and transfer request", + "type": "data", + "source": "act-customer", + "destination": "asset-portal", + "synchronous": true, + "protocols": [ + "https" + ], + "authentication": [ + "form", + "totp" + ], + "dataObjects": [ + { + "name": "credentials" + }, + { + "name": "transfer-instruction" + } + ] + }, + { + "bom-ref": "df-authenticate", + "name": "Authenticate session", + "type": "data", + "source": "asset-portal", + "destination": "asset-auth", + "synchronous": true, + "protocols": [ + "https" + ] + }, + 
{ + "bom-ref": "df-debit-credit", + "name": "Debit and credit accounts", + "type": "data", + "source": "asset-transfer", + "destination": "asset-accounts", + "synchronous": true, + "authorization": [ + "rbac" + ], + "dataObjects": [ + { + "name": "ledger-entry" + } + ] + }, + { + "bom-ref": "df-audit", + "name": "Write audit record", + "type": "data", + "source": "asset-transfer", + "destination": "asset-audit", + "synchronous": false, + "timing": "asynchronous" + } + ], + "assumptions": [ + { + "bom-ref": "asm-tls", + "description": "All flows that cross a trust boundary are protected with mutually authenticated TLS.", + "topic": "security", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json new file mode 100644 index 000000000..a0c9424d1 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-deployment-2.0.json 
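Review bot: The `bnd-dmz-core` boundary guarding the highly trusted core zone declares no `crossingRequirements`, and `df-authenticate` (portal to auth, which crosses it) lists only `https` with no `authentication`, so the assumption `asm-tls` that every boundary-crossing flow uses mutually authenticated TLS is not reflected anywhere a STRIDE per-element analysis would read. Suggest `"crossingRequirements": { "authentication": [ "mtls" ], "protocols": [ "https" ], "logging": true }` on `bnd-dmz-core`, mirroring the internet boundary. Separately, no flow carries the `transfer-instruction` from `asset-portal` to `asset-transfer` although the description says the request moves through the portal to the transfer service, so `df-debit-credit` originates at a service that nothing reaches.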
@@ -0,0 +1,134 @@ +{ + "$comment": "Model type: deployment. This example shows how a fictional SaaS checkout application is allocated to runtime and infrastructure. It is represented as a blueprint whose assets are deployment units (load balancer, container workloads, and a worker node) placed into a production deployment zone and an east geographic region. Artifact-on-node allocation and dependencies are expressed with typed relationships (contains, depends-on), the managed database and object store are data stores carrying an environment, and flows complete the topology.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a5", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-deployment", + "name": "Acme checkout deployment topology", + "description": "Production deployment of the checkout workloads onto a cluster node, fronted by a load balancer, with a managed database and object storage.", + "modelTypes": [ + "deployment" + ], + "zones": [ + { + "bom-ref": "zone-prod", + "name": "Production", + "type": "deployment" + }, + { + "bom-ref": "zone-region-east", + "name": "East region", + "type": "geographic" + } + ], + "assets": [ + { + "bom-ref": "asset-lb", + "type": "gateway", + "name": "Load balancer", + "zone": "zone-prod" + }, + { + "bom-ref": "asset-node", + "type": "infrastructure", + "name": "Cluster worker node", + "zone": "zone-prod", + "tags": [ + "kubernetes-node" + ] + }, + { + "bom-ref": "asset-checkout-pod", + "type": "container", + "name": "Checkout workload", + "zone": "zone-prod" + }, + { + "bom-ref": "asset-worker-pod", + "type": "container", + "name": "Async worker workload", + "zone": "zone-prod" + } + ], + "relationships": [ + { + "ref": "asset-node", + "contains": [ + "asset-checkout-pod", + "asset-worker-pod" + ] + }, + { + "ref": "asset-lb", + "serves": [ + "asset-checkout-pod" + ] + }, + { + "ref": "asset-checkout-pod", + "dependsOn": [ + "ds-postgres" + ] + }, + { + 
"ref": "asset-worker-pod", + "dependsOn": [ + "ds-object" + ] + } + ], + "dataStores": [ + { + "bom-ref": "ds-postgres", + "name": "Managed PostgreSQL", + "type": "relational", + "environment": "production", + "zone": "zone-prod", + "location": "east region" + }, + { + "bom-ref": "ds-object", + "name": "Object storage bucket", + "type": "object", + "environment": "production", + "zone": "zone-prod" + } + ], + "flows": [ + { + "bom-ref": "dflow-ingress", + "name": "Inbound HTTPS", + "type": "data", + "source": "asset-lb", + "destination": "asset-checkout-pod", + "protocols": [ + "https" + ], + "synchronous": true + }, + { + "bom-ref": "dflow-db", + "name": "Database queries", + "type": "data", + "source": "asset-checkout-pod", + "destination": "ds-postgres", + "protocols": [ + "tcp" + ], + "synchronous": true + } + ], + "assumptions": [ + { + "bom-ref": "asm-autoscale", + "description": "The node pool autoscales horizontally under load.", + "topic": "performance", + "validity": "unverified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json new file mode 100644 index 000000000..ae7f1a919 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-logical-2.0.json 
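Review bot: The geographic zone `zone-region-east` is declared but no asset or data store references it; `ds-postgres` instead carries the free-text `"location": "east region"`, so the `$comment`'s claim that units are placed in an east geographic region is not represented by a ref. If `zone` is single-valued, either drop the unused zone or point `location` at it, assuming `location` accepts a ref (I cannot tell from the fixture). Also `dflow-db` models database access as bare `"protocols": [ "tcp" ]` with no `authentication`; for a deployment example it would be worth showing how the workload authenticates to the managed database, as the `Payment API` interface and `flow-pay` in the first fixture of this chunk do with `mtls`.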
@@ -0,0 +1,177 @@ +{ + "$comment": "Model type: logical. This example is a logical data model of a fictional retail bank, independent of any specific database technology. It is represented as a blueprint whose data set holds the entities (Customer, Account, Transaction, Card) as data objects with attribute-level key roles (primary, foreign, unique) and foreign-key references, and whose inter-entity associations are data relationships with cardinality. Logical application components and their typed relationships show how the structure is realised. A logical zone groups the entities.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a3", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-logical", + "name": "Retail bank logical model", + "description": "Logical structure of customers, accounts, transactions, and cards, with the keys and relationships that define the data model independent of implementation.", + "modelTypes": [ + "logical" + ], + "metadata": { + "timestamp": "2026-06-05T12:10:00Z", + "authors": [ + { + "roles": [ + { + "role": "author" + } + ], + "person": { + "name": "Priya Nair" + } + } + ] + }, + "zones": [ + { + "bom-ref": "zone-logical-core", + "name": "Core banking", + "type": "logical" + } + ], + "assets": [ + { + "bom-ref": "comp-accounts", + "type": "component", + "name": "Account management component", + "zone": "zone-logical-core", + "responsibilities": [ + "Open and close accounts", + "Maintain balances" + ] + }, + { + "bom-ref": "comp-payments", + "type": "component", + "name": "Payments component", + "zone": "zone-logical-core" + } + ], + "relationships": [ + { + "ref": "comp-payments", + "dependsOn": [ + "comp-accounts" + ] + } + ], + "dataSets": [ + { + "bom-ref": "ds-bank", + "name": "Core banking entities", + "description": "The logical entities of the core banking domain with keys and relationships.", + "dataObjects": [ + { + "bom-ref": "do-customer", + "name": 
"Customer", + "attributes": [ + { + "bom-ref": "a-customer-id", + "name": "customer_id", + "key": "primary" + }, + { + "name": "email", + "key": "unique" + }, + { + "name": "full_name" + } + ] + }, + { + "bom-ref": "do-account", + "name": "Account", + "attributes": [ + { + "bom-ref": "a-account-id", + "name": "account_id", + "key": "primary" + }, + { + "bom-ref": "a-account-customer", + "name": "customer_id", + "key": "foreign", + "references": "do-customer" + }, + { + "name": "balance" + } + ], + "relationships": [ + { + "bom-ref": "lrel-account-customer", + "name": "owned by", + "target": "do-customer", + "cardinality": "many-to-one", + "sourceAttributes": [ + "a-account-customer" + ], + "targetAttributes": [ + "a-customer-id" + ] + } + ] + }, + { + "bom-ref": "do-transaction", + "name": "Transaction", + "attributes": [ + { + "bom-ref": "a-txn-id", + "name": "transaction_id", + "key": "primary" + }, + { + "bom-ref": "a-txn-account", + "name": "account_id", + "key": "foreign", + "references": "do-account" + }, + { + "name": "amount" + } + ], + "relationships": [ + { + "name": "posted to", + "target": "do-account", + "cardinality": "many-to-one" + } + ] + }, + { + "bom-ref": "do-card", + "name": "Card", + "attributes": [ + { + "bom-ref": "a-card-id", + "name": "card_id", + "key": "primary" + }, + { + "bom-ref": "a-card-account", + "name": "account_id", + "key": "foreign", + "references": "do-account" + } + ], + "relationships": [ + { + "name": "issued for", + "target": "do-account", + "cardinality": "many-to-one" + } + ] + } + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json new file mode 100644 index 000000000..56993f0b6 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-network-2.0.json 
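Review bot: The `owned by` relationship on `do-account` binds its foreign key with `sourceAttributes`/`targetAttributes`, but `posted to` on `do-transaction` and `issued for` on `do-card` do not, even though the foreign-key attributes `a-txn-account` and `a-card-account` and the primary key `a-account-id` were given `bom-ref`s, presumably for that purpose. For consistency add `"sourceAttributes": [ "a-txn-account" ], "targetAttributes": [ "a-account-id" ]` to `posted to` and `"sourceAttributes": [ "a-card-account" ], "targetAttributes": [ "a-account-id" ]` to `issued for`. The `$comment` advertises attribute-level key roles and foreign-key references, so the example reads better when every association uses them.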
@@ -0,0 +1,154 @@ +{ + "$comment": "Model type: network. This example models the segmented enterprise network of a fictional company. It is represented as a blueprint whose network zones are the segments (internet, DMZ, internal, management), whose boundaries are the firewalls that connect adjacent segments, and whose assets are the network nodes (edge firewall, core switch, web server, application server, VPN gateway, admin workstation). Flows carry the protocols permitted between segments. Network zones plus boundaries plus protocol-bearing flows are the defining constructs.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a6", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-network", + "name": "Globex enterprise network topology", + "description": "Segmented network with internet, DMZ, internal, and management zones connected through firewalls.", + "modelTypes": [ + "network" + ], + "zones": [ + { + "bom-ref": "net-internet", + "name": "Internet", + "type": "network" + }, + { + "bom-ref": "net-dmz", + "name": "DMZ segment", + "type": "network" + }, + { + "bom-ref": "net-internal", + "name": "Internal segment", + "type": "network" + }, + { + "bom-ref": "net-management", + "name": "Management segment", + "type": "network", + "characteristics": [ + "out-of-band" + ] + } + ], + "boundaries": [ + { + "bom-ref": "fw-edge", + "name": "Edge firewall", + "type": "network", + "zones": [ + "net-internet", + "net-dmz" + ] + }, + { + "bom-ref": "fw-internal", + "name": "Internal firewall", + "type": "network", + "zones": [ + "net-dmz", + "net-internal" + ] + }, + { + "bom-ref": "fw-management", + "name": "Management firewall", + "type": "network", + "zones": [ + "net-internal", + "net-management" + ] + } + ], + "assets": [ + { + "bom-ref": "net-asset-web", + "type": "endpoint", + "name": "Web server", + "zone": "net-dmz" + }, + { + "bom-ref": "net-asset-app", + "type": "endpoint", + "name": 
"Application server", + "zone": "net-internal" + }, + { + "bom-ref": "net-asset-switch", + "type": "network", + "name": "Core switch", + "zone": "net-internal" + }, + { + "bom-ref": "net-asset-vpn", + "type": "gateway", + "name": "VPN gateway", + "zone": "net-management" + }, + { + "bom-ref": "net-asset-admin", + "type": "device", + "name": "Administrator workstation", + "zone": "net-management" + } + ], + "relationships": [ + { + "ref": "net-asset-web", + "dependsOn": [ + "net-asset-app" + ] + } + ], + "flows": [ + { + "bom-ref": "nflow-https", + "name": "Public HTTPS", + "type": "data", + "source": "net-internet", + "destination": "net-asset-web", + "protocols": [ + "https" + ] + }, + { + "bom-ref": "nflow-app", + "name": "Web to application", + "type": "data", + "source": "net-asset-web", + "destination": "net-asset-app", + "protocols": [ + "tcp" + ] + }, + { + "bom-ref": "nflow-admin", + "name": "Administrative SSH", + "type": "data", + "source": "net-asset-admin", + "destination": "net-asset-app", + "protocols": [ + "ssh" + ], + "authentication": [ + "ssh" + ] + } + ], + "assumptions": [ + { + "bom-ref": "asm-default-deny", + "description": "Each firewall enforces default-deny with explicit allow rules.", + "topic": "security", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json new file mode 100644 index 000000000..b7028a664 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-operational-2.0.json 
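Review bot: None of the three firewall boundaries declares `crossingRequirements`, so the assumption `asm-default-deny` (each firewall enforces default-deny with explicit allow rules) has no counterpart in the model; the permitted protocols exist only on flows, and a reader cannot tell which flows are allowed through `fw-edge` versus merely drawn. Suggest `"crossingRequirements": { "protocols": [ "https" ] }` on `fw-edge`, with the matching `tcp` and `ssh` lists on `fw-internal` and `fw-management`, as the data-flow fixture does for its internet boundary. The VPN gateway `net-asset-vpn` is also declared in the out-of-band management segment yet no flow touches it, so the example does not show how an administrator actually reaches that segment.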
@@ -0,0 +1,157 @@ +{ + "$comment": "Model type: operational. This example models how a fictional service team runs and supports a system in production. The operational procedure is a behavior graph: a start node, a logging activity, an exclusive gateway that escalates on severity, and a final node. Blueprint actors bind the on-call engineer and incident commander with their in-system permissions, and external references point to the human-readable runbooks.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000aa", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-operational", + "name": "Service operations and incident response", + "description": "On-call handling of a database alert, from acknowledgement through severity-based escalation to resolution.", + "modelTypes": [ + "operational" + ], + "externalReferences": [ + { + "url": "https://example.com/runbooks/database-failover", + "type": "documentation", + "comment": "Database failover runbook." 
+ } + ], + "actors": [ + { + "bom-ref": "op-oncall", + "party": { + "roles": [ + { + "role": "operator" + } + ], + "person": { + "name": "On-call engineer" + } + }, + "permissions": [ + "acknowledge-alert", + "execute-runbook" + ] + }, + { + "bom-ref": "op-commander", + "party": { + "roles": [ + { + "role": "principal" + } + ], + "person": { + "name": "Incident commander" + } + } + } + ], + "assets": [ + { + "bom-ref": "op-monitor", + "type": "service", + "name": "Monitoring platform" + }, + { + "bom-ref": "op-pager", + "type": "tool", + "name": "Paging system" + } + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "rb-failover", + "name": "Database failover runbook", + "kind": "activity", + "trigger": "event-driven", + "nodes": [ + { + "bom-ref": "n-alert", + "kind": "initial" + }, + { + "bom-ref": "n-ack", + "kind": "activity", + "behavior": "security:auditing:logsEvent", + "name": "Acknowledge alert", + "actors": [ + "op-oncall" + ], + "targets": [ + "op-monitor" + ] + }, + { + "bom-ref": "n-severity", + "kind": "gateway", + "gatewayKind": "exclusive", + "name": "Severity?" 
+ }, + { + "bom-ref": "n-escalate", + "kind": "event", + "eventType": "on-demand", + "name": "Page incident commander", + "actors": [ + "op-commander" + ] + }, + { + "bom-ref": "n-monitor", + "kind": "event", + "name": "Watch dashboards" + }, + { + "bom-ref": "n-resolved", + "kind": "final", + "name": "Incident resolved" + } + ], + "transitions": [ + { + "source": "n-alert", + "target": "n-ack" + }, + { + "source": "n-ack", + "target": "n-severity" + }, + { + "source": "n-severity", + "target": "n-escalate", + "guard": "severity == 'sev1'" + }, + { + "source": "n-severity", + "target": "n-monitor", + "default": true + }, + { + "source": "n-escalate", + "target": "n-resolved" + }, + { + "source": "n-monitor", + "target": "n-resolved" + } + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-oncall", + "description": "An on-call engineer is available at all times under the follow-the-sun rota.", + "topic": "operational", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json new file mode 100644 index 000000000..88f88d781 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-physical-2.0.json 
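Review bot: The `op-pager` asset (Paging system) is declared but nothing references it; the `n-escalate` node that pages the incident commander names only `"actors": [ "op-commander" ]`, so the system that performs the page is disconnected from the graph. Adding `"targets": [ "op-pager" ]` to `n-escalate`, the way `n-ack` targets `op-monitor`, ties it in. The graph also goes from `n-escalate` straight to `n-resolved` with no node that executes the runbook the external reference documents and that `op-oncall` holds the `execute-runbook` permission for; if that omission is deliberate, the `$comment` should say so.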
@@ -0,0 +1,140 @@ +{ + "$comment": "Model type: physical. This example models the physical realisation of a fictional building automation system. It is represented as a blueprint whose assets are tangible devices (PLC, temperature sensor, HVAC actuator, edge gateway, SCADA server) placed in physical and geographic zones. The exchanges between them use the full breadth of flow types: signal (sensor readings), control (commands), energy (power), physical (conditioned air), and data (telemetry). A behavior instance drawn from the hardware taxonomy shows an actuator controlling temperature. Device assets, physical zones, and the energy, signal, and physical flow types are the defining constructs.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a7", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-physical", + "name": "Building automation physical model", + "description": "Physical devices, their power and signal connections, and the conditioned air they move on a plant floor.", + "modelTypes": [ + "physical" + ], + "zones": [ + { + "bom-ref": "phys-plant", + "name": "Plant floor", + "type": "physical" + }, + { + "bom-ref": "phys-control-room", + "name": "Control room", + "type": "physical" + }, + { + "bom-ref": "geo-site", + "name": "Riverside site", + "type": "geographic" + } + ], + "assets": [ + { + "bom-ref": "dev-plc", + "type": "device", + "name": "Programmable logic controller", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-sensor", + "type": "device", + "name": "Temperature sensor", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-hvac", + "type": "device", + "name": "HVAC actuator", + "zone": "phys-plant" + }, + { + "bom-ref": "dev-gateway", + "type": "gateway", + "name": "Edge gateway", + "zone": "phys-control-room" + }, + { + "bom-ref": "dev-scada", + "type": "system", + "name": "SCADA server", + "zone": "phys-control-room" + } + ], + "relationships": [ + { + "ref": "dev-plc", + 
"dependsOn": [ + "dev-hvac" + ] + } + ], + "flows": [ + { + "bom-ref": "pflow-reading", + "name": "Temperature reading", + "type": "signal", + "source": "dev-sensor", + "destination": "dev-plc" + }, + { + "bom-ref": "pflow-command", + "name": "Actuation command", + "type": "control", + "source": "dev-plc", + "destination": "dev-hvac" + }, + { + "bom-ref": "pflow-power", + "name": "Mains power", + "type": "energy", + "source": "dev-gateway", + "destination": "dev-plc" + }, + { + "bom-ref": "pflow-air", + "name": "Conditioned air", + "type": "physical", + "source": "dev-hvac", + "destination": "phys-plant" + }, + { + "bom-ref": "pflow-telemetry", + "name": "Telemetry upload", + "type": "data", + "source": "dev-gateway", + "destination": "dev-scada", + "protocols": [ + "mqtt" + ] + } + ], + "behaviors": { + "instances": [ + { + "bom-ref": "bi-control-temp", + "behavior": "hardware:actuator:controlsTemperature", + "trigger": "condition-based", + "acknowledgment": [ + "declared" + ], + "actors": [ + "dev-hvac" + ], + "targets": [ + "phys-plant" + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-power", + "description": "Controllers are backed by an uninterruptible power supply.", + "topic": "availability", + "validity": "unverified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json new file mode 100644 index 000000000..4b6fd6760 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-process-2.0.json 
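Review bot: No flow connects the plant-floor devices to `dev-gateway`, so `pflow-telemetry` uploads telemetry to SCADA from a gateway that receives nothing; the plant floor to control room crossing, which is the one an OT threat analysis would examine first, is missing. Suggest adding `{ "bom-ref": "pflow-uplink", "name": "Controller telemetry", "type": "data", "source": "dev-plc", "destination": "dev-gateway" }` to `flows`, with whatever protocol the example intends. The `pflow-power` flow also has the edge gateway supplying mains power to the PLC, which reads like a placeholder for a missing power-distribution asset rather than an intended relationship; if it is intentional, a word in the `$comment` would help.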
@@ -0,0 +1,147 @@ +{ + "$comment": "Model type: process. This example models a fictional loan origination process as a behavior graph. The nodes are activities drawn from the behavior taxonomy plus an exclusive gateway that branches on the credit decision; transitions carry the order and the branch guards; and blueprint actors bind the loan officer and underwriter to the steps that perform them. A branching activity graph, with actors, is the defining construct.", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:b1000000-0000-4000-8000-0000000000a8", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-process", + "name": "Loan origination process", + "description": "From application intake through the credit decision to a recorded outcome.", + "modelTypes": [ + "process" + ], + "actors": [ + { + "bom-ref": "act-officer", + "party": { + "roles": [ + { + "role": "operator" + } + ], + "person": { + "name": "Loan officer", + "jobTitle": "Loan Officer" + } + }, + "permissions": [ + "intake-application" + ] + }, + { + "bom-ref": "act-underwriter", + "party": { + "roles": [ + { + "role": "verifier" + } + ], + "person": { + "name": "Underwriter" + } + } + } + ], + "behaviors": { + "graphs": [ + { + "bom-ref": "pg-loan", + "name": "Loan origination", + "kind": "activity", + "trigger": "user-initiated", + "nodes": [ + { + "bom-ref": "n-start", + "kind": "initial" + }, + { + "bom-ref": "n-receive", + "kind": "activity", + "behavior": "data:ingestion:receivesRequest", + "name": "Receive application", + "actors": [ + "act-officer" + ] + }, + { + "bom-ref": "n-verify", + "kind": "activity", + "behavior": "security:authentication:authenticatesUser", + "name": "Verify applicant identity", + "actors": [ + "act-officer" + ] + }, + { + "bom-ref": "n-decision", + "kind": "gateway", + "gatewayKind": "exclusive", + "name": "Credit decision" + }, + { + "bom-ref": "n-approve", + "kind": "activity", + "behavior": "security:auditing:logsEvent", + "name": 
"Approve and record", + "actors": [ + "act-underwriter" + ] + }, + { + "bom-ref": "n-decline", + "kind": "event", + "name": "Decline letter sent" + }, + { + "bom-ref": "n-end", + "kind": "final" + } + ], + "transitions": [ + { + "source": "n-start", + "target": "n-receive" + }, + { + "source": "n-receive", + "target": "n-verify" + }, + { + "source": "n-verify", + "target": "n-decision" + }, + { + "source": "n-decision", + "target": "n-approve", + "guard": "creditScore >= 680" + }, + { + "source": "n-decision", + "target": "n-decline", + "default": true + }, + { + "source": "n-approve", + "target": "n-end" + }, + { + "source": "n-decline", + "target": "n-end" + } + ] + } + ] + }, + "assumptions": [ + { + "bom-ref": "asm-credit-bureau", + "description": "A credit score is available from an external bureau at intake.", + "topic": "business", + "validity": "verified" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json b/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json new file mode 100644 index 000000000..b444461ed --- /dev/null +++ b/tools/src/test/resources/2.0/valid-blueprint-visualization-2.0.json 
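Review bot: The blueprint `description` promises a process that runs "to a recorded outcome", but only the approval branch records anything: `n-approve` carries `security:auditing:logsEvent`, while the decline branch goes `n-decision` → `n-decline` (an `event` node) → `n-end` with no auditing activity. Either add an activity node on the decline path bound to `act-underwriter` with the same `security:auditing:logsEvent` behavior, or narrow the text to `"description": "From application intake through the credit decision to a recorded approval."`. As written, a reader may take the fixture as a model of an audit trail that only covers one branch.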
@@ -0,0 +1,62 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:2b1c0d9e-7a3f-4c21-9f0a-6d5e4c3b2a10", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-payments", + "name": "Payment service model", + "modelTypes": [ + "data-flow" + ], + "visualizations": [ + { + "bom-ref": "viz-inline-source", + "name": "Payment data flow", + "description": "Inline diagram source carried as an attachment and rendered by the consumer.", + "type": { + "type": "data-flow" + }, + "attachment": { + "mediaType": "text/vnd.mermaid", + "content": "flowchart LR; user-->gateway-->ledger" + }, + "level": "high" + }, + { + "bom-ref": "viz-base64-image", + "name": "Architecture overview", + "type": { + "type": "architecture" + }, + "attachment": { + "mediaType": "image/png", + "encoding": "base64", + "content": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg==" + } + }, + { + "bom-ref": "viz-external-url", + "name": "Deployment topology", + "type": { + "name": "deployment topology" + }, + "url": "https://example.com/diagrams/deployment.svg" + }, + { + "bom-ref": "viz-attack-tree", + "name": "Credential theft attack tree", + "description": "Rendered attack tree exercising a newly added visualization type.", + "type": { + "type": "attack-tree" + }, + "attachment": { + "mediaType": "text/vnd.mermaid", + "content": "flowchart TD; goal-->phish; goal-->stuffing" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json b/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json new file mode 100644 index 000000000..3ca54e84b --- /dev/null +++ b/tools/src/test/resources/2.0/valid-control-cdxa-claim-2.0.json 
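Review bot: This is the only blueprint fixture in the series without a leading `$comment`; the physical and process fixtures each open with one naming the model type and the defining constructs, which is what lets a reader tell which schema features the file exists to exercise. Suggest opening with `"$comment": "Visualizations. This example exercises the four ways a visualization may be carried: inline diagram source, a base64 image, an external URL, and a custom type object."`. Relatedly, the `viz-attack-tree` description "exercising a newly added visualization type" will go stale as soon as the type is no longer new; describe what the diagram shows instead.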
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:4b9e7d2f-3a1c-4e6b-8c5d-9f2a6e1b7c34",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-encryption-at-rest",
+ "name": "Encryption at rest",
+ "category": "preventive",
+ "status": "verified"
+ },
+ {
+ "bom-ref": "control-key-rotation",
+ "name": "Automated key rotation",
+ "category": "preventive",
+ "status": "planned"
+ }
+ ],
+ "declarations": {
+ "claims": [
+ {
+ "bom-ref": "claim-encryption-at-rest",
+ "target": "control-encryption-at-rest",
+ "predicate": "All customer data volumes are encrypted at rest.",
+ "mitigationStrategies": [
+ "control-key-rotation"
+ ],
+ "reasoning": "Storage configuration exports show encryption enabled for all volumes. Key rotation is planned to address key-age findings in the evidence."
+ }
+ ]
+ }
+}
diff --git a/tools/src/test/resources/2.0/valid-control-full-2.0.json b/tools/src/test/resources/2.0/valid-control-full-2.0.json
new file mode 100644
index 000000000..cfce551c0
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-control-full-2.0.json
@@ -0,0 +1,107 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:1f8a6b2c-4e7d-4f0a-9c3b-8d5e2a7f6b41", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "component-authz-lib", + "name": "acme-authz", + "version": "3.2.1" + } + ], + "services": [ + { + "bom-ref": "service-payment-api", + "name": "Acme Payment API" + } + ], + "definitions": { + "requirements": [ + { + "bom-ref": "requirement-access-enforcement", + "id": "AC-3", + "name": "Access enforcement" + } + ] + }, + "controls": [ + { + "bom-ref": "control-rbac", + "name": "Role-based access control", + "description": "Enforces least-privilege access to the payment API.", + "category": "preventive", + "status": "verified", + "appliesTo": [ + "service-payment-api" + ], + "implementedBy": [ + "component-authz-lib" + ], + "satisfies": [ + "requirement-access-enforcement" + ], + "effectiveness": { + "percentage": 0.95, + "rating": "excellent" + }, + "owner": { + "roles": [ + { + "role": "owner" + } + ], + "organization": { + "name": "Acme Security Office" + } + }, + "externalReferences": [ + { + "type": "documentation", + "url": "https://docs.acme.example.com/controls/rbac" + } + ], + "properties": [ + { + "name": "internal:control-id", + "value": "CTRL-0042" + } + ] + } + ], + "threats": { + "threats": [ + { + "bom-ref": "threat-privilege-escalation", + "name": "Privilege escalation via the payment API", + "mitigations": [ + "control-rbac" + ] + } + ] + }, + "risks": { + "risks": [ + { + "bom-ref": "risk-unauthorized-payment", + "name": "Unauthorized payment initiation", + "statement": "An unauthorized actor initiates payments, resulting in financial loss.", + "responses": [ + { + "bom-ref": "response-enforce-rbac", + "strategy": "reduce", + "controls": [ + "control-rbac" + ], + "status": "implemented", + "effectiveness": { + "rating": "good" + } + } + ] + } + ] + } +} 
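Review bot: `"percentage": 0.95` under `effectiveness` is ambiguous about its unit: read as a percentage it is 0.95 %, read as a fraction it is 95 %, and the neighbouring `"rating": "excellent"` only makes sense for the latter. The same encoding appears in the risk fixture's response (`"percentage": 0.7` beside `"rating": "good"`). Whichever range the schema declares for `percentage`, the fixture should use a value that is unambiguous under it (`95` if the range is 0–100), or the property should be named for a 0–1 ratio. The risk schema that declares the property is not in this hunk, so its range cannot be confirmed here.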
diff --git a/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json b/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json new file mode 100644 index 000000000..2294973e8 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-control-grc-standalone-2.0.json @@ -0,0 +1,53 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:9b3d5e1f-7a2c-4d8b-b0e6-4f1a8c6d2e73", + "version": 1, + "definitions": { + "requirements": [ + { + "bom-ref": "requirement-audit-logging", + "id": "AU-2", + "name": "Event logging" + } + ] + }, + "controls": [ + { + "bom-ref": "control-central-logging", + "name": "Centralized audit logging", + "category": "detective", + "status": "recommended", + "satisfies": [ + "requirement-audit-logging" + ] + }, + { + "bom-ref": "control-security-awareness", + "name": "Security awareness training", + "description": "Annual training for all personnel. Applies to the organization as a whole.", + "category": "deterrent", + "status": "implemented" + }, + { + "bom-ref": "control-network-airgap", + "name": "Air-gapped deployment", + "category": "preventive", + "status": "rejected", + "description": "Declined. Operational cost outweighs the benefit; compensating controls cover the risk." + }, + { + "bom-ref": "control-vendor-review", + "name": "Vendor security review", + "category": { + "name": "administrative", + "description": "Procedural controls executed by people rather than systems." + }, + "status": { + "name": "piloting", + "description": "Operating for a subset of vendors before full rollout." + } + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-control-minimal-2.0.json b/tools/src/test/resources/2.0/valid-control-minimal-2.0.json new file mode 100644 index 000000000..a27773cb9 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-control-minimal-2.0.json 
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "serialNumber": "urn:uuid:7c0e4f3a-9d2b-4a1e-8f6c-2b5d9e7a4c10",
+ "version": 1,
+ "controls": [
+ {
+ "bom-ref": "control-mfa",
+ "name": "Multi-factor authentication"
+ }
+ ]
+}
diff --git a/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json b/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json
new file mode 100644
index 000000000..a3facebbc
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-data-erd-relationships-2.0.json
@@ -0,0 +1,103 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:a1b2c3d4-0003-4abc-8def-1122334455cc", + "version": 1, + "blueprints": [ + { + "bom-ref": "bp-core-logical", + "name": "Core logical and architecture model", + "modelTypes": [ + "logical", + "architecture" + ], + "assets": [ + { + "bom-ref": "asset-customer-service", + "type": "service", + "name": "Customer service" + }, + { + "bom-ref": "asset-order-service", + "type": "service", + "name": "Order service" + } + ], + "relationships": [ + { + "ref": "asset-order-service", + "dependsOn": [ + "asset-customer-service" + ] + }, + { + "ref": "asset-order-service", + "custom": [ + { + "type": "invokes", + "targets": [ + "asset-customer-service" + ], + "description": "A custom relationship kind for synchronous invocation." + } + ] + } + ], + "dataSets": [ + { + "bom-ref": "ds-core", + "name": "Core entities", + "description": "Logical data model for customers and orders.", + "dataObjects": [ + { + "bom-ref": "do-customer", + "name": "Customer", + "attributes": [ + { + "bom-ref": "attr-customer-id", + "name": "id", + "key": "primary" + }, + { + "name": "email", + "key": "unique" + } + ] + }, + { + "bom-ref": "do-order", + "name": "Order", + "attributes": [ + { + "bom-ref": "attr-order-id", + "name": "id", + "key": "primary" + }, + { + "bom-ref": "attr-order-customerid", + "name": "customer_id", + "key": "foreign", + "references": "do-customer" + } + ], + "relationships": [ + { + "bom-ref": "rel-order-customer", + "name": "placed by", + "target": "do-customer", + "cardinality": "many-to-one", + "sourceAttributes": [ + "attr-order-customerid" + ], + "targetAttributes": [ + "attr-customer-id" + ] + } + ] + } + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json new file mode 100644 index 000000000..9720dab0f --- /dev/null 
+++ b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json 
@@ -0,0 +1,100 @@ +{ + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:7c9e6679-7425-40de-944b-e07fc1f90ae7", + "version": 1, + "risks": { + "risks": [ + { + "bom-ref": "risk-model-bias", + "name": "Disparate loan approval rates", + "statement": "The credit model may approve loans at materially different rates across demographic groups, leading to discriminatory outcomes.", + "description": "Identified during fairness evaluation of the underwriting model.", + "domains": [ + { "type": "ethical" }, + { "type": { "name": "model-governance", "description": "Risks specific to the organization's model governance program." } } + ], + "affects": [ "component-credit-model", "data-training-set", "party-loan-applicants" ], + "relatedThreats": [ "threat-data-poisoning" ], + "relatedWeaknesses": [ "weakness-training-imbalance" ], + "relatedRequirements": [ "requirement-fairness-conformance" ], + "relatedStandards": [ "standard-ai-governance" ], + "relatedClaims": [ "claim-fairness-partial" ], + "inherentRisk": { + "likelihood": { + "level": "high", + "probability": 0.7, + "timeframe": "P1Y", + "factors": [ + { "name": "Training data imbalance", "type": "vulnerability", "level": "high" }, + { "name": "Detection coverage", "type": "detectability", "level": "low" }, + { "name": "Bespoke audit pressure", "type": { "name": "regulatory-scrutiny", "description": "Degree of active regulatory attention." }, "level": "medium" } + ], + "rationale": "Historical data is skewed and monitoring is limited." 
+ }, + "impact": { + "level": "major", + "polarity": "harm", + "categories": [ "bias", "discrimination", "human-rights", { "name": "brand-trust" } ], + "factors": [ + { "name": "Discrimination harm", "category": "discrimination", "score": 8, "weight": 0.6 }, + { "name": "Reputation damage", "category": "reputation", "score": 6, "weight": 0.4 } + ], + "range": { "minimum": 6, "mostLikely": 8, "maximum": 9 }, + "quantification": { + "affectedGroups": 3, + "financialLossRange": { "minimum": 100000, "mostLikely": 500000, "maximum": 2000000 }, + "currency": "USD" + }, + "description": "Potential regulatory action and harm to affected applicants." + }, + "score": { "level": "high", "score": 8, "methodology": "owasp-risk-rating" }, + "detectability": { "score": 6, "description": "Bias surfaces only in aggregate metrics, so individual decisions are hard to flag." }, + "confidence": 0.6, + "rationale": "Based on offline fairness metrics." + }, + "residualRisk": { + "impact": { "level": "moderate", "polarity": "harm", "categories": [ "bias" ] }, + "score": { "level": "medium" }, + "confidence": 0.5 + }, + "responses": [ + { + "bom-ref": "response-reweighting", + "strategy": "reduce", + "description": "Apply reweighting and fairness constraints, with ongoing monitoring.", + "controls": [ "requirement-fairness-threshold", "component-bias-monitor" ], + "status": { "name": "in-review", "description": "Pending sign-off from the model risk committee." 
}, + "effectiveness": { "rating": "good", "percentage": 0.7 }, + "cost": "medium", + "priority": "high", + "owner": "party-ml-team", + "targetDate": "2026-09-30T00:00:00Z" + } + ], + "status": "assessed", + "owner": "party-risk-office" + } + ], + "assessments": [ + { + "bom-ref": "assessment-q2-2026", + "name": "Q2 2026 model risk review", + "type": "periodic", + "timestamp": "2026-04-15T00:00:00Z", + "scope": "The credit underwriting model and its training pipeline.", + "status": "completed", + "assessors": [ "party-risk-office", "system-ccm-platform" ], + "summary": "Quarterly fairness and model risk review.", + "risks": [ "risk-model-bias" ], + "overallRisk": { + "method": "average", + "score": { "level": "high", "score": 8, "methodology": "owasp-risk-rating" } + }, + "assumptions": [ "Training data distribution is representative of the applicant population." ], + "recommendations": [ "Expand monitoring to per-segment fairness metrics." ], + "nextReview": "2026-07-15T00:00:00Z" + } + ] + } +} diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json index 88724de3f..dc668de5b 100644 --- a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json +++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json 
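Review bot: Every cross-reference in this fixture is dangling: `affects` (`component-credit-model`, `data-training-set`, `party-loan-applicants`), `relatedThreats`, `relatedWeaknesses`, `relatedRequirements`, `relatedStandards`, `relatedClaims`, `responses[].controls`, `owner` (`party-ml-team`, `party-risk-office`) and `assessors` all name bom-refs the document never declares. By contrast `valid-threatmodel-simple-2.0.json` in the next hunk declares `req-mfa` under `definitions.requirements` but leaves `party-attacker`, `asset-datastore`, `risk-account-takeover` and `boundary-internet-dmz` unresolved, so the two "valid" fixtures disagree on whether references must resolve. If the validator checks bom-ref resolution both files fail; if it does not, record the intent with `"$comment": "Cross-references are intentionally unresolved; this fixture exercises the risk model only."` so the omission is not mistaken for an oversight.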
@@ -1,25 +1,206 @@ { "specFormat": "CycloneDX", "specVersion": "2.0", - "metadata": { - + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "profiles": { + "threatProfiles": [ + { + "bom-ref": "tp-apt", + "name": "Advanced persistent threat", + "sophistication": "advanced", + "resources": "substantial", + "skillSet": [ + "malware-development", + "spear-phishing" + ] + } + ] }, - "threatModel": { - // References the threat model schema - "modelTypes": [{"type": "threat"}], - "methodologies": [{"type": "STRIDE"}], - "domains": [{"type": "security"}], - - // Blueprint elements - "assets": [...], - "zones": [...], - "boundaries": [...], - "flows": [...], - - // Threat-specific elements - "scenarios": [...], - "threatActors": [...], - "mitigations": [...], - "assessments": [...] + "threats": { + "methodologies": [ "STRIDE", "attack-tree" ], + "threats": [ + { + "bom-ref": "threat-credential-theft", + "name": "Credential theft", + "description": "An adversary steals operator credentials to reach protected data.", + "source": "Internal threat-modelling workshop", + "categories": [ + { + "taxonomy": "STRIDE", + "category": "spoofing" + }, + { + "taxonomy": "MITRE-ATTACK", + "category": "credential-access" + } + ], + "weaknesses": [ + { + "bom-ref": "wk-auth", + "name": "Single-factor operator authentication", + "description": "Operators authenticate to the console with a single factor." 
+ } + ], + "attackPatterns": [ + "ap-phishing" + ], + "attackTrees": [ + "at-exfil" + ], + "abuseCases": [ + "abuse-enumeration" + ], + "killChainPhase": "delivery", + "affectedAssets": [ + "asset-datastore" + ], + "mitigations": [ + "req-mfa" + ] + } + ], + "scenarios": [ + { + "bom-ref": "ts-credential-theft", + "name": "APT credential theft via spear phishing", + "description": "An advanced persistent threat phishes an operator to steal credentials and reach the data store.", + "threats": [ + "threat-credential-theft" + ], + "actor": "party-attacker", + "threatProfile": "tp-apt", + "motivation": [ + "financial", + "espionage" + ], + "intent": "targeted", + "accessLevel": "external", + "attackVector": { + "type": "network", + "complexity": "low", + "privileges": "none", + "userInteraction": "required" + }, + "riskAttributes": [ + "confidentiality", + "authentication" + ], + "affectedAssets": [ + "asset-datastore" + ], + "relatedRisks": [ + "risk-account-takeover" + ] + } + ], + "attackPatterns": [ + { + "bom-ref": "ap-phishing", + "capecId": 98, + "name": "Phishing", + "description": "An adversary tricks a victim into performing an action or revealing information.", + "techniques": [ + { + "id": "T1566", + "name": "Phishing", + "tactic": "initial-access" + } + ] + } + ], + "attackTrees": [ + { + "bom-ref": "at-exfil", + "name": "Exfiltrate customer data", + "root": "atn-root", + "nodes": [ + { + "bom-ref": "atn-root", + "name": "Exfiltrate customer PII", + "operator": "or", + "children": [ + "atn-creds", + "atn-injection" + ] + }, + { + "bom-ref": "atn-creds", + "name": "Steal operator credentials", + "operator": "or", + "skill": "intermediate", + "children": [ + "atn-phishing", + "atn-stuffing" + ] + }, + { + "bom-ref": "atn-phishing", + "name": "Spear phishing", + "attackPattern": "ap-phishing", + "cost": "low", + "detectability": "moderate" + }, + { + "bom-ref": "atn-stuffing", + "name": "Credential stuffing", + "cost": "low", + "detectability": "high" + }, + 
{ + "bom-ref": "atn-injection", + "name": "Exploit injection", + "operator": "and", + "children": [ + "atn-reach", + "atn-waf" + ] + }, + { + "bom-ref": "atn-reach", + "name": "Reach the endpoint" + }, + { + "bom-ref": "atn-waf", + "name": "Bypass the web application firewall" + } + ] + } + ], + "abuseCases": [ + { + "bom-ref": "abuse-enumeration", + "name": "Bulk account enumeration", + "description": "The adversary enumerates valid accounts through repeated login attempts.", + "abuser": "party-attacker", + "realizes": [ + "threat-credential-theft" + ], + "mainFlow": [ + { + "number": 1, + "description": "The attacker submits many login attempts with candidate usernames." + } + ] + } + ], + "trustBoundaries": [ + { + "bom-ref": "tb-internet-dmz", + "name": "Internet to DMZ", + "boundary": "boundary-internet-dmz", + "trustLevel": "untrusted" + } + ] + }, + "definitions": { + "requirements": [ + { + "bom-ref": "req-mfa", + "id": "REQ-MFA-001", + "name": "Require multi-factor authentication for operators", + "priority": "high" + } + ] } -} \ No newline at end of file +} diff --git a/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json b/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json new file mode 100644 index 000000000..0a61131a9 --- /dev/null +++ b/tools/src/test/resources/2.0/valid-vex-mitigating-control-2.0.json 
@@ -0,0 +1,45 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:8d4f2a1b-6c3e-4b9d-a5f0-1e7c8b2d4a96", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "component-xml-parser", + "name": "acme-xml-parser", + "version": "2.4.0" + } + ], + "controls": [ + { + "bom-ref": "control-waf", + "name": "Web application firewall", + "category": "preventive", + "status": "verified", + "appliesTo": [ + "component-xml-parser" + ] + } + ], + "vulnerabilities": [ + { + "bom-ref": "vuln-xxe", + "id": "CVE-2026-99999", + "analysis": { + "state": "not_affected", + "justification": "protected_by_mitigating_control", + "mitigatingControls": [ + "control-waf" + ], + "detail": "External entity payloads are blocked at the perimeter before reaching the parser." + }, + "affects": [ + { + "ref": "component-xml-parser" + } + ] + } + ] +} From 10d7dd2831881c6c2af4a8fbaf207f01b2868917 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 17 Jun 2026 20:28:09 -0500 Subject: [PATCH 41/44] Changed risk type to align with the kind of risk assessment performed - and updated it to be an array. Added cadence (previously was risk assessment type) to be a noun representing temporal data. Updated test case. Signed-off-by: Steve Springett --- .../2.0/model/cyclonedx-risk-2.0.schema.json | 87 +++++++++++++++++-- .../resources/2.0/valid-risk-ai-bias-2.0.json | 3 +- 2 files changed, 83 insertions(+), 7 deletions(-) diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index 6d3ff67bb..f028c879e 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -1040,6 +1040,7 @@ "required": [ "bom-ref", "type", + "cadence", "timestamp" ], "additionalProperties": false, 
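Review bot: The `not_affected` analysis rests on `control-waf`, but the control's `appliesTo` binds it to the library `component-xml-parser`, and a web application firewall protects a network path rather than a parser; any input that reaches the parser without crossing that path is outside the control's coverage, and a VEX consumer cannot tell that from this document. `valid-control-full-2.0.json` already shows the clearer shape, with `appliesTo` naming a service and `implementedBy` naming the component. Consider the same here, and have `detail` state the scope, e.g. `"detail": "External entity payloads are blocked by the WAF on the public HTTP path; in this deployment the parser is not reachable by any other input path."`. Whether `appliesTo` may name a service is inferred from the control fixture, not from a schema visible here.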
@@ -1053,11 +1054,85 @@ "description": "A human-readable name for the assessment." }, "type": { + "type": "array", "title": "Type", - "description": "The kind of risk assessment. Use the custom option for kinds specific to an organization's process.", + "minItems": 1, + "uniqueItems": true, + "description": "The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. Use the custom option for kinds specific to an organization's process.", + "items": { + "oneOf": [ + { + "title": "Predefined Assessment Type", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "safety", + "financial", + "environmental", + "supply-chain", + "compliance", + "data-protection-impact", + "fundamental-rights-impact", + "ai-impact", + "business-impact", + "third-party", + "threat", + "vulnerability", + "model-risk", + "fraud" + ], + "meta:enum": { + "security": "Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.", + "privacy": "Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.", + "operational": "Operational risk assessment, evaluating risks to ongoing operations and continuity.", + "safety": "Safety risk assessment, evaluating risks of harm to people or property.", + "financial": "Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.", + "environmental": "Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.", + "supply-chain": "Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).", 
+ "compliance": "Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.", + "data-protection-impact": "Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).", + "fundamental-rights-impact": "Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).", + "ai-impact": "Artificial intelligence impact assessment, evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).", + "business-impact": "Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.", + "third-party": "Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.", + "threat": "Threat assessment, evaluating the threats and threat actors relevant to a subject.", + "vulnerability": "Vulnerability assessment, evaluating weaknesses that could be exploited.", + "model-risk": "Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.", + "fraud": "Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that detect or prevent it." + } + }, + { + "title": "Custom Assessment Type", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assessment type." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assessment type." + } + } + } + ] + } + }, + "cadence": { + "title": "Cadence", + "description": "The temporal cadence or occasion on which the assessment is performed. Use the custom option for patterns specific to an organization's process.", "oneOf": [ { - "title": "Predefined Assessment Type", + "title": "Predefined Assessment Cadence", "type": "string", "enum": [ "initial", @@ -1067,7 +1142,7 @@ "ad-hoc" ], "meta:enum": { - "initial": "Initial, baseline risk assessment.", + "initial": "Initial, baseline assessment performed once at the outset.", "periodic": "Scheduled, recurring assessment.", "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.", "triggered": "Assessment triggered by a specific event, such as a change or an incident.", @@ -1075,7 +1150,7 @@ } }, { - "title": "Custom Assessment Type", + "title": "Custom Assessment Cadence", "type": "object", "required": [ "name" @@ -1086,12 +1161,12 @@ "type": "string", "minLength": 1, "title": "Name", - "description": "The name of the custom assessment type." + "description": "The name of the custom assessment cadence." }, "description": { "type": "string", "title": "Description", - "description": "A description of the custom assessment type." + "description": "A description of the custom assessment cadence." } } } diff --git a/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json index 9720dab0f..01bb1fb28 100644 --- a/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json +++ b/tools/src/test/resources/2.0/valid-risk-ai-bias-2.0.json 
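Review bot: The `meta:enum` text for `data-protection-impact` and `fundamental-rights-impact` cites third-party sites (`gdpr-info.eu`, `artificialintelligenceact.eu`) rather than the official legal text; for a schema published as a normative standard, a citation to the EUR-Lex publication of each regulation is more durable and avoids endorsing a commercial mirror. The other entries cite NIST publications directly, so these two are the odd ones out. The enclosing `properties` object of the assessment definition begins before this hunk.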
@@ -80,7 +80,8 @@ { "bom-ref": "assessment-q2-2026", "name": "Q2 2026 model risk review", - "type": "periodic", + "type": [ "ai-impact", "model-risk" ], + "cadence": "periodic", "timestamp": "2026-04-15T00:00:00Z", "scope": "The credit underwriting model and its training pipeline.", "status": "completed", From 84e4513c86ee0526b5a87d65eab3823698d09c2f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 19 Jun 2026 11:09:36 -0500 Subject: [PATCH 42/44] Closed some gaps for PASTA, STRIDE-LM by introducing business objectives, kill chains, and attack paths for lateral movement. Signed-off-by: Steve Springett --- ...clonedx-business-objective-2.0.schema.json | 61 +++++ .../cyclonedx-definition-2.0.schema.json | 5 +- .../2.0/model/cyclonedx-risk-2.0.schema.json | 129 ++++++++++- .../model/cyclonedx-threat-2.0.schema.json | 214 ++++++++++++++++-- .../model/cyclonedx-usecase-2.0.schema.json | 9 + .../2.0/valid-threatmodel-simple-2.0.json | 13 ++ 6 files changed, 404 insertions(+), 27 deletions(-) create mode 100644 schema/2.0/model/cyclonedx-business-objective-2.0.schema.json diff --git a/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json b/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json new file mode 100644 index 000000000..ae47bd22b --- /dev/null +++ b/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json 
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-business-objective-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Business Objective Model",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "businessObjectives": {
+ "type": "array",
+ "title": "Business Objectives",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/businessObjective"
+ },
+ "description": "A collection of reusable business objectives that other elements may reference."
+ },
+ "businessObjective": {
+ "type": "object",
+ "title": "Business Objective",
+ "description": "A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.",
+ "required": [
+ "bom-ref",
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "The name of the business objective."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the business objective."
+ },
+ "criticality": {
+ "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality",
+ "description": "The business criticality of the objective."
+ },
+ "owner": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party accountable for this objective. 
May be an inline party object or a reference to a previously declared party."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-definition-2.0.schema.json b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
index 3b4e595f3..ec57179bb 100644
--- a/schema/2.0/model/cyclonedx-definition-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
@@ -3,7 +3,7 @@
 "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-definition-2.0.schema.json",
 "type": "null",
 "title": "CycloneDX Definition Model",
- "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
 "$defs": {
 "definitions": {
 "type": "object",
@@ -22,6 +22,9 @@
 },
 "requirements": {
 "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirements"
+ },
+ "businessObjectives": {
+ "$ref": "cyclonedx-business-objective-2.0.schema.json#/$defs/businessObjectives"
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
index f028c879e..40e903597 100644
--- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
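Review bot: The `externalReferences` property of `businessObjective` is declared inline as a bare array of `externalReference` items with no title or description, while `attackPath` in the threat schema of this same patch reuses the shared collection definition; for consistency, and so that any constraint later placed on the shared collection applies here too, use `"externalReferences": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" }`. The `bom-ref` property also lacks the description its counterpart on `riskAppetite` carries in this patch; `"description": "An identifier which can be used to reference this business objective elsewhere, such as from a threat, risk, or use case."` would document why the key is required. A reader of the bundled schema otherwise has to infer the purpose of a required identifier from its siblings.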
@@ -29,6 +29,15 @@
 },
 "description": "Point-in-time risk assessment events, each evaluating one or more of the documented risks."
 },
+ "riskAppetites": {
+ "type": "array",
+ "title": "Risk Appetites",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/riskAppetite"
+ },
+ "description": "The risk appetites that apply to this collection. Multiple entries support a document covering more than one party."
+ },
 "properties": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
 }
@@ -138,7 +147,7 @@
 "control",
 "data-subject-rights",
 "integrity",
- "minimisation",
+ "minimization",
 "non-repudiation",
 "possession",
 "privacy",
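Review bot: Renaming the enum value `minimisation` to `minimization` in the second hunk changes a serialized value, not only prose, so any instance document or test fixture still carrying `minimisation` stops validating against this schema. The spelling changes in the next hunk touch only `meta:enum` descriptions and are harmless, but this one is a compatibility break for this enum's value set and deserves a sentence in the commit message. If any other enum in the 2.0 model still spells this value the British way, it should be aligned in the same commit so the value set is identical wherever it is reused.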
@@ -153,12 +162,12 @@
 "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.",
 "availability": "Ensuring systems, data, and services are accessible and operational when needed.",
 "compliance": "Adherence to applicable laws, regulations, policies, and standards.",
- "confidentiality": "Preventing unauthorised access to or disclosure of information.",
+ "confidentiality": "Preventing unauthorized access to or disclosure of information.",
 "connectivity": "Maintaining secure and reliable communication between systems or components.",
 "control": "Enabling individuals to manage how their personal data is used and shared.",
 "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.",
- "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors.",
- "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose.",
+ "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorized actors.",
+ "minimization": "Limiting data collection and retention to what is strictly necessary for the intended purpose.",
 "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.",
 "possession": "Ensuring control or custody over data or assets, regardless of ownership.",
 "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.",
@@ -277,6 +286,14 @@
 },
 "description": "References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. The degree of conformance is carried by the claim, not by the risk."
 },
+ "relatedBusinessObjectives": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the business objectives this risk threatens."
+ },
 "inherentRisk": {
 "$ref": "#/$defs/rating",
 "description": "The assessed risk before any responses are applied."
@@ -287,7 +304,7 @@
 },
 "targetRisk": {
 "$ref": "#/$defs/rating",
- "description": "The risk level the organization aims to reach, reflecting its risk appetite."
+ "description": "The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment."
 },
 "responses": {
 "type": "array",
@@ -1327,6 +1344,14 @@
 "format": "date-time",
 "description": "When the next review should occur."
 },
+ "riskAppetites": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this assessment."
+ },
 "externalReferences": {
 "type": "array",
 "items": {
@@ -1373,6 +1398,100 @@
 "high": "High impact affecting critical operations.",
 "critical": "Critical impact with severe business consequences."
 }
+ },
+ "appetiteLevel": {
+ "type": "string",
+ "description": "A qualitative risk appetite level, ranging from risk-averse to risk-seeking.",
+ "enum": [
+ "averse",
+ "minimal",
+ "cautious",
+ "open",
+ "hungry"
+ ],
+ "meta:enum": {
+ "averse": "Avoidance of risk is the priority, and only the lowest-risk options are acceptable.",
+ "minimal": "A preference for very low risk, accepting risk only where it is unavoidable.",
+ "cautious": "A preference for safe options, accepting limited and well-understood risk for reward.",
+ "open": "A willingness to accept higher risk where the potential reward justifies it.",
+ "hungry": "An active willingness to seek risk in pursuit of greater reward, within defined control limits."
+ }
+ },
+ "riskAppetite": {
+ "type": "object",
+ "title": "Risk Appetite",
+ "description": "The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.",
+ "required": [
+ "level"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "description": "An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment."
+ },
+ "party": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. 
May be an inline party object or a reference to a previously declared party."
+ },
+ "level": {
+ "$ref": "#/$defs/appetiteLevel",
+ "description": "The overall risk appetite level."
+ },
+ "statement": {
+ "type": "string",
+ "title": "Statement",
+ "description": "A narrative statement of the overall risk appetite, including any qualifications or context."
+ },
+ "rationale": {
+ "type": "string",
+ "description": "The justification for this appetite, such as the strategic objective or regulatory obligation that informs it."
+ },
+ "owner": {
+ "$ref": "cyclonedx-party-2.0.schema.json#/$defs/partyChoice",
+ "description": "The party accountable for setting and approving this appetite, such as a board or risk committee. May be an inline party object or a reference to a previously declared party."
+ },
+ "horizon": {
+ "type": "string",
+ "description": "The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."
+ },
+ "nextReview": {
+ "type": "string",
+ "format": "date-time",
+ "description": "When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape."
+ },
+ "categories": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "required": [
+ "domain",
+ "level"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "domain": {
+ "$ref": "#/$defs/riskDomain",
+ "description": "The risk domain this appetite entry applies to."
+ },
+ "level": {
+ "$ref": "#/$defs/appetiteLevel",
+ "description": "The appetite level for this risk domain."
+ },
+ "statement": {
+ "type": "string",
+ "description": "A narrative statement of the appetite for this risk domain."
+ },
+ "rationale": {
+ "type": "string",
+ "description": "The justification for the appetite for this risk domain."
+ }
+ }
+ },
+ "description": "Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial."
+ }
+ }
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
index 612c6f106..edc8748c3 100644
--- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json
@@ -47,6 +47,15 @@
 },
 "description": "Attack trees that decompose attacker goals into sub-goals and techniques."
 },
+ "attackPaths": {
+ "type": "array",
+ "title": "Attack Paths",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/attackPath"
+ },
+ "description": "Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement."
+ },
 "abuseCases": {
 "type": "array",
 "title": "Abuse Cases",
@@ -322,6 +331,14 @@
 "$ref": "cyclonedx-weakness-2.0.schema.json#/$defs/weaknesses",
 "description": "The weaknesses, such as CWE classifications, that this threat exploits."
 },
+ "relatedVulnerabilities": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it."
+ },
 "attackPatterns": {
 "type": "array",
 "title": "Attack Patterns",
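Review bot: `riskAppetite` requires only `level`, so an appetite declared under the risks collection need not carry a `bom-ref`, yet the assessment-level `riskAppetites` property added earlier in this file can only point at appetites by bom-link or bom-ref, and the `bom-ref` description itself says the identifier exists to be referenced from an assessment. `businessObjective` in this same patch requires `bom-ref` together with `name`; doing the same here, `"required": [ "bom-ref", "level" ]`, keeps reusable declared items consistent and makes every appetite addressable. Separately, `horizon` is described as an ISO 8601 duration but is an unconstrained string; the 2020-12 dialect the sibling schemas declare defines a `duration` format, so `"format": "duration"` records the expectation in a machine-readable way next to the prose, with the usual caveat that `format` is only enforced by validators that opt in. This hunk's enclosing definition closes on the context lines above the threat file header.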
@@ -350,27 +367,8 @@
 "description": "References using bom-link or bom-ref to the abuse cases that illustrate how this threat can be exercised."
 },
 "killChainPhase": {
- "type": "string",
- "title": "Kill Chain Phase",
- "description": "The phase of the cyber kill chain at which this threat operates.",
- "enum": [
- "reconnaissance",
- "weaponization",
- "delivery",
- "exploitation",
- "installation",
- "command-and-control",
- "actions-on-objectives"
- ],
- "meta:enum": {
- "reconnaissance": "Gathering information about the target.",
- "weaponization": "Creating a malicious payload.",
- "delivery": "Transmitting the payload to the target.",
- "exploitation": "Exploiting a vulnerability or weakness.",
- "installation": "Installing malicious software or establishing a foothold.",
- "command-and-control": "Establishing a command and control channel.",
- "actions-on-objectives": "Achieving the goals of the attack."
- }
+ "$ref": "#/$defs/killChainPhase",
+ "description": "The phase of the cyber kill chain at which this threat operates."
 },
 "behaviors": {
 "type": "array",
@@ -393,6 +391,14 @@
 },
 "description": "References using bom-link or bom-ref to the kinds of assets this threat affects."
 },
+ "relatedBusinessObjectives": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the business objectives this threat endangers."
+ },
 "mitigations": {
 "type": "array",
 "title": "Mitigations",
@@ -569,6 +575,14 @@
 },
 "description": "References using bom-link or bom-ref to the risks that this scenario contributes to."
 },
+ "relatedVulnerabilities": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the vulnerabilities exploited in this scenario."
+ },
 "externalReferences": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
 },
@@ -1299,6 +1313,164 @@
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
 }
 }
+ },
+ "killChainPhase": {
+ "type": "string",
+ "title": "Kill Chain Phase",
+ "description": "A phase of the cyber kill chain.",
+ "enum": [
+ "reconnaissance",
+ "weaponization",
+ "delivery",
+ "exploitation",
+ "installation",
+ "command-and-control",
+ "actions-on-objectives"
+ ],
+ "meta:enum": {
+ "reconnaissance": "Gathering information about the target.",
+ "weaponization": "Creating a malicious payload.",
+ "delivery": "Transmitting the payload to the target.",
+ "exploitation": "Exploiting a vulnerability or weakness.",
+ "installation": "Installing malicious software or establishing a foothold.",
+ "command-and-control": "Establishing a command and control channel.",
+ "actions-on-objectives": "Achieving the goals of the attack."
+ }
+ },
+ "attackPathStep": {
+ "type": "object",
+ "title": "Attack Path Step",
+ "description": "A single step in an attack path, describing one action in the progression of an attack.",
+ "required": [
+ "description"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A short name for the step."
+ },
+ "description": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Description",
+ "description": "The action the adversary performs in this step."
+ },
+ "technique": {
+ "$ref": "#/$defs/technique",
+ "description": "The technique used in this step, typically aligned with MITRE ATT&CK."
+ },
+ "attackPattern": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the attack pattern applied in this step."
+ },
+ "killChainPhase": {
+ "$ref": "#/$defs/killChainPhase",
+ "description": "The phase of the cyber kill chain at which this step operates."
+ },
+ "source": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the element or zone from which this step originates."
+ },
+ "destination": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the element or zone this step reaches."
+ },
+ "boundaryCrossed": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the trust boundary this step crosses."
+ },
+ "exploits": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits."
+ },
+ "mitigations": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the controls that detect or prevent this step."
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
+ },
+ "attackPath": {
+ "type": "object",
+ "title": "Attack Path",
+ "description": "An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.",
+ "required": [
+ "bom-ref",
+ "name",
+ "steps"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "name": {
+ "type": "string",
+ "minLength": 1,
+ "title": "Name",
+ "description": "A human-readable name for the attack path."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the attack path."
+ },
+ "objective": {
+ "type": "string",
+ "title": "Objective",
+ "description": "The attacker objective that the path works toward, such as exfiltrating data or achieving code execution."
+ },
+ "actor": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the adversary that follows this path."
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/attackPathStep"
+ },
+ "description": "The ordered steps of the path, from the initial action to the objective. The order of the array is significant."
+ },
+ "realizes": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the threats that this path realizes."
+ },
+ "relatedRisks": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ "description": "References using bom-link or bom-ref to the risks that this path contributes to."
+ },
+ "externalReferences": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
+ },
+ "properties": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+ }
+ }
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
index a04c62e02..5d04372ff 100644
--- a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json
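Review bot: `attackPathStep.killChainPhase` reuses the seven-phase kill chain enum, which has no phase for lateral movement or privilege escalation even though `attackPaths` is introduced specifically to model lateral movement; a step that pivots between zones can only be tagged `actions-on-objectives` or left untagged, so `technique` becomes the only place that stage can be expressed. Either the shared `killChainPhase` enum needs a value for that stage (a decision for the maintainers, since `threat.killChainPhase` now shares the definition) or the step-level description should say so, e.g. `"description": "The phase of the cyber kill chain at which this step operates. Lateral movement and privilege escalation have no discrete phase in this enum and are expressed through technique."`. Separately, `attackPathStep.bom-ref` and `attackPath.bom-ref` carry no description, unlike `riskAppetite.bom-ref` elsewhere in this patch; a one-line description stating that individual steps can be referenced from mitigations or findings would tell consumers why a step may carry an identifier.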
@@ -110,6 +110,15 @@ }, "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." }, + "businessObjectives": { + "type": "array", + "title": "Business Objectives", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this use case supports." + }, "notes": { "type": "array", "title": "Notes", diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json index dc668de5b..a97e3531c 100644 --- a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json +++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json @@ -52,9 +52,15 @@ "abuse-enumeration" ], "killChainPhase": "delivery", + "relatedVulnerabilities": [ + "vuln-weak-auth" + ], "affectedAssets": [ "asset-datastore" ], + "businessObjectives": [ + "obj-protect-data" + ], "mitigations": [ "req-mfa" ] @@ -194,6 +200,13 @@ ] }, "definitions": { + "businessObjectives": [ + { + "bom-ref": "obj-protect-data", + "name": "Protect customer data", + "criticality": "high" + } + ], "requirements": [ { "bom-ref": "req-mfa", From 6f90077640a77c8adbc19f58319a92232333b08c Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 19 Jun 2026 17:29:16 -0500 Subject: [PATCH 43/44] Updated test case Signed-off-by: Steve Springett --- tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json index a97e3531c..d8d14f032 100644 --- a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json +++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json 
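Review bot: The use case property is named `businessObjectives`, while the same kind of reference added to threats and risks in this patch is named `relatedBusinessObjectives`, and the inline `businessObjectives` array under `definitions` holds the objectives themselves rather than references to them. The fixture correction in the following patch, where a threat's `businessObjectives` key had to be renamed to `relatedBusinessObjectives`, shows how easily the two are confused; renaming this property to `relatedBusinessObjectives`, or documenting why use cases deliberately differ, before 2.0 is published would avoid the same mistake in consumer code. Keys are costly to change once the schema ships.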
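Review bot: The new `relatedVulnerabilities` entry references `vuln-weak-auth`, but neither this hunk nor the `definitions` hunk below declares a vulnerability with that `bom-ref`, and the threat schema's `relatedVulnerabilities` items are bom-link or bom-ref references. If the fixture does not already declare that vulnerability elsewhere, the reference dangles, and because JSON Schema validation alone cannot check referential integrity the fixture would still pass, which silently weakens what this "valid" sample demonstrates. Either add a matching vulnerability to the fixture or record in the test that reference resolution is not exercised by it.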
@@ -58,7 +58,7 @@ "affectedAssets": [ "asset-datastore" ], - "businessObjectives": [ + "relatedBusinessObjectives": [ "obj-protect-data" ], "mitigations": [ From 03a8eaa7814788807b2ebd47a9f64a0c3a5c78df Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 28 Jun 2026 23:39:00 +0000 Subject: [PATCH 44/44] chore: update bundled schemas [skip ci] --- .../2.0/cyclonedx-2.0-bundled.min.schema.json | 2 +- schema/2.0/cyclonedx-2.0-bundled.schema.json | 6953 +++++++++++------ 2 files changed, 4614 insertions(+), 2341 deletions(-) diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json index d097e3c26..f2c4baf37 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json 
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A 
[JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the 
attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm","title":"Hash Algorithm","description":"The standard, well-known algorithm used to compute the hash."},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue","title":"Hash Value","description":"The value of the hash computed using the standard, well-known algorithm."}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external 
reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","perspective","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","swid-tag","other"],"meta:enum":{"vcs":"Version Control System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. 
pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","perspective":"A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","swid-tag":"A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. 
Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). 
Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. 
This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signatures":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures","title":"Signatures","description":"Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"parties":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/parties"},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. 
The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"componentOrChoice":{"title":"Component or Component Choice","description":"An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. 
The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.","oneOf":[{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentChoice"}]},"componentChoice":{"type":"object","title":"Component Choice","description":"A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.","required":["type","operator","components"],"additionalProperties":false,"properties":{"type":{"type":"string","const":"component-choice","title":"Type","description":"Discriminator for a component-choice entry. The value shall be the literal string `component-choice`."},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.","examples":["2N2222 or PN2222A Transistor","U1 5V LDO Regulator"]},"description":{"type":"string","title":"Description","description":"A description of the choice and the rationale behind the alternates."},"operator":{"type":"string","enum":["OR","XOR","AND"],"meta:enum":{"OR":"Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.","XOR":"Exactly one of the contained components is installed in any single instance. 
Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.","AND":"All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun."},"title":"Operator","description":"The logical relationship between the contained components."},"components":{"type":"array","minItems":2,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"title":"Components","description":"Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal 
protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."},"accountInfo":{"type":"string","title":"Account Information","description":"The account or user information associated with the occurrence."},"systemOwner":{"type":"string","title":"System Owner","description":"The owner of the system where the component was found."},"startTime":{"type":"string","format":"date-time","title":"Start Time","description":"The date and time when the process detecting the occurrence started."},"endTime":{"type":"string","format":"date-time","title":"End Time","description":"The date and time when the process detecting the occurrence ended."},"usageCount":{"type":"integer","minimum":0,"title":"Usage Count","description":"The number of times the component occurred in the detecting process."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["scheme"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded Value","description":"The value of the scheme that has been concluded based on the aggregate of all methods (if 
available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}},"identifiers":{"type":"array","title":"Identifiers","description":"Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. For unverified or inferred identity data, use evidence.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identifier"},"uniqueItems":true},"identifier":{"type":"object","title":"Identifier","description":"A set of identifiers attributed to a single asserting party.","required":["party","identities"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"party":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Asserting Party","description":"Reference using bom-link or bom-ref to the party making the identity assertion."},"identities":{"type":"array","title":"Identities","description":"The discrete identity claims asserted by the party.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identity"},"minItems":1,"uniqueItems":true}}},"identity":{"type":"object","title":"Identity","description":"A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"value":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityValue"}}},"identityScheme":{"title":"Identifier Scheme","description":"The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.","oneOf":[{"type":"string","enum":["purl","cpe","swid","swhid","omniborid","epc-rfid","giai","gln","gmn","gtin-8","gtin-12","gtin-13","gtin-14","mpn","part-number","model-number","sku","serial-number","asset-tag","udi-di","udi-pi","fcc-id","imei","mac-address","tei"],"meta:enum":{"purl":"Package-URL identifier, conforming to the Package-URL specification.","cpe":"Common Platform Enumeration name, conforming to NIST Interagency Report 7695.","swid":"Software Identification tag identifier, conforming to ISO/IEC 19770-2.","swhid":"Software Heritage persistent identifier.","omniborid":"OmniBOR Artifact Identifier, also known as a gitoid.","epc-rfid":"Electronic Product Code - RFID (EPC Tag Data Standard)","giai":"Global Individual Asset Identifier (GIAI)","gln":"Global Location Number (GLN)","gmn":"Global Model Number (GMN)","gtin-8":"Global Trade Identification Number (GTIN-8 / EAN/UCC-8)","gtin-12":"Global Trade Identification Number (GTIN-12 / UPC-A)","gtin-13":"Global Trade Identification Number (GTIN-13 / EAN/UCC-13)","gtin-14":"Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)","mpn":"Manufacturer Part Number, assigned by the original manufacturer.","part-number":"Part number assigned by a distributor, integrator, or operator.","model-number":"Product model number assigned by the manufacturer.","sku":"Stock Keeping Unit, assigned by a seller or distributor.","serial-number":"Unique identifier for an individual instance of a product.","asset-tag":"Asset tag assigned by the owning or operating organization.","udi-di":"Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","udi-pi":"Unique Device Identifier, Production Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","fcc-id":"United States Federal Communications Commission equipment identifier.","imei":"International 
Mobile Equipment Identity, conforming to 3GPP TS 23.003.","mac-address":"IEEE 802 Media Access Control address.","tei":"Transparency Exchange Identifier conforming to the Transparency Exchange API specification."}},{"type":"object","title":"Custom Identifier Scheme","description":"A custom identifier scheme not represented in the predefined taxonomy.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom identifier scheme."},"description":{"type":"string","title":"Description","description":"A description of the custom identifier scheme."}}}]},"identityValue":{"type":"string","minLength":1,"title":"Identifier Value","description":"The value of an identifier."}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. Similarly, it matters whether a weak algorithm such as SHA-1 is used directly (e.g. for digital signatures, where collision attacks apply) or only as the underlying hash of HMAC-SHA1, whose security does not rely on collision resistance.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. 
Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that binds an identity to a public key and allows that public key to be validated.","protocol":"A set of rules and guidelines that govern how communicating parties behave and exchange messages (e.g. TLS, SSH).","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. 
DRBGs are used in cryptographic applications to generate unpredictable bits (e.g. keys, nonces, IVs) from a seed. The output is deterministic for a given seed, so the seed must be obtained from a true entropy source and kept secret, and the DRBG must be reseeded as required by its specification.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality when used in an appropriate mode of operation. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size output, the hash value or digest. Cryptographic hash functions are expected to be preimage-, second-preimage- and collision-resistant, and are commonly used for data integrity verification and (via a dedicated password-hashing construction) password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"array","title":"Implementation platforms","description":"The target platforms for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform.","items":{"type":"string","title":"Platform","description":"The target platform for the implementation.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","riscv32","riscv64","other","unknown"],"meta:enum":{"generic":"Platform-independent implementation.","x86_32":"Intel/AMD 32-bit x86 architecture.","x86_64":"Intel/AMD 64-bit x86-64 architecture.","armv7-a":"ARM 32-bit application profile (Cortex-A).","armv7-m":"ARM 32-bit microcontroller profile (Cortex-M).","armv8-a":"ARM 64-bit application profile (AArch64).","armv8-m":"ARM 32-bit microcontroller with TrustZone.","armv9-a":"ARM 64-bit with enhanced security features.","armv9-m":"ARM microcontroller with advanced security.","s390x":"IBM Z series mainframe 64-bit.","ppc64":"IBM PowerPC 64-bit big-endian.","ppc64le":"IBM PowerPC 64-bit little-endian.","riscv32":"RISC-V 32-bit open standard architecture.","riscv64":"RISC-V 64-bit open standard architecture.","other":"Another platform.","unknown":"The platform is not known."}}},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria Evaluation Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","cavp","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","cavp":"Cryptographic Algorithm Validation Program (validates the algorithm implementation only; it is not a module-level certification such as FIPS 140)","other":"Another 
certification","unknown":"The certification level is not known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","siv","gcm-siv","ocb","eax","kw","kwp","cts","xts","gmac","cmac","xpn","ff1","ff3-1","other","unknown"],"meta:enum":{"cbc":"Cipher Block Chaining mode.","ecb":"Electronic Codebook mode (no chaining between blocks; identical plaintext blocks produce identical ciphertext blocks, so it is not semantically secure for data longer than a single block).","ccm":"Counter with CBC-MAC (AEAD).","gcm":"Galois/Counter Mode (AEAD).","cfb":"Cipher Feedback mode.","ofb":"Output Feedback mode.","ctr":"Counter mode.","siv":"Synthetic Initialization Vector mode.","gcm-siv":"GCM with Synthetic IV (nonce-misuse resistant).","ocb":"Offset Codebook Mode (AEAD).","eax":"Encrypt-then-Authenticate-then-Translate mode.","kw":"AES Key Wrap (RFC 3394).","kwp":"AES Key Wrap with Padding (RFC 5649).","cts":"Ciphertext Stealing mode.","xts":"XEX Tweaked-codebook with Stealing (disk encryption).","gmac":"Galois Message Authentication Code","cmac":"Cipher-based Message Authentication Code","xpn":"Extended Packet Numbering mode.","ff1":"Format-preserving encryption mode 1.","ff3-1":"Format-preserving encryption mode 3, update 1.","other":"Another mode of operation.","unknown":"The mode is not known."}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","pss","x931","other","unknown"],"meta:enum":{"pkcs5":"PKCS#5 padding for password-based cryptography.","pkcs7":"PKCS#7 padding with length-indicating bytes.","pkcs1v15":"PKCS#1 v1.5 padding for RSA encryption or signatures. The encryption variant (RSAES-PKCS1-v1_5) is susceptible to padding-oracle (Bleichenbacher-style) attacks; OAEP is preferred for new encryption uses.","oaep":"Optimal Asymmetric Encryption Padding for RSA.","raw":"No padding applied.","pss":"Probabilistic Signature Scheme for RSA signatures.","x931":"ANSI X9.31 padding for RSA.","other":"Another padding scheme.","unknown":"The padding scheme is not known."}},"cryptoFunctions":{"type":"array","title":"Cryptographic 
functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction"}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6},"secProperties":{"type":"array","title":"Security Properties","description":"Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.","items":{"type":"string","title":"Security Property","examples":["IND-CPA","IND-CCA","IND-CCA2","SUF-CMA","EUF-CMA","collision-resistant","preimage-resistant","second-preimage-resistant"]}}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time 
according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate's DER encoding. Conventional certificate fingerprints (thumbprints) are computed over the entire certificate, including its signature; if a different input was hashed (for example the TBSCertificate only, excluding the signature), that should be stated so the value can be reproduced and compared."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been submitted to a public Certificate Transparency log, which allows mis-issued or rogue certificates to be detected (logging does not by itself prevent issuance). The value carries the log ID, timestamp and log signature as proof of inclusion."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The value of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint"},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"},"keyUsage":{"type":"array","title":"Key Usage","description":"Defines the permitted cryptographic usage for the asset.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction","title":"Usage","description":"A permitted cryptographic usage."}}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher 
Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a 
cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"cryptographicFunction":{"type":"string","title":"Cryptographic Function","description":"A cryptographic function or usage.","enum":["generate","paramgen","paramver","keygen","keyver","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","keyagree","wrap","unwrap","other","unknown"],"meta:enum":{"generate":"Generates random data, IVs, or nonces.","paramgen":"Generates cryptographic domain parameters.","paramver":"Verifies cryptographic domain parameters.","keygen":"Generates cryptographic keys.","keyver":"Verifies cryptographic keys.","encrypt":"Transforms plaintext into ciphertext.","decrypt":"Transforms ciphertext into plaintext.","digest":"Computes a hash value from input data.","tag":"Generates an authentication tag for data integrity.","keyderive":"Derives keys from another key or shared secret.","sign":"Creates a digital signature using a private key.","verify":"Verifies a digital signature using a public key.","encapsulate":"Encapsulates a secret using a public key (KEM).","decapsulate":"Decapsulates a secret using a private key (KEM).","keyagree":"Derives a shared secret between parties.","wrap":"Encrypts a key for secure storage or transport.","unwrap":"Decrypts a wrapped 
key to recover the original key.","other":"Another cryptographic function.","unknown":"The cryptographic function is not known."}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"fingerprint":{"type":"object","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset.","oneOf":[{"title":"Standard Hash","description":"A fingerprint computed using a standard, well-known hash algorithm.","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},{"title":"Custom Fingerprint","description":"A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.","required":["customAlg","customContent"],"additionalProperties":false,"properties":{"customAlg":{"type":"string","title":"Custom Fingerprint Algorithm","description":"The name of the custom algorithm used to compute the fingerprint."},"customContent":{"type":"string","title":"Custom Fingerprint Content","description":"The value of the fingerprint computed using the custom algorithm."}}}]},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the 
cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"type":"array","title":"References","description":"The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for 
specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency 
Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. 
A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-jss_X590_2023_10-2.0":{"type":"null","title":"CycloneDX Model for JSON Signature Scheme (JSS)","description":"JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.","$defs":{"timestamp":{"title":"Timestamp","description":"An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z","type":"string","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$","examples":["2023-10-29T13:56:08Z","2023-10-29T13:56:08.000Z","2023-11-15T08:30:00.123Z"]},"identifier":{"title":"Identifier","description":"A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.","type":"string","format":"uuid","pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$","examples":["f47ac10b-58cc-4372-a567-0e02b2c3d479"]},"hashAlgorithm":{"title":"Hash Algorithm","description":"This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. 
The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.","type":"string","pattern":"^[a-z0-9-]+$","examples":["sha-256","sha-384","sha-512","sha3-256","sha3-512"]},"algorithmVocabulary":{"title":"Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)","description":"NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.","type":"string","enum":["XMSS-SHA2_10_256","XMSS-SHA2_16_256","XMSS-SHA2_20_256","LMS_SHA256_M32_H5","LMS_SHA256_M32_H10","LMS_SHA256_M32_H15","LMS_SHA256_M32_H20","LMS_SHA256_M32_H25","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512","Ed25519","Ed448"]},"algorithm":{"title":"Signing Algorithm","description":"This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. 
The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.","type":"string","anyOf":[{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary"},{"type":"string","title":"Other algorithm identifier","description":"Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)."}],"examples":["Ed25519","ES256","XMSS-SHA2_10_256","LMS_SHA256_M32_H5","PS512"]},"publicKey":{"title":"Public Key (PEM, header-stripped)","description":"This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.","type":"string","pattern":"^[A-Za-z0-9+/]+={0,2}$","examples":["MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU="]},"publicCertChain":{"title":"Public Certificate Chain","description":"This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. 
The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].","type":"array","items":{"type":"string","description":"Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)."},"minItems":1},"certUrl":{"title":"Certificate URL","description":"This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].","type":"string","format":"uri","pattern":"^https://","examples":["https://pki.example.com/certs/signing-cert.pem"]},"thumbprint":{"title":"Certificate Thumbprint","description":"This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. 
The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].","type":"string","pattern":"^[A-Za-z0-9_-]{43}$","examples":["NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"]},"signatureObject":{"title":"Signature Object","description":"A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.","type":"object","properties":{"hash_algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm"},"algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm"},"public_key":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey"},"public_cert_chain":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain"},"cert_url":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl"},"thumbprint":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint"},"value":{"title":"Signature Value","description":"A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).","type":"string","pattern":"^[A-Za-z0-9_-]+={0,2}$"},"signature":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject","title":"Counter-Signature","description":"This property enables a signature to be countersigned, meaning a signature can be signed by another signature."},"type":{"title":"Type Indicator","description":"The value of this property MUST be jss.","type":"string","const":"jss"},"id":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier","title":"Signature Identifier","description":"A value that uniquely identifies the signature. 
All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property."},"related_to":{"title":"Related Object Reference","description":"A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"related_version":{"title":"Related Object Version","description":"A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"created":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Created Timestamp","description":"The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"modified":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Modified Timestamp","description":"The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. 
If the created and modified properties are the same, then this is the first version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"revoked":{"title":"Revoked Flag","description":"A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.","type":"boolean","default":false},"signee":{"title":"Signee","description":"An unstructured string value for the name of the entity or organization that produced this signature.","type":"string"},"valid_from":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid From","description":"The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored."},"valid_until":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid Until","description":"The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. 
If the revoked property is true then this property MUST be ignored."}},"required":["hash_algorithm","algorithm","value"],"anyOf":[{"required":["public_key"],"description":"Public key material provided as PEM-encoded public key (header/footer stripped)."},{"required":["public_cert_chain"],"description":"Public key material provided as a base64-encoded DER X.509 certificate chain."},{"required":["cert_url"],"description":"Public key material provided by reference to a TLS-accessible certificate URI."},{"required":["thumbprint"],"description":"Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint."}],"unevaluatedProperties":true},"signatures":{"title":"Signatures Array","description":"A JSON array of one or more signature objects. MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. 
All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.","type":"array","items":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject"},"minItems":1}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-party-2.0":{"type":"null","title":"CycloneDX Party Model","$defs":{"party":{"type":"object","title":"Party","description":"Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. Optional sub-objects layer inter-party relationships and standard extension data.","required":["roles"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"roles":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/role"},"title":"Roles","description":"One or more roles the party fulfils. 
Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)."},"organization":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/organization","description":"Identity attributes valid when the party is an organization, company, government body, or other collective."},"person":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/person","description":"Identity attributes valid when the party is an individual person."},"system":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/system","title":"System","description":"Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent."},"persona":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/persona","title":"Persona","description":"Identity attributes valid when the party is an abstract archetype rather than a specific named instance."},"relations":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyRelations","title":"Relations","description":"Links from this party to other parties."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"required":["organization"]},{"required":["person"]},{"required":["system"]},{"required":["persona"]}]},"parties":{"type":"array","title":"Parties","description":"Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"partyChoice":{"title":"Party Choice","description":"A party represented either as a complete object or as a reference to a previously declared party.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A refLinkType pointing to a previously declared party."}]},"role":{"title":"Role","description":"A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole"},{"title":"Custom Role","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom role.","examples":["Chief Executive Officer","Data Protection Officer","Release Manager"]},"description":{"type":"string","title":"Description","description":"A description of the custom role, including its responsibilities and scope."},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. 
Absence means unranked."}}}]},"preDefinedRole":{"title":"Pre-Defined Role","type":"object","required":["role"],"additionalProperties":false,"properties":{"role":{"type":"string","title":"Role","description":"A predefined role from the CycloneDX role taxonomy.","enum":["agent","assembler","asserter","attacker","auditor","author","broker","carrier","certificate-authority","committer","competitor","consignee","consignor","contributor","customer","custodian","customs-broker","data-controller","data-processor","data-recipient","data-subject","delegate","developer","distributor","end-user","engineer","exporter","freight-forwarder","holder","importer","insider-threat","inspector","insurer","integrator","issuer","key-escrow-agent","legal-contact","licensee","licensor","maintainer","manufacturer","operator","owner","packager","partner","principal","publisher","purchaser","quality-control","regulator","relying-party","repackager","researcher","reviewer","security-contact","signatory","steward","subject","supplier","support-contact","third-party-logistics","timestamp-authority","validation-authority","verifier","warehouse-operator"],"meta:enum":{"agent":"Software or AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.","assembler":"The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.","asserter":"The party making assertions about the subject, such as patent ownership or compliance claims.","attacker":"A hostile party targeting the subject.","auditor":"The party that conducted an audit or assessment of the subject.","author":"The party that created the subject. 
Common when the subject is created through manual processes.","broker":"The party that acts as an intermediary in commercial transactions.","carrier":"The party that physically transports goods, such as shipping lines, airlines, or trucking companies.","certificate-authority":"The party that issues, signs, and manages digital certificates within a public key infrastructure.","committer":"The party who committed or pushed changes to a version control system.","competitor":"A competing party in the same market or domain as the subject's organization.","consignee":"The party designated to receive a shipment of goods.","consignor":"The party that sends or ships goods to a consignee.","contributor":"A party that contributed to the development of the subject without being the primary author.","customer":"Customer of the organization that owns the subject.","custodian":"The party responsible for the safe custody, transport, and storage of the subject.","customs-broker":"The party that facilitates the clearance of goods through customs barriers.","data-controller":"The party that determines the purposes and means of processing personal data.","data-processor":"The party that processes personal data on behalf of a data controller.","data-recipient":"The party to which personal data is disclosed.","data-subject":"The natural person whose personal data is processed.","delegate":"A party exercising authority on behalf of another party identified via relations.delegatedBy.","developer":"Software developer or platform engineer.","distributor":"The party that distributes the subject to downstream consumers or customers.","end-user":"The end user of a system, service, or product.","engineer":"Engineer responsible for designing, implementing, or operating a system.","exporter":"The party that sends goods to another country for trade or sale.","freight-forwarder":"The party that arranges the shipment and logistics of goods on behalf of shippers.","holder":"The party that holds a 
verifiable credential, claim, or asset.","importer":"The party that brings goods into a country from abroad for trade or sale.","insider-threat":"A hostile or negligent party with legitimate access.","inspector":"The party that inspects goods for quality, safety, or regulatory compliance.","insurer":"The party that provides insurance coverage.","integrator":"The party that integrates the subject into a larger system or product.","issuer":"The party that issues a credential, claim, identifier, or asset.","key-escrow-agent":"The party that holds copies of cryptographic keys in escrow.","legal-contact":"The designated party to contact for legal matters.","licensee":"The party to which a license for the subject has been granted.","licensor":"The party that grants a license for the subject.","maintainer":"The party responsible for ongoing maintenance, including updates, patches, and security fixes.","manufacturer":"The party that manufactured or produced the subject. Common when the subject is produced through automated processes.","operator":"The party responsible for operating or running the subject in a production environment.","owner":"The party that holds ownership rights over the subject.","packager":"The party that packages goods for storage, shipment, or retail sale.","partner":"Business partner with a defined relationship.","principal":"The party on whose behalf another party acts, paired with delegate.","publisher":"The party that published the subject, making it available for consumption.","purchaser":"The party that purchased the subject or a license for its use.","quality-control":"The party responsible for quality control activities, including inspection, testing, and verification.","regulator":"Government or industry regulator with administrative authority over the subject.","relying-party":"The party that relies on credentials, claims, or attestations issued by another party.","repackager":"The party that repackages the subject, potentially combining it 
with other components.","researcher":"Security researcher, bug bounty hunter, or academic conducting authorized study.","reviewer":"The party that reviewed the subject or its associated evidence.","security-contact":"The designated party to contact in the event of a security incident.","signatory":"The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.","steward":"The party responsible for the content, context, and associated business rules of the subject.","subject":"The party to whom an issued credential, claim, or identifier is bound.","supplier":"The party that supplied the subject. The supplier may often be the manufacturer, but may also be a distributor or repackager.","support-contact":"The designated party to contact for technical support.","third-party-logistics":"The party that provides outsourced logistics services.","timestamp-authority":"The party that issues trusted timestamps.","validation-authority":"The party that provides certificate validation services.","verifier":"The party that verifies credentials, claims, or attestations.","warehouse-operator":"The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre."}},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.","examples":[1,2,3]}}},"organization":{"type":"object","title":"Organization Identity","description":"Identity attributes for a party that is an organization, company, government body, or other collective.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The common display or trading name of the organization. 
Use when the registered legal name is unknown or when the everyday name differs from the legal one.","examples":["Acme","Globex"]},"legalName":{"type":"string","title":"Legal Name","description":"The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.","examples":["Acme Microcontrollers S.r.l.","Acme Holdings, Inc."]},"description":{"type":"string","title":"Description","description":"A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level."},"logo":{"type":"string","format":"iri-reference","title":"Logo","description":"URL to an image representing the organization. Useful for catalog, datasheet, and user interface views."},"foundingDate":{"type":"string","format":"date","title":"Founding Date","description":"The date the organization was founded. Supports supplier due diligence and age-of-organization signals."},"dissolutionDate":{"type":"string","format":"date","title":"Dissolution Date","description":"The date the organization was dissolved or wound down. When present, the organization is no longer active."},"jurisdiction":{"type":"string","title":"Jurisdiction","description":"Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.","examples":["US-DE","IT-BO","CHE"]},"identifiers":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Identifiers issued to or associated with the organization. May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities."},"formerNames":{"type":"array","items":{"type":"string"},"title":"Former Names","description":"Prior names of the organization. Use when the entity has been renamed, merged, or acquired. 
Distinct from `aliases`, which captures concurrent alternate designations.","examples":[["Atmel Corporation"]]},"aliases":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Aliases","description":"Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.","examples":[["Fancy Bear","STRONTIUM","Sofacy","Sednit","Pawn Storm"]]},"url":{"type":"array","title":"URLs","description":"URLs associated with the organization. Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.","examples":["homepage","support","press","status","repository"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress"},"title":"Addresses","description":"Physical addresses associated with the organization."}}},"person":{"type":"object","title":"Person Identity","description":"Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.","additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The person's full name as they wish to be known. A single freeform string. 
No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.","examples":["Ada Lovelace","Suharto","Maria del Carmen García López","Nguyá»…n Văn An"]},"sortName":{"type":"string","title":"Sort Name","description":"Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.","examples":["Lovelace, Ada","García López, Maria del Carmen"]},"honorificPrefix":{"type":"string","title":"Honorific Prefix","description":"Honorific or title preceding the name, used in forms of address. Distinct from the name itself.","examples":["Dr.","Prof."]},"honorificSuffix":{"type":"string","title":"Honorific Suffix","description":"Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.","examples":["PhD","Esq."]},"jobTitle":{"type":"string","title":"Job Title","description":"The person's job title. Useful for credit lines and attribution.","examples":["Chief Information Security Officer","Data Protection Officer","Senior Software Engineer"]},"description":{"type":"string","title":"Description","description":"A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level."},"email":{"type":"array","title":"Email","description":"Email addresses associated with the person. 
Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.","items":{"type":"object","required":["address"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the email, such as `work`, `personal`, `support`, or `security`.","examples":["work","personal","support","security"]},"address":{"type":"string","format":"idn-email","title":"Address"}}}},"phone":{"type":"array","title":"Phone","description":"Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. Numbers should be expressed in E.164 form where possible.","items":{"type":"object","required":["number"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.","examples":["office","mobile","fax","pager"]},"number":{"type":"string","title":"Number","examples":["+1-555-0100","+44 20 7946 0958"]}}}},"url":{"type":"array","title":"URLs","description":"URLs associated with the person. 
Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.","examples":["homepage","github","linkedin","orcid"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"address":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress","title":"Address"},"affiliation":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Affiliation","description":"Reference using bom-link or bom-ref to an organization party with which the person is affiliated."}}},"system":{"type":"object","title":"System Identity","description":"Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.","additionalProperties":false,"properties":{"kind":{"title":"Kind","description":"The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Kind","type":"string","enum":["software-system","hardware-system","service-account","machine-identity","automation","agent","bot","oracle","smart-contract","device","robot"],"meta:enum":{"software-system":"Application, service, or platform that performs actions as itself.","hardware-system":"Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.","service-account":"Non-human identity used by automation to authenticate.","machine-identity":"Cryptographic identity such as a certificate principal or workload identity.","automation":"Pipeline, job, or scheduled task that performs actions deterministically.","agent":"Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.","bot":"Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.","oracle":"External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.","smart-contract":"On-chain program that executes deterministically.","device":"Physical end user device such as a phone or IoT device acting as a party in its own right.","robot":"Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`."}},{"title":"Custom Kind","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom kind."},"description":{"type":"string","title":"Description","description":"A description of the custom kind."}}}]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference to any bom-ref'd object that represents this system. The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). 
Use to associate the party with its concrete representation declared elsewhere."},"identifiers":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial."},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities or duties the system possesses."}}},"persona":{"type":"object","title":"Persona Identity","description":"Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. When the specific instance is known (for example a tracked APT group), use `organization` instead.","additionalProperties":false,"properties":{"description":{"type":"string","title":"Description","description":"Free-text description of the persona instance. Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.","examples":["Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review."]},"archetype":{"title":"Archetype","description":"The persona archetype. 
May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Archetype","type":"string","enum":["end-user","power-user","administrator","developer","operator","internal","external","anonymous","guest","customer","partner","supplier","vendor","contractor","third-party","auditor","researcher","regulator","law-enforcement","attacker","insider-threat","hacktivist","nation-state","organized-crime","competitor","public"],"meta:enum":{"end-user":"Typical end user of the system.","power-user":"Advanced user with higher than average privileges.","administrator":"Administrative or privileged user.","developer":"Application developer or platform engineer.","operator":"Operational staff running the system.","internal":"Generic internal party.","external":"Generic external party without an account or operational relationship.","anonymous":"Unauthenticated visitor interacting with the system.","guest":"Semi-authenticated user with restricted privileges.","customer":"Customer of the organization that owns the subject.","partner":"Business partner with a defined relationship.","supplier":"Generic supplier providing goods or services on a transactional basis.","vendor":"Vendor delivering and operating goods or services with operational access to the subject.","contractor":"Third party with operational access under contract.","third-party":"Generic third party that does not fit partner, supplier, vendor, or contractor.","auditor":"External auditor or assessor.","researcher":"Security researcher, bug bounty hunter, or academic. 
Authorized probing party.","regulator":"Government or industry regulator with administrative authority over the subject.","law-enforcement":"Law enforcement entity with investigative authority.","attacker":"Generic hostile external party.","insider-threat":"Hostile or negligent party with legitimate access.","hacktivist":"Hostile party motivated by ideology or activism.","nation-state":"Hostile party sponsored or directed by a national government.","organized-crime":"Hostile party operating as part of an organized criminal enterprise.","competitor":"Generic competitor.","public":"General public not in direct interaction with the subject."}},{"title":"Custom Archetype","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"}}}]},"scope":{"type":"string","title":"Scope","enum":["internal","external","mixed"],"meta:enum":{"internal":"Persona is internal to the organization that owns the subject.","external":"Persona is external to the organization that owns the subject.","mixed":"Persona may appear in either internal or external contexts."}},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities the persona is assumed to hold."},"assumedPosture":{"type":"string","title":"Assumed Security Posture","description":"Assumed security posture of the persona in this context.","examples":["authenticated","unauthenticated","authorized","privileged"]}}},"partyRelations":{"type":"object","title":"Party Relations","description":"Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.","additionalProperties":false,"properties":{"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent","description":"Reference to a parent party. 
Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships."},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Delegated By","description":"Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role."}}},"identifier":{"type":"object","title":"Identifier","description":"An identifier issued by a recognized authority. Includes legal and registration identifiers as well as machine and workload identities.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"title":"Scheme","description":"The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.","oneOf":[{"title":"Pre-Defined Scheme","type":"string","enum":["lei","duns","ncage","cage","eori","vat","gst","ein","tin","ruc","bvd","swift-bic","sec-cik","isin","figi","opencorporates","gln","gtin","iso6523","ofac-sdn","un-lm","oidc-sub","spiffe","did","vc-id"],"meta:enum":{"lei":"Legal Entity Identifier per ISO 17442.","duns":"Dun and Bradstreet D-U-N-S Number.","ncage":"NATO Commercial and Government Entity code.","cage":"United States Commercial and Government Entity code.","eori":"Economic Operator Registration and Identification number used in European Union customs.","vat":"Value Added Tax registration number.","gst":"Goods and Services Tax registration number.","ein":"United States Employer Identification Number.","tin":"Generic Taxpayer Identification Number.","ruc":"Registro Unico de Contribuyentes used in several Latin American countries.","bvd":"Bureau van Dijk identifier.","swift-bic":"Business Identifier Code per ISO 9362.","sec-cik":"United States Securities and Exchange Commission 
Central Index Key.","isin":"International Securities Identification Number per ISO 6166.","figi":"Financial Instrument Global Identifier.","opencorporates":"OpenCorporates company identifier.","gln":"GS1 Global Location Number.","gtin":"GS1 Global Trade Item Number when the party is also a registered trade entity.","iso6523":"ISO 6523 organization identifier. The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.","ofac-sdn":"United States Office of Foreign Assets Control Specially Designated Nationals list identifier.","un-lm":"United Nations Locode for a specific facility or jurisdiction.","oidc-sub":"OpenID Connect subject identifier for a machine or service identity.","spiffe":"SPIFFE ID for a workload identity.","did":"W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.","vc-id":"W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/."}},{"title":"Custom Scheme","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"},"url":{"type":"string","format":"iri-reference","title":"URL","description":"URL of the scheme registry or specification."}}}]},"schemeVersion":{"type":"string","title":"Scheme Version","description":"The version of the scheme that issued this identifier, if applicable."},"value":{"type":"string","title":"Value","description":"The value of the identifier."},"issuedDate":{"type":"string","format":"date","title":"Issued Date"},"expirationDate":{"type":"string","format":"date","title":"Expiration Date"},"issuer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Issuer","description":"Reference using bom-link or bom-ref to the party that issued the 
identifier."}}},"postalAddress":{"type":"object","title":"Postal Address","description":"An address used to identify a contactable or operational location.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference Identifier","description":"An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers."},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative."},"region":{"type":"string","title":"Region","description":"The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.","examples":["Texas"]},"isoCode":{"type":"string","pattern":"^[A-Z]{2}(-[A-Z0-9]{1,3})?$","title":"ISO Code","description":"An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. When present, this property is authoritative over the free-text country and region properties.","examples":["IT-BO","US-CA","DE-BY"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. 
Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.","examples":["100 Main Street","Acme Tower\nSuite 1200\n100 Main Street"]},"coordinates":{"type":"object","title":"Geographic Coordinates","description":"Geographic coordinates of the address.","additionalProperties":false,"required":["latitude","longitude"],"properties":{"latitude":{"type":"number","minimum":-90,"maximum":90,"title":"Latitude","description":"Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"longitude":{"type":"number","minimum":-180,"maximum":180,"title":"Longitude","description":"Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"altitude":{"type":"number","title":"Altitude","description":"Altitude in meters above the reference ellipsoid identified by the datum property."},"datum":{"type":"string","title":"Datum","description":"The geodetic datum used for the coordinates. WGS84 is assumed when omitted.","default":"WGS84","examples":["WGS84","NAD83","ETRS89"]}}}}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-perspective-2.0":{"type":"null","title":"CycloneDX Perspective Model","$defs":{"perspectives":{"type":"array","title":"Perspectives","description":"Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. Each perspective identifies relevant data types and may provide domain-specific terminology mappings.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspective"}},"perspective":{"type":"object","title":"Perspective","description":"A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. 
Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.","additionalProperties":false,"required":["name","mappings"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Perspective Name","description":"The name of the perspective, typically indicating the target audience or domain.","examples":["AI/ML Transparency","Device Manufacturing Regulatory Compliance","Minimum Elements of an SBOM"]},"description":{"type":"string","title":"Description","description":"A description of the perspective, its intended audience, and the use cases it supports."},"domains":{"type":"array","title":"Domains","description":"The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice"}},"mappings":{"type":"array","title":"Data Type Mappings","description":"An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. Each mapping may include domain-specific terminology.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"perspectiveMapping":{"type":"object","title":"Perspective Mapping","description":"Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. 
Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"Path Expression","description":"A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.","examples":["$.components[*].pedigree","$.components[?(@.type=='machine-learning-model')].modelCard","$.components[?(@.type=='cryptographic-asset')]","$.vulnerabilities"]},"nativeName":{"type":"string","title":"Native Name","description":"The domain-specific term used by the target audience to describe the data identified by the expression.","examples":["Foundation Models","Training Corpus","Cryptographic Inventory","Component Provenance"]},"nativeDescription":{"type":"string","title":"Native Description","description":"A domain-specific description of the data type, explaining its significance within the context of the perspective."},"relevance":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance"},"weight":{"type":"number","title":"Weight","description":"Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. 
This allows for relative ranking of mappings, where higher values indicate greater importance.","minimum":0,"maximum":1},"rationale":{"type":"string","title":"Rationale","description":"Explains why this data type is relevant to the perspective and how it should be interpreted or used."}}},"perspectiveRelevance":{"type":"string","title":"Perspective Relevance","description":"Indicates the importance of a data type to a perspective.","enum":["required","recommended","optional","informative"],"meta:enum":{"required":"This data type is essential for the perspective and should always be present.","recommended":"This data type is highly relevant and should be included when available.","optional":"This data type provides supplementary information that may be useful.","informative":"This data type provides background context but is not directly actionable."}},"perspectiveDomainChoice":{"title":"Perspective Domain Choice","description":"Allows selection of a pre-defined domain or specification of a custom domain.","oneOf":[{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain"},{"type":"object","title":"Custom Domain","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Domain Name","description":"The name of the custom domain."},"description":{"type":"string","title":"Domain Description","description":"A description of the custom domain, its scope, and the concerns it addresses."}}}]},"preDefinedPerspectiveDomain":{"type":"string","title":"Pre-Defined Perspective Domain","description":"A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.","enum":["application-security","cloud-security","container-security","cryptographic-security","cyber-security","data-security","endpoint-security","firmware-security","hardware-security","identity-access-management","network-security","operational-security","physical-security","supply-chain-security","web-security","automotive-safety","aviation-safety","environmental-safety","functional-safety","machinery-safety","maritime-safety","nuclear-safety","patient-safety","process-safety","railway-safety","aerospace-defense","automotive","building-automation","consumer-electronics","critical-infrastructure","education","energy-utilities","financial-services","government","healthcare","insurance","legal","manufacturing","media-entertainment","pharmaceuticals","retail","telecommunications","transportation","artificial-intelligence","edge-computing","embedded-systems","industrial-control-systems","industrial-iot","internet-of-things","machine-learning","medical-devices","mobile","operational-technology","robotics","scada","smart-grid","data-protection","export-control","intellectual-property","legal-compliance","licensing","privacy","regulatory-compliance","maintainability","performance","quality-assurance","reliability","testability","incident-response","penetration-testing","red-team","risk-management","threat-intelligence","threat-modeling","vulnerability-management","accessibility","ethics","human-factors","interoperability","resilience","sustainability","transparency"],"meta:enum":{"application-security":"Security concerns related to software applications, including vulnerabilities, secure coding practices, input validation, and dependency management.","cloud-security":"Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility 
models.","container-security":"Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.","cryptographic-security":"Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.","cyber-security":"Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.","data-security":"Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.","endpoint-security":"Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.","firmware-security":"Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.","hardware-security":"Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.","identity-access-management":"Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.","network-security":"Security concerns related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.","operational-security":"Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.","physical-security":"Security concerns related to physical access controls, environmental protections, surveillance, and tamper evidence.","supply-chain-security":"Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.","web-security":"Security concerns specific to 
web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.","automotive-safety":"Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.","aviation-safety":"Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.","environmental-safety":"Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.","functional-safety":"Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.","machinery-safety":"Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.","maritime-safety":"Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.","nuclear-safety":"Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.","patient-safety":"Safety concerns for medical devices and healthcare systems focusing on preventing harm to patients, including adverse event prevention and clinical risk management.","process-safety":"Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.","railway-safety":"Safety concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.","aerospace-defense":"Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.","automotive":"Industry-specific concerns for 
automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.","building-automation":"Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.","consumer-electronics":"Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.","critical-infrastructure":"Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.","education":"Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.","energy-utilities":"Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.","financial-services":"Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.","government":"Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.","healthcare":"Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and healthcare interoperability.","insurance":"Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.","legal":"Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.","manufacturing":"Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.","media-entertainment":"Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.","pharmaceuticals":"Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and 
drug safety systems.","retail":"Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.","telecommunications":"Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.","transportation":"Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.","artificial-intelligence":"Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.","edge-computing":"Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.","embedded-systems":"Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.","industrial-control-systems":"Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.","industrial-iot":"Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.","internet-of-things":"Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.","machine-learning":"Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.","medical-devices":"Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.","mobile":"Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.","operational-technology":"Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system 
integration.","robotics":"Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.","scada":"Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.","smart-grid":"Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.","data-protection":"Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.","export-control":"Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.","intellectual-property":"Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.","legal-compliance":"Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.","licensing":"Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.","privacy":"Concerns related to personal data protection, privacy by design, consent management, and individual rights.","regulatory-compliance":"Concerns related to compliance with industry-specific regulations, standards, and certification requirements.","maintainability":"Concerns related to the ease of maintaining, updating, and supporting software and systems over their lifecycle.","performance":"Concerns related to system performance, scalability, response times, and resource utilisation.","quality-assurance":"Concerns related to testing, validation, verification, and overall quality metrics and processes.","reliability":"Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.","testability":"Concerns related to the ability to test components and systems, including test coverage, test 
automation, and test data management.","incident-response":"Concerns related to detecting, responding to, and recovering from security incidents and breaches.","penetration-testing":"Concerns related to authorised security testing, vulnerability assessment, and security validation activities.","red-team":"Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.","risk-management":"Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.","threat-intelligence":"Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.","threat-modeling":"Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.","vulnerability-management":"Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.","accessibility":"Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.","ethics":"Concerns related to ethical considerations in technology development, including algorithmic fairness and responsible innovation.","human-factors":"Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.","interoperability":"Concerns related to the ability of systems to exchange and use information effectively across boundaries.","resilience":"Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.","sustainability":"Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.","transparency":"Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition."}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release 
notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. 
Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link 
Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. 
This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). 
CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. 
Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings. Consumers should consider ratings in prioritization decisions; source ratings may differ and aid prioritization.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"threats":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threats"},"risks":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risks"},"controls":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/controls"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"profiles":{"$ref":"#/$defs/cyclonedx-profile-2.0/$defs/profiles"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","$defs":{"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"graphs":{"type":"array","title":"Graphs","description":"Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the 
two.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorGraph"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References using bom-link or bom-ref to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targets":{"type":"array","title":"Targets","description":"References using bom-link or bom-ref to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not 
known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution semantics for the nodes of a graph when transitions do not fully specify the order.","enum":["sequential","unordered","parallel"],"meta:enum":{"sequential":"Nodes execute in ordinal order. Each completes before the next begins.","unordered":"All nodes execute, but the order is not guaranteed.","parallel":"Nodes may execute concurrently."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviorGraph":{"type":"object","title":"Behavior Graph","description":"A graph of nodes joined by transitions that models behaviour over time. 
A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.","additionalProperties":false,"required":["bom-ref","nodes"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the graph."},"description":{"type":"string","title":"Description","description":"A description of the graph and the behaviour it models."},"kind":{"type":"string","title":"Kind","description":"An optional hint at the intent of the graph.","enum":["activity","state-machine","mixed"],"meta:enum":{"activity":"The graph models a process or activity flow whose nodes are activities.","state-machine":"The graph models a state machine whose nodes are states.","mixed":"The graph mixes activity and state nodes."}},"subject":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Subject","description":"Reference using bom-link or bom-ref to the object whose behaviour this graph describes."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"nodes":{"type":"array","title":"Nodes","description":"The nodes of the graph.","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorNode"}},"transitions":{"type":"array","title":"Transitions","description":"The transitions between nodes. 
Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/transition"}}},"allOf":[{"if":{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},"then":{"properties":{"nodes":{"items":{"required":["ordinal"]}}}}}]},"behaviorNode":{"type":"object","title":"Behavior Node","description":"A single node in a behavior graph. The kind determines what the node represents and which additional properties apply.","additionalProperties":false,"required":["bom-ref","kind"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"kind":{"type":"string","title":"Kind","description":"The kind of node.","enum":["activity","state","event","gateway","initial","final"],"meta:enum":{"activity":"An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.","state":"A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.","event":"An intermediate event that occurs during the graph.","gateway":"A branch or merge point whose outgoing transitions carry the guards.","initial":"The starting point of the graph or of a composite node.","final":"A completion point of the graph or of a composite node."}},"name":{"type":"string","title":"Name","description":"The name of the node."},"description":{"type":"string","title":"Description","description":"A description of the node."},"ordinal":{"type":"integer","title":"Ordinal","minimum":1,"description":"Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order."},"behavior":{"$ref":"../behavior-taxonomy.schema.json","title":"Behavior","description":"For an activity node, the behavior performed, drawn from the taxonomy. 
Mutually exclusive with 'ref' and 'graph'."},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'."},"graph":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Graph Reference","description":"A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region."},"actors":{"type":"array","title":"Actors","description":"References using bom-link or bom-ref to objects that perform this node.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targets":{"type":"array","title":"Targets","description":"References using bom-link or bom-ref to objects affected by this node.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"eventType":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger","title":"Event Type","description":"For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven."},"gatewayKind":{"type":"string","title":"Gateway Kind","description":"For a gateway node, the branching semantics applied across its outgoing transitions.","enum":["exclusive","inclusive","parallel","complex"],"meta:enum":{"exclusive":"Exactly one outgoing transition is taken, the first whose guard holds.","inclusive":"Every outgoing transition whose guard holds is taken.","parallel":"All outgoing transitions are taken concurrently, forking and later joining execution.","complex":"Branch selection follows a complex condition described in the transition guards."}},"onEntry":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"On Entry","description":"For a state node, a reference to a behavior instance performed when the state is 
entered."},"onExit":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"On Exit","description":"For a state node, a reference to a behavior instance performed when the state is exited."},"doActivity":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Do Activity","description":"For a state node, a reference to a behavior instance performed while the subject remains in the state."}},"allOf":[{"if":{"properties":{"kind":{"const":"activity"}},"required":["kind"]},"then":{"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["graph"]}]}}]},"transition":{"type":"object","title":"Transition","description":"A directed edge from one node to another. In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.","additionalProperties":false,"required":["source","target"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the transition."},"description":{"type":"string","title":"Description","description":"A description of the transition."},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Source","description":"Reference to the source node."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Target","description":"Reference to the target node."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"guard":{"type":"string","title":"Guard","description":"A guard condition; the transition fires only when it evaluates to true."},"default":{"type":"boolean","title":"Default","description":"Whether this transition is taken when no other guard from the same source node holds."},"effect":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Effect","description":"Reference to a behavior instance performed when the transition fires."}}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint 
Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints, each supporting a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling."},"blueprint":{"type":"object","title":"Blueprint","description":"A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.","required":["name","modelTypes"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the blueprint, used to identify this model within the BOM and distinguish it from other blueprints.","minLength":1},"description":{"type":"string","title":"Description","description":"A detailed explanation of the blueprint, including its scope, the system or subsystem it represents, and any relevant context about the modelling objectives or intended audience."},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/metadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented.","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model."},"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description 
of data stores used in the model."},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and sensitivity."},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics."},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones."},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets."},"relationships":{"type":"array","title":"Relationships","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationship"},"description":"Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets."},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process."},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model."},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Use Case Reference","description":"A reference to a use case object defined in 
definitions."},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case."},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case."},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."}}},"description":"Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"title":"Model Type","description":"The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.","oneOf":[{"type":"string","title":"Predefined Model Type","description":"A predefined model type from the enumeration.","enum":["architecture","behavioral","conceptual","data-flow","deployment","logical","network","operational","physical","process"],"meta:enum":{"architecture":"An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. Broader than a single view, it frames the overall design.","behavioral":"A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.","conceptual":"A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. The first level of the conceptual, logical, and physical progression.","data-flow":"A data flow model showing how data moves between processes, data stores, and external entities. This is the substrate most commonly used for STRIDE per-element threat analysis.","deployment":"A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.","logical":"A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. 
The middle level of the conceptual, logical, and physical progression.","network":"A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.","operational":"An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.","physical":"A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.","process":"A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out."}},{"type":"object","title":"Custom Model Type","description":"A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom model type."},"description":{"type":"string","title":"Description","description":"A description of the custom model type."}}}]},"metadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated."},"authors":{"type":"array","title":"Authors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. 
The party's `roles` should include `author`."},"reviewer":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party that reviewed the blueprint. The party's `roles` should include `reviewer`."},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the blueprint was reviewed."},"approver":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority."},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the blueprint was approved."},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid."},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires."},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)."}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the 
scope."},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model."},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model."},"includedComponents":{"type":"array","title":"Included Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to components explicitly included."},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to components explicitly excluded."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset."},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the component this asset represents."},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the service this asset represents."},"partyRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor."},"type":{"title":"Asset Type","description":"The kind of asset. 
Use the custom option for kinds not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","data-store","device","endpoint","function","gateway","infrastructure","interface","model","module","network","process","queue","resource","service","stream","subsystem","system","tool"],"meta:enum":{"actor":"An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.","agent":"Autonomous AI or software agent.","api":"API endpoint or interface.","broker":"Message broker or event bus infrastructure.","cache":"Caching layer or in-memory data store.","component":"Software component or application.","container":"Container or orchestration unit.","data":"Dataset.","data-store":"Database, file system, or data repository.","device":"Physical or IoT device.","endpoint":"Service endpoint or URL.","function":"Serverless function or lambda.","gateway":"API gateway, load balancer, or proxy.","infrastructure":"Infrastructure component.","interface":"System interface or contract.","model":"AI or machine learning model.","module":"Software module or package.","network":"Network segment or resource.","process":"Business or system process.","queue":"Message queue or task queue.","resource":"Generic resource or artifact.","service":"Service or microservice.","stream":"Data stream or event stream.","subsystem":"Part of a larger system.","system":"Complete system or application.","tool":"A tool or capability invoked by an agent, such as a function, API, or service exposed to an AI agent."}},{"type":"object","title":"Custom Asset Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom asset 
type."},"description":{"type":"string","title":"Description","description":"A description of the custom asset type."}}}]},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset."},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the zone containing this asset."},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset."},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset."},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models 
supported/required."},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Party Reference Asset","description":"An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.","required":["bom-ref","partyRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store."},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store."},"type":{"title":"Type","description":"The type of data store. 
Use the custom option for technologies not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Data Store Type","enum":["block","blockchain","cache","column-family","data-lake","data-warehouse","document","event-log","file","graph","hierarchical","in-memory","key-value","ledger","message-queue","multi-model","object","registry","relational","search","spatial","time-series","vector"],"meta:enum":{"block":"Block storage exposing raw volumes.","blockchain":"Distributed ledger or blockchain storage.","cache":"Caching tier.","column-family":"Wide-column or column-family store.","data-lake":"Data lake or lakehouse for raw and semi-structured data.","data-warehouse":"Analytical data warehouse optimised for OLAP workloads.","document":"Document database.","event-log":"Event log or append-only streaming store.","file":"File system or network-attached storage.","graph":"Graph database.","hierarchical":"Hierarchical or tree-structured database, such as a directory store.","in-memory":"In-memory data store used as a primary store.","key-value":"Key-value store.","ledger":"Immutable, append-only ledger database.","message-queue":"Message queue or broker with persistent storage.","multi-model":"A store supporting multiple data models.","object":"Object storage.","registry":"Configuration or service registry.","relational":"Relational database.","search":"Search index or full-text search engine.","spatial":"Spatial or geospatial database.","time-series":"Time-series database.","vector":"Vector database for embeddings and similarity search."}},{"type":"object","title":"Custom Data Store Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom data store type."},"description":{"type":"string","title":"Description","description":"A description of the custom data store type."}}}]},"vendor":{"type":"string","title":"Vendor","description":"The vendor or 
publisher of the data store product."},"product":{"type":"string","title":"Product","description":"The name of the data store product."},"version":{"type":"string","title":"Version","description":"The version of the data store product."},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the zone where the asset resides."},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location."},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services."},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to data sets stored here."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset."},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists."},"dataProfiles":{"type":"array","title":"Data Profiles","description":"Data profiles that govern the dataset. 
Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice"}},"dataObjects":{"type":"array","title":"Data Objects","description":"The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataObject"}},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records."},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required."},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the store holding this dataset."},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this location."},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement."},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a 
replica."}}},"description":"Where the dataset resides."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface."},"type":{"title":"Type","description":"The type of interface. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Interface Type","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"]},{"type":"object","title":"Custom Interface Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom interface type."},"description":{"type":"string","title":"Description","description":"A description of the custom interface type."}}}]},"description":{"type":"string","description":"Description of the interface."},"specification":{"type":"string","description":"Link or reference to interface specification."},"protocol":{"type":"string","description":"Communication protocol used."},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)."},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed."}}},"zone":{"type":"object","title":"Zone","description":"A grouping of assets that share a common characteristic, security posture, or administrative control, so they can be reasoned about as a unit. 
A zone may be logical, physical, network, trust, or another kind, may nest within a parent zone, and is connected to or separated from other zones by boundaries.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone."},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics."},"type":{"title":"Type","description":"The type of zone. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Zone Type","enum":["availability","compliance","data","deployment","functional","geographic","logical","network","organizational","physical","process","tenant","trust"],"meta:enum":{"availability":"An availability or fault-isolation zone, such as a cloud availability zone, used to bound the blast radius of failures and reason about redundancy and resilience.","compliance":"A compliance scope zone whose assets fall under a specific regulatory regime, such as PCI DSS, HIPAA, or FedRAMP, delineating what is in scope and the controls applied.","data":"A data classification zone grouping assets by the sensitivity of the data they hold or process, such as public, internal, confidential, or restricted.","deployment":"A deployment environment grouping assets by lifecycle stage, such as development, staging, or production.","functional":"A functional grouping of assets that serve a common purpose or capability, independent of where or how they are deployed.","geographic":"A geographic or data-residency zone bounding assets to a region, country, or jurisdiction, used to reason about sovereignty and cross-border data flows.","logical":"A logical grouping of assets defined by architecture or design rather than physical placement.","network":"A network segmentation zone, such as a subnet, VLAN, or security group, 
within which assets share network-level reachability and controls.","organizational":"An organizational or administrative zone grouping assets under a common owner, team, or authority.","physical":"A physical zone bounding assets to a tangible location, such as a data centre, building, or device enclosure.","process":"A process or execution isolation zone, such as a sandbox, container runtime, or trusted execution environment, within which code runs with a defined level of isolation.","tenant":"A tenancy isolation zone separating the assets and data of one tenant from another in a multi-tenant system.","trust":"A security trust zone whose assets share a common level of trust, so that movement between trust zones is where authentication, authorization, and validation are enforced."}},{"type":"object","title":"Custom Zone Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom zone type."},"description":{"type":"string","title":"Description","description":"A description of the custom zone type."}}}]},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the parent zone if this is a sub-zone."},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone."},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. 
The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary."},"type":{"title":"Type","description":"The type of boundary. Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Boundary Type","enum":["data","functional","network","organizational","physical","process","trust"],"meta:enum":{"data":"A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.","functional":"A functional boundary between areas of differing responsibility or capability.","network":"A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.","organizational":"An organizational or administrative boundary between assets under different ownership or authority.","physical":"A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.","process":"A process or execution boundary between isolation contexts, such as between a sandbox and its host.","trust":"A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input validation are enforced and a key trigger for threat analysis."}},{"type":"object","title":"Custom Boundary Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom boundary type."},"description":{"type":"string","title":"Description","description":"A description of the custom boundary 
type."}}}]},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the zones this boundary connects or separates."},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"sessionManagement":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/sessionManagement"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary."},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary."},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary."},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged."},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored."},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting 
policy."},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing."}}},"sessionManagement":{"type":"object","title":"Session Management","description":"The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.","additionalProperties":false,"properties":{"accessTokenExpires":{"type":"boolean","title":"Access Token Expires","description":"Whether access tokens issued for this boundary expire."},"accessTokenTtl":{"type":"integer","title":"Access Token Time To Live","minimum":0,"description":"Validity period of an access token, in seconds."},"refreshToken":{"type":"boolean","title":"Refresh Token","description":"Whether refresh tokens are issued for this boundary."},"refreshTokenExpires":{"type":"boolean","title":"Refresh Token Expires","description":"Whether refresh tokens expire."},"refreshTokenTtl":{"type":"integer","title":"Refresh Token Time To Live","minimum":0,"description":"Validity period of a refresh token, in seconds."},"idleTimeout":{"type":"integer","title":"Idle Timeout","minimum":0,"description":"Period of inactivity after which the session ends, in seconds."},"absoluteTimeout":{"type":"integer","title":"Absolute Timeout","minimum":0,"description":"Period after session creation after which the session ends regardless of activity, in seconds."},"userLogout":{"type":"boolean","title":"User Logout","description":"Whether a user can explicitly end the session."},"systemLogout":{"type":"boolean","title":"System Logout","description":"Whether the system can end the session without user action."}}},"relationship":{"type":"object","title":"Relationship","description":"A typed structural relationship from one element to one or more others, complementing the 
runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.","additionalProperties":false,"required":["ref"],"oneOf":[{"required":["aggregates"]},{"required":["associates"]},{"required":["composes"]},{"required":["contains"]},{"required":["dependsOn"]},{"required":["generalizes"]},{"required":["realizes"]},{"required":["serves"]},{"required":["custom"]}],"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to the subject element of the relationship."},"aggregates":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Aggregates","description":"The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole."},"associates":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Associates","description":"The subject has a general association with each target."},"composes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Composes","description":"The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole."},"contains":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Contains","description":"The subject contains or nests each target."},"dependsOn":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Depends On","description":"The subject depends on each target."},"generalizes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Generalizes","description":"The subject is a generalisation of each target, as in inheritance."},"realizes":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Realizes","description":"The subject realises or implements each 
target."},"serves":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Serves","description":"The subject provides a service to each target."},"custom":{"type":"array","title":"Custom Relationships","description":"Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.","uniqueItems":true,"items":{"type":"object","title":"Custom Relationship","additionalProperties":false,"required":["type","targets"],"properties":{"type":{"type":"string","title":"Type","minLength":1,"description":"The name of the custom relationship kind."},"targets":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets","title":"Targets","description":"The targets of the custom relationship."},"description":{"type":"string","title":"Description","description":"A description of the custom relationship kind."}}}}}},"relationshipTargets":{"type":"array","title":"Relationship Targets","description":"References using bom-link or bom-ref to the target elements of a relationship.","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow."},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and why."},"type":{"title":"Type","description":"The type of flow. 
Use the custom option for types not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Flow Type","enum":["control","data","energy","event","financial","message","physical","process","signal"],"meta:enum":{"control":"Control or command flow.","data":"Data or information flow.","energy":"Power or energy flow.","event":"Event or notification flow.","financial":"Financial, value, or payment flow.","message":"Message or communication flow.","physical":"Physical movement of goods or materials.","process":"Business process flow.","signal":"Hardware or system signal."}},{"type":"object","title":"Custom Flow Type","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom flow type."},"description":{"type":"string","title":"Description","description":"A description of the custom flow type."}}}]},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange."},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the destination of the flow. 
The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange."},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions."},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous."},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the data carried by this flow is encrypted in transit."},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow."},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)."},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this flow."},"dataProfiles":{"type":"array","title":"Data Profiles","description":"Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice"}},"dataObjects":{"type":"array","title":"Data Objects","description":"The specific data objects carried by this flow. 
Each object names a payload and may reference one of the flow's data profiles for its governing policy.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataObject"}},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow."},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow."},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering hint so flows can be assembled into sequence diagrams."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.","required":["bom-ref","party"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier."},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","title":"Party","description":"The party that this actor binds to the modelled system. 
May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document."},"description":{"type":"string","title":"Description","description":"A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint."},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint."},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Zone","description":"Reference using bom-link or bom-ref to the trust zone in which the actor operates."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies."},"topic":{"title":"Topic","description":"The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Assumption Topic","enum":["availability","business","compliance","operational","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities.","business":"Assumption about business requirements, constraints, or organizational context.","compliance":"Assumption about regulatory, legal, or policy compliance obligations.","operational":"Assumption about operational procedures, staffing, or maintenance practices.","performance":"Assumption about throughput, latency, capacity, or scalability characteristics.","security":"Assumption about threat landscape, trust boundaries, or security controls.","technical":"Assumption about technology choices, capabilities, or technical constraints."}},{"type":"object","title":"Custom Assumption Topic","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assumption topic."},"description":{"type":"string","title":"Description","description":"A description of the custom assumption topic."}}}]},"relatedAssets":{"type":"array","title":"Related Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes."},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable.","unknown":"The validity of the assumption has not yet been assessed.","unverified":"The assumption has been identified but not yet validated.","verified":"The assumption has been confirmed as true through 
validation."},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound."},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement."},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation."}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization."},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows."},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"attachment":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the 
diagram if stored externally."},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics.","high":"High-level view showing major components and relationships.","medium":"Intermediate view balancing breadth and depth.","overview":"Top-level summary providing a broad perspective of the system."},"description":"Level of detail in the visualization."},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to elements shown in this visualization."},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive."},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","attack-tree","block","class","code","communication","component","container","context","data-flow","deployment","entity","flowchart","matrix","mind-map","network","process","sequence","state","timing","use-case"],"meta:enum":{"activity":"Activity or workflow diagram.","architecture":"System architecture diagram.","attack-tree":"Attack tree diagram showing alternative paths to a goal.","block":"Block diagram, including SysML block definition and internal block diagrams.","class":"Class or object diagram.","code":"Code structure 
diagram.","communication":"Communication diagram, formerly known as the collaboration diagram.","component":"Component diagram.","container":"Container diagram, as in C4.","context":"Context diagram.","data-flow":"Data flow diagram, or DFD.","deployment":"Deployment or infrastructure diagram.","entity":"Entity relationship diagram.","flowchart":"Flowchart depicting steps or decision logic.","matrix":"Matrix diagram, such as a dependency structure or traceability matrix.","mind-map":"Mind map diagram for decomposition or brainstorming.","network":"Network topology diagram.","process":"Business process diagram.","sequence":"Sequence or interaction diagram.","state":"State machine diagram.","timing":"Timing diagram showing state changes over time.","use-case":"Use case diagram."}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type."},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type."}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories."},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search."}}},"ownership":{"type":"array","title":"Ownership","description":"Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). 
Multiple parties may share the same role; preference among them is expressed via `role.order`.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"authenticationType":{"title":"Authentication Type","description":"The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Authentication Type","description":"A predefined authentication method from the enumeration.","enum":["api-key","basic","bearer","biometric","certificate","digest","eap","fido2","form","hmac","jwt","kerberos","ldap","magic-link","mtls","none","ntlm","oauth1","oauth2","oidc","pin","psk","push","radius","saml","scram","session-cookie","ssh","totp"],"meta:enum":{"api-key":"API key authentication.","basic":"HTTP Basic authentication (RFC 7617), where the browser presents a native credential dialog and the username and password are sent on each request.","bearer":"Bearer token authentication.","biometric":"Biometric authentication, such as fingerprint or face recognition.","certificate":"Certificate-based authentication.","digest":"Digest authentication.","eap":"Extensible Authentication Protocol, commonly used with IEEE 802.1X.","fido2":"FIDO2 or WebAuthn passwordless authentication.","form":"Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.","hmac":"HMAC request signing using a shared secret key.","jwt":"JSON Web Token authentication.","kerberos":"Kerberos authentication.","ldap":"LDAP directory authentication.","magic-link":"Passwordless authentication using a single-use link.","mtls":"Mutual TLS authentication.","none":"No authentication required.","ntlm":"NTLM authentication.","oauth1":"OAuth 1.0 authentication.","oauth2":"OAuth 2.0 authentication.","oidc":"OpenID Connect 
authentication.","pin":"Personal identification number, a short secret used as a knowledge factor, such as a device or application unlock PIN.","psk":"Pre-shared key authentication.","push":"Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.","radius":"RADIUS authentication.","saml":"SAML authentication.","scram":"Salted Challenge Response Authentication Mechanism.","session-cookie":"Session authentication using a server-side session identified by a cookie.","ssh":"SSH key authentication.","totp":"Time-based one-time password authentication."}},{"type":"object","title":"Custom Authentication Type","description":"A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom authentication method."},"description":{"type":"string","title":"Description","description":"A description of the custom authentication method, including how identity is verified and any relevant constraints."}}}]},"authorizationType":{"title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Authorization Type","description":"A predefined authorization model from the enumeration.","enum":["abac","acl","capability","dac","mac","none","pbac","radac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control.","acl":"Access Control Lists.","capability":"Capability-Based Access Control.","dac":"Discretionary Access Control.","mac":"Mandatory Access Control.","none":"No authorization 
controls.","pbac":"Policy-Based Access Control.","radac":"Risk-Adaptive Access Control.","rbac":"Role-Based Access Control.","rebac":"Relationship-Based Access Control."}},{"type":"object","title":"Custom Authorization Type","description":"A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom authorization model."},"description":{"type":"string","title":"Description","description":"A description of the custom authorization model, including how access decisions are made and any relevant constraints."}}}]}}},"cyclonedx-business-objective-2.0":{"type":"null","title":"CycloneDX Business Objective Model","$defs":{"businessObjectives":{"type":"array","title":"Business Objectives","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjective"},"description":"A collection of reusable business objectives that other elements may reference."},"businessObjective":{"type":"object","title":"Business Objective","description":"A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. 
Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the business objective."},"description":{"type":"string","title":"Description","description":"A description of the business objective."},"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality","description":"The business criticality of the objective."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for this objective. May be an inline party object or a reference to a previously declared party."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON 
Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common 
Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm","title":"Hash Algorithm","description":"The standard, well-known algorithm used to compute the hash."},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue","title":"Hash Value","description":"The value of the hash computed using the standard, well-known algorithm."}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash 
value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. 
BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","perspective","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","swid-tag","other"],"meta:enum":{"vcs":"Version Control System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. 
This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential 
of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code 
(IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","perspective":"A CycloneDX perspective defines a domain-specific view, enabling different audiences to interpret and navigate the data through their own conceptual lens.","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. 
For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","swid-tag":"A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. 
Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed. The 'T' and 'Z' designators must be uppercase; the lowercase forms that RFC 3339 tolerates do not match the pattern. The pattern checks shape only; calendar validity (e.g., month and day ranges) is checked only by validators that enforce the `date-time` format."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). 
Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. 
Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. 
This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the kind of patch, i.e. how it was produced or applied: unofficial, monkey, backport, or cherry-pick. The purpose of the patch (resolving defects or security issues, or adding new behavior or functionality) is expressed by the issues listed under `resolves`, not by this field."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URLs for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an action on a commit (such as authoring or committing it) together with the individual who performed it and when it occurred.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp at which the action occurred. Unlike the common `timestamp` definition, no Zulu-only pattern is applied here, so RFC 3339 offset forms are accepted."},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signatures":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatures","title":"Signatures","description":"Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"parties":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/parties"},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. 
The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This array SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types. The schema does not enforce this constraint (it is not among the `allOf` conditions on the component), so consumers must check it themselves."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false` or absent. The `if` subschema also matches objects that have no 'isExternal' property, so a version range is only valid when 'isExternal' is explicitly `true`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"componentOrChoice":{"title":"Component or Component Choice","description":"An entry in a components array. May be a concrete component, or a component-choice wrapper that expresses a conditional or alternate relationship between two or more components. 
The discriminator is the `type` property: when `type` is `component-choice`, the entry shall conform to the `componentChoice` schema; otherwise it shall conform to the `component` schema.","oneOf":[{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentChoice"}]},"componentChoice":{"type":"object","title":"Component Choice","description":"A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi-sourced parts, build variants, and required component groups in physical device bills of materials.","required":["type","operator","components"],"additionalProperties":false,"properties":{"type":{"type":"string","const":"component-choice","title":"Type","description":"Discriminator for a component-choice entry. The value shall be the literal string `component-choice`."},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component-choice elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"A display name for the choice. Typically corresponds to a reference designator, a design intent name, or a description of the role the chosen component fulfils.","examples":["2N2222 or PN2222A Transistor","U1 5V LDO Regulator"]},"description":{"type":"string","title":"Description","description":"A description of the choice and the rationale behind the alternates."},"operator":{"type":"string","enum":["OR","XOR","AND"],"meta:enum":{"OR":"Any non-empty subset of the contained components may be installed. Use for approved alternates where more than one may legitimately appear in a given instance.","XOR":"Exactly one of the contained components is installed in any single instance. 
Use for approved alternates that are mutually exclusive per instance, while the population of units may include multiple alternates across sourcing.","AND":"All of the contained components are installed together as a group. Use for tightly coupled component sets such as a transceiver and its required matching balun."},"title":"Operator","description":"The logical relationship between the contained components."},"components":{"type":"array","minItems":2,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentOrChoice"},"title":"Components","description":"Two or more alternate or grouped entries. Each entry may itself be a component-choice to express nested alternates, such as a choice between kits."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal 
protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component, expressed as an array of identity objects. Earlier CycloneDX versions accepted a single identity object (introduced in v1.5) before arrays were introduced in v1.6; this schema accepts only the array form, so use an array even when only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."},"accountInfo":{"type":"string","title":"Account Information","description":"The account or user information associated with the occurrence."},"systemOwner":{"type":"string","title":"System Owner","description":"The owner of the system where the component was found."},"startTime":{"type":"string","format":"date-time","title":"Start Time","description":"The date and time when the process detecting the occurrence started."},"endTime":{"type":"string","format":"date-time","title":"End Time","description":"The date and time when the process detecting the occurrence ended."},"usageCount":{"type":"integer","minimum":0,"title":"Usage Count","description":"The number of times the component occurred in the detecting process."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["scheme"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded Value","description":"The value of the scheme that has been concluded based on the aggregate of all methods (if 
available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}},"identifiers":{"type":"array","title":"Identifiers","description":"Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. For unverified or inferred identity data, use evidence.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identifier"},"uniqueItems":true},"identifier":{"type":"object","title":"Identifier","description":"A set of identifiers attributed to a single asserting party.","required":["party","identities"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"party":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Asserting Party","description":"Reference using bom-link or bom-ref to the party making the identity assertion."},"identities":{"type":"array","title":"Identities","description":"The discrete identity claims asserted by the party.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identity"},"minItems":1,"uniqueItems":true}}},"identity":{"type":"object","title":"Identity","description":"A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityScheme"},"value":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/identityValue"}}},"identityScheme":{"title":"Identifier Scheme","description":"The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.","oneOf":[{"type":"string","enum":["purl","cpe","swid","swhid","omniborid","epc-rfid","giai","gln","gmn","gtin-8","gtin-12","gtin-13","gtin-14","mpn","part-number","model-number","sku","serial-number","asset-tag","udi-di","udi-pi","fcc-id","imei","mac-address","tei"],"meta:enum":{"purl":"Package-URL identifier, conforming to the Package-URL specification.","cpe":"Common Platform Enumeration name, conforming to NIST Interagency Report 7695.","swid":"Software Identification tag identifier, conforming to ISO/IEC 19770-2.","swhid":"Software Heritage persistent identifier.","omniborid":"OmniBOR Artifact Identifier, also known as a gitoid.","epc-rfid":"Electronic Product Code - RFID (EPC Tag Data Standard)","giai":"Global Individual Asset Identifier (GIAI)","gln":"Global Location Number (GLN)","gmn":"Global Model Number (GMN)","gtin-8":"Global Trade Identification Number (GTIN-8 / EAN/UCC-8)","gtin-12":"Global Trade Identification Number (GTIN-12 / UPC-A)","gtin-13":"Global Trade Identification Number (GTIN-13 / EAN/UCC-13)","gtin-14":"Global Trade Identification Number (GTIN / EAN/UCC-14 or ITF-14)","mpn":"Manufacturer Part Number, assigned by the original manufacturer.","part-number":"Part number assigned by a distributor, integrator, or operator.","model-number":"Product model number assigned by the manufacturer.","sku":"Stock Keeping Unit, assigned by a seller or distributor.","serial-number":"Unique identifier for an individual instance of a product.","asset-tag":"Asset tag assigned by the owning or operating organization.","udi-di":"Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","udi-pi":"Unique Device Identifier, Production Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.","fcc-id":"United States Federal Communications Commission equipment identifier.","imei":"International 
Mobile Equipment Identity, conforming to 3GPP TS 23.003.","mac-address":"IEEE 802 Media Access Control address.","tei":"Transparency Exchange Identifier conforming to the Transparency Exchange API specification."}},{"type":"object","title":"Custom Identifier Scheme","description":"A custom identifier scheme not represented in the predefined taxonomy.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom identifier scheme."},"description":{"type":"string","title":"Description","description":"A description of the custom identifier scheme."}}}]},"identityValue":{"type":"string","minLength":1,"title":"Identifier Value","description":"The value of an identifier."}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-control-2.0":{"type":"null","title":"CycloneDX Control Model","$defs":{"controls":{"type":"array","title":"Controls","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/control"},"description":"The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses."},"control":{"type":"object","title":"Control","description":"A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the control."},"description":{"type":"string","title":"Description","description":"A description of the control."},"category":{"title":"Category","description":"The category of the control. 
Use the custom option for a category specific to an organization's taxonomy.","oneOf":[{"title":"Predefined Control Category","type":"string","enum":["preventive","detective","corrective","compensating","deterrent","recovery"],"meta:enum":{"preventive":"Prevents an unwanted event from occurring.","detective":"Identifies and records that an unwanted event has occurred or is occurring.","corrective":"Remedies the condition that allowed an unwanted event.","compensating":"Provides an alternative safeguard where a primary control is not feasible.","deterrent":"Discourages an actor from attempting an unwanted action.","recovery":"Restores operations after an unwanted event."}},{"title":"Custom Control Category","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom category."},"description":{"type":"string","title":"Description","description":"A description of the custom category."}}}]},"status":{"title":"Status","description":"The implementation status of the control.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/implementationStatus"},"appliesTo":{"type":"array","title":"Applies To","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. 
A control without this property applies to the organization or system as a whole."},"implementedBy":{"type":"array","title":"Implemented By","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control."},"satisfies":{"type":"array","title":"Satisfies","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards."},"effectiveness":{"title":"Effectiveness","description":"The assessed effectiveness of the control.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/effectiveness"},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for the control. May be an inline party object or a reference to a previously declared party."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"implementationStatus":{"title":"Implementation Status","description":"The implementation status of a control or response. Use the custom option for a status specific to an organization's process.","oneOf":[{"title":"Predefined Implementation Status","type":"string","enum":["recommended","proposed","approved","rejected","planned","in-progress","implemented","verified","decommissioned"],"meta:enum":{"recommended":"Suggested by a producer, standard, or assessor. 
Not yet entered into the adopting organization's decision process.","proposed":"Entered into the adopting organization's decision process but not yet approved.","approved":"Approved for implementation.","rejected":"Considered and declined, with no intent to implement.","planned":"Implementation is planned.","in-progress":"Implementation is in progress.","implemented":"Implemented and in effect.","verified":"Implemented and verified as effective.","decommissioned":"Removed from service."}},{"title":"Custom Implementation Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"effectiveness":{"type":"object","title":"Effectiveness","description":"The measured or assessed effectiveness of a control or response.","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"title":"Percentage","description":"Effectiveness as a decimal from 0 to 1."},"rating":{"type":"string","title":"Rating","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk.","marginal":"Slightly reduces risk.","adequate":"Adequately reduces risk.","good":"Significantly reduces risk.","excellent":"Nearly eliminates risk."},"description":"Effectiveness as a qualitative rating."}}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). 
This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. 
SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. 
The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"array","title":"Implementation platforms","description":"The target platforms for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform.","items":{"type":"string","title":"Platform","description":"The target platform for the implementation.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","riscv32","riscv64","other","unknown"],"meta:enum":{"generic":"Platform-independent implementation.","x86_32":"Intel/AMD 32-bit x86 architecture.","x86_64":"Intel/AMD 64-bit x86-64 architecture.","armv7-a":"ARM 32-bit application profile (Cortex-A).","armv7-m":"ARM 32-bit microcontroller profile (Cortex-M).","armv8-a":"ARM 64-bit application profile (AArch64).","armv8-m":"ARM 32-bit microcontroller with TrustZone.","armv9-a":"ARM 64-bit with enhanced security features.","armv9-m":"ARM microcontroller with advanced security.","s390x":"IBM Z series mainframe 64-bit.","ppc64":"IBM PowerPC 64-bit big-endian.","ppc64le":"IBM PowerPC 64-bit little-endian.","riscv32":"RISC-V 32-bit open standard architecture.","riscv64":"RISC-V 64-bit open standard architecture.","other":"Another platform.","unknown":"The platform is not known."}}},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","cavp","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","cavp":"Cryptographic Algorithm Validation Program","other":"Another 
certification","unknown":"The certification level is not known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","siv","gcm-siv","ocb","eax","kw","kwp","cts","xts","gmac","cmac","xpn","ff1","ff3-1","other","unknown"],"meta:enum":{"cbc":"Cipher Block Chaining mode.","ecb":"Electronic Codebook mode.","ccm":"Counter with CBC-MAC (AEAD).","gcm":"Galois/Counter Mode (AEAD).","cfb":"Cipher Feedback mode.","ofb":"Output Feedback mode.","ctr":"Counter mode.","siv":"Synthetic Initialization Vector mode.","gcm-siv":"GCM with Synthetic IV (nonce-misuse resistant).","ocb":"Offset Codebook Mode (AEAD).","eax":"Encrypt-then-Authenticate-then-Translate mode.","kw":"AES Key Wrap (RFC 3394).","kwp":"AES Key Wrap with Padding (RFC 5649).","cts":"Ciphertext Stealing mode.","xts":"XEX Tweaked-codebook with Stealing (disk encryption).","gmac":"Galois Message Authentication Code","cmac":"Cipher-based Message Authentication Code","xpn":"Extended Packet Numbering mode.","ff1":"Format-preserving encryption mode 1.","ff3-1":"Format-preserving encryption mode 3, update 1.","other":"Another mode of operation.","unknown":"The mode is not known."}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","pss","x931","other","unknown"],"meta:enum":{"pkcs5":"PKCS#5 padding for password-based cryptography.","pkcs7":"PKCS#7 padding with length-indicating bytes.","pkcs1v15":"PKCS#1 v1.5 padding for RSA.","oaep":"Optimal Asymmetric Encryption Padding for RSA.","raw":"No padding applied.","pss":"Probabilistic Signature Scheme for RSA signatures.","x931":"ANSI X9.31 padding for RSA.","other":"Another padding scheme.","unknown":"The padding scheme is not known."}},"cryptoFunctions":{"type":"array","title":"Cryptographic 
functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction"}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6},"secProperties":{"type":"array","title":"Security Properties","description":"Formal guarantees about an algorithm's resistance to specific adversarial capabilities under a defined threat model. Example: Key Encapsulation Mechanisms (KEMs) may target IND-CPA or IND-CCA security; choosing IND-CCA impacts safe use in settings with active/chosen-ciphertext attacks.","items":{"type":"string","title":"Security Property","examples":["IND-CPA","IND-CCA","IND-CCA2","SUF-CMA","EUF-CMA","collision-resistant","preimage-resistant","second-preimage-resistant"]}}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time 
according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding its signature, i.e. computed over the to-be-signed certificate data. Note that this differs from fingerprints computed over the complete DER-encoded certificate, including the signature, as commonly reported by TLS tooling; producers and consumers must agree on which form is used before comparing values."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Provides evidence that the certificate has been submitted to a public Certificate Transparency log, which makes mis-issuance by a CA detectable (it does not prevent issuance). Consists of the log ID, a timestamp and the log's signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The value of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material. For confidential types such as private-key, secret-key, shared-secret, seed, password, credential and token this field would disclose the secret itself; omit it, or record only a fingerprint, in any BOM that may be shared or distributed."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/fingerprint"},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"},"keyUsage":{"type":"array","title":"Key Usage","description":"Defines the permitted cryptographic usage for the asset.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptographicFunction","title":"Usage","description":"A permitted cryptographic usage."}}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher 
Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a 
cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"cryptographicFunction":{"type":"string","title":"Cryptographic Function","description":"A cryptographic function or usage.","enum":["generate","paramgen","paramver","keygen","keyver","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","keyagree","wrap","unwrap","other","unknown"],"meta:enum":{"generate":"Generates random data, IVs, or nonces.","paramgen":"Generates cryptographic domain parameters.","paramver":"Verifies cryptographic domain parameters.","keygen":"Generates cryptographic keys.","keyver":"Verifies cryptographic keys.","encrypt":"Transforms plaintext into ciphertext.","decrypt":"Transforms ciphertext into plaintext.","digest":"Computes a hash value from input data.","tag":"Generates an authentication tag for data integrity.","keyderive":"Derives keys from another key or shared secret.","sign":"Creates a digital signature using a private key.","verify":"Verifies a digital signature using a public key.","encapsulate":"Encapsulates a secret using a public key (KEM).","decapsulate":"Decapsulates a secret using a private key (KEM).","keyagree":"Derives a shared secret between parties.","wrap":"Encrypts a key for secure storage or transport.","unwrap":"Decrypts a wrapped 
key to recover the original key.","other":"Another cryptographic function.","unknown":"The cryptographic function is not known."}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic asset related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the role of, or the type of relationship to, the related cryptographic asset, for example the public key, private key or algorithm associated with this asset.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"fingerprint":{"type":"object","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset.","oneOf":[{"title":"Standard Hash","description":"A fingerprint computed using a standard, well-known hash algorithm.","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},{"title":"Custom Fingerprint","description":"A fingerprint computed with a custom or non-standard algorithm not covered by the standard hash algorithms.","required":["customAlg","customContent"],"additionalProperties":false,"properties":{"customAlg":{"type":"string","title":"Custom Fingerprint Algorithm","description":"The name of the custom algorithm used to compute the fingerprint."},"customContent":{"type":"string","title":"Custom Fingerprint Content","description":"The value of the fingerprint computed using the custom algorithm."}}}]},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the 
cryptographic asset is secured.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured, for example a hardware security module, a TPM, a secure enclave, software-only protection, or none.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"type":"array","title":"References","description":"The bom-refs to the assets securing this asset (e.g., algorithms, hardware, keys).","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfiles":{"type":"array","title":"Data Profiles","description":"A catalogue of reusable data profile definitions. Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"}},"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.","examples":["Customer PII Dataset","Transaction Logs","Employee Health Records"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification","description":"The classification of the data, indicating 
the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes."},"informationTypes":{"type":"array","title":"Information Types","description":"The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType"},"examples":[["pii","financial"],["phi","biometric",{"name":"minor-health-data","description":"Health information for individuals under 18, subject to COPPA and HIPAA."}]]},"subjects":{"type":"array","title":"Subjects","description":"The entities, groups, categories, or things that the data is about or pertains to. Identifying data subjects is essential for determining applicable privacy regulations, handling requirements, and protected class obligations.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/subject"},"examples":[[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR","IT"],"regulations":["GDPR"]},{"name":"Pediatric Patients","type":"group","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]}]]},"purposes":{"type":"array","title":"Purposes","description":"The stated purposes for which this data is collected, processed, or retained. Under the principle of purpose limitation, data must only be used for purposes compatible with those originally specified. 
Capturing purposes explicitly enables automated compliance checking and compatibility analysis across the data lifecycle.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/purpose"},"examples":[[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"}]]},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply to this data based on its nature, classification, or how it is processed and stored. See also subject.jurisdictions for jurisdictions that apply because of who the data is about."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply to this data based on its nature, classification, or processing context. See also subject.regulations for regulations that apply because of who the data is about."},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"The formats in which the data is stored or transmitted.","examples":[["JSON","CSV","Parquet"]]},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"References to schema contracts or documents describing the data structure.","examples":[["https://example.com/schemas/customer-v2.json"]]},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, 
lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"ttl":{"type":"integer","title":"Time to Live","minimum":1,"description":"The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. 
Distinct from retention, which applies to persisted data and is governed by requirement objects.","examples":[300,3600]},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataProfileChoice":{"title":"Data Profile Choice","description":"A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.","oneOf":[{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to a previously declared data profile."}]},"dataObject":{"type":"object","title":"Data Object","description":"A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. 
A single profile may govern many data objects; each data object refers to at most one profile.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data object."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the data object, such as the name of the message, record, document, or table row it represents.","examples":["user_registration","payment_request","audit_event"]},"description":{"type":"string","title":"Description","description":"A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes."},"profile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice","title":"Profile","description":"The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile."},"informationTypes":{"type":"array","title":"Information Types","description":"The types of information contained in this object. May refine or extend the information types declared on the referenced profile. 
Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType"}},"schema":{"type":"object","title":"Schema","description":"The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL or URN pointing to the schema document."},"mediaType":{"type":"string","title":"Media Type","description":"Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.","examples":["application/schema+json","application/xml","application/vnd.apache.avro+json"]},"comment":{"type":"string","title":"Comment","description":"Additional notes about the schema, such as its version or compatibility expectations."}}},"format":{"type":"object","title":"Format","description":"The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL or URN pointing to the format specification."},"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"comment":{"type":"string","title":"Comment","description":"Additional notes about the format."}}},"attributes":{"type":"array","title":"Attributes","description":"The fields, columns, or properties contained in this object. 
Each attribute may carry a typed information type to support field-level classification and compliance analysis.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataAttribute"}},"relationships":{"type":"array","title":"Relationships","description":"Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataRelationship"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataAttribute":{"type":"object","title":"Data Attribute","description":"A single field, column, or property within a data object. Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this attribute, enabling it to be referenced as a key target."},"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the attribute as it appears in the data object, such as a field name, column name, or property key.","examples":["email","dateOfBirth","panToken","amount"]},"description":{"type":"string","title":"Description","description":"A narrative explanation of the attribute, such as its semantics, expected values, or constraints."},"informationType":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/informationType","title":"Information Type","description":"The information type carried by this attribute. 
Field-level typing enables compliance analysis at finer granularity than the object-level information types."},"required":{"type":"boolean","title":"Required","description":"Indicates whether the attribute is required for the data object to be valid."},"sensitive":{"type":"boolean","title":"Sensitive","description":"Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls."},"key":{"type":"string","title":"Key","enum":["primary","foreign","unique"],"meta:enum":{"primary":"The attribute is part of the primary key that uniquely identifies the data object.","foreign":"The attribute is a foreign key referencing another data object.","unique":"The attribute carries a uniqueness constraint."},"description":"The key role of the attribute within the data object."},"references":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"References","description":"For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataRelationship":{"type":"object","title":"Data Relationship","description":"A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.","additionalProperties":false,"required":["target","cardinality"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"The name of the relationship, such as the role or verb that describes it."},"description":{"type":"string","title":"Description","description":"A description of the relationship."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"Reference using bom-link or bom-ref to the related data 
object."},"cardinality":{"type":"string","title":"Cardinality","enum":["one-to-one","one-to-many","many-to-one","many-to-many"],"meta:enum":{"one-to-one":"Each record of the source relates to at most one record of the target, and the reverse.","one-to-many":"Each record of the source relates to many records of the target.","many-to-one":"Many records of the source relate to one record of the target.","many-to-many":"Many records of the source relate to many records of the target."},"description":"The cardinality of the relationship."},"sourceAttributes":{"type":"array","title":"Source Attributes","description":"References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"targetAttributes":{"type":"array","title":"Target Attributes","description":"References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"subject":{"type":"object","title":"Subject","description":"An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. 
Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.","additionalProperties":false,"anyOf":[{"required":["name","type"]},{"required":["party"]},{"required":["ref"]}],"examples":[{"name":"EU Residents","type":"group","protectedClass":false,"jurisdictions":["DE","FR"],"regulations":["GDPR"]},{"ref":"party-pediatric-patients","protectedClass":true,"jurisdictions":["US"],"regulations":["HIPAA","COPPA"]},{"party":{"roles":[{"role":"data-subject"}],"persona":{"archetype":"customer","scope":"external","description":"Fleet vehicle owners enrolled in the connected-services platform."}},"protectedClass":false}],"properties":{"name":{"type":"string","title":"Name","description":"The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.","minLength":1,"examples":["EU Residents","Pediatric Patients","Fleet Vehicles"]},"type":{"type":"string","title":"Type","description":"A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. Optional when `party` or `ref` is supplied.","minLength":1,"examples":["individual","group","technology"]},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party","title":"Party","description":"An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`."},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. 
Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it."},"protectedClass":{"type":"boolean","title":"Protected Class","description":"Indicates whether this subject represents or includes a legally protected class under applicable regulations. Protected classes are groups defined by characteristics such as race, ethnicity, religion, gender, age, disability, sexual orientation, national origin, or genetic information. When true, additional regulatory obligations may apply to the collection, processing, and sharing of data about this subject, including GDPR special category data provisions, US civil rights protections, COPPA requirements for children, and HIPAA protections for health information."},"jurisdictions":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/jurisdictions","description":"The jurisdictions whose laws and regulations apply specifically because of this subject. See also dataProfile.jurisdictions for jurisdictions that apply to the data itself."},"regulations":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/regulations","description":"The regulations that apply specifically because of this subject. See also dataProfile.regulations for regulations that apply to the data itself."},"description":{"type":"string","title":"Description","description":"A narrative explanation of the subject, its relationship to the data, and any special handling considerations. This may include why the subject is relevant, what aspects of the subject the data captures, and any known sensitivities or regulatory implications."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"jurisdictions":{"type":"array","title":"Jurisdictions","description":"The geographic or political jurisdictions whose laws and regulations apply. 
Values should use ISO 3166-1 alpha-2 country codes or ISO 3166-2 subdivision codes for subnational jurisdictions.","uniqueItems":true,"items":{"type":"string","minLength":2,"examples":["US","GB","US-CA"]},"examples":[["US","GB","DE"]]},"regulations":{"type":"array","title":"Regulations","description":"The specific laws, regulations, or compliance frameworks that apply.","uniqueItems":true,"items":{"type":"string","minLength":1,"examples":["GDPR","HIPAA","PCI-DSS"]},"examples":[["GDPR","CCPA","PCI-DSS"]]},"purpose":{"type":"object","title":"Purpose","description":"The stated reason for collecting, processing, or retaining data. Purpose is a foundational principle in data protection law — under GDPR Article 5(1)(b), CCPA, PIPEDA, and virtually every modern privacy framework, data must be collected for specified, explicit, and legitimate purposes, and must not be further processed in a manner incompatible with those original purposes (purpose limitation). Capturing purposes explicitly enables automated compliance checking and purpose-compatibility analysis.","required":["name"],"additionalProperties":false,"examples":[{"name":"Service Delivery","legalBasis":"contract"},{"name":"Fraud Prevention","legalBasis":"legitimate interest"},{"name":"Marketing Analytics","legalBasis":"consent"}],"properties":{"name":{"type":"string","title":"Name","description":"The name of the purpose for which data is collected or processed.","minLength":1,"examples":["Service Delivery","Fraud Prevention","Marketing Analytics"]},"description":{"type":"string","title":"Description","description":"A detailed explanation of the purpose, how the data serves it, and any constraints on use. This narrative should be specific enough to evaluate whether subsequent processing activities are compatible with the original stated purpose."},"legalBasis":{"type":"string","title":"Legal Basis","description":"The legal basis under applicable law that authorises data collection or processing for this purpose. 
Use terminology consistent with the applicable jurisdiction and regulation.","minLength":1,"examples":["consent","contract","legitimate interest"]},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"title":"Data Classification","description":"Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.","oneOf":[{"type":"string","title":"Predefined Classification","description":"A predefined classification level from the enumeration.","enum":["confidential","internal","public","restricted","classified"],"meta:enum":{"confidential":"Confidential information requiring protection.","internal":"Internal use only within the organisation.","public":"Public information that can be freely shared.","restricted":"Highly restricted information with limited access and special protection measures.","classified":"Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations."}},{"type":"object","title":"Custom Classification","description":"A custom classification level not covered by the predefined enumeration.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom classification level."},"description":{"type":"string","title":"Description","description":"A description of what this custom classification level means and the protections it implies."}}}]},"informationType":{"title":"Information Type","description":"Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. 
A single dataset can contain multiple information types and is captured as an array on the data profile.","oneOf":[{"type":"string","title":"Predefined Information Type","description":"A predefined information type from the enumeration.","enum":["authentication","behavioral","biometric","communication","credentials","device","financial","genetic","intellectual-property","location","logs","operational","pci","phi","pii","safety","telemetry"],"meta:enum":{"authentication":"Authentication data such as passwords, PINs, or security questions.","behavioral":"Behavioural data such as browsing history, usage patterns, or profiling data.","biometric":"Biometric data such as fingerprints, facial recognition, or voice patterns.","communication":"Communication content such as messages, emails, or call records.","credentials":"Secrets, tokens, or credentials.","device":"Device identifiers or hardware-level data.","financial":"Financial statements or transaction data.","genetic":"Genetic or genomic data.","intellectual-property":"Intellectual property or trade secrets.","location":"Precise or inferred geographic location data.","logs":"Operational or security log data.","operational":"Operational or process data.","pci":"Payment card industry data.","phi":"Protected health information.","pii":"Personally identifiable information.","safety":"Safety critical data or signals.","telemetry":"System or product telemetry data."}},{"type":"object","title":"Custom Information Type","description":"A custom information type not covered by the predefined enumeration.","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom information type."},"description":{"type":"string","title":"Description","description":"A description of the custom information type and any handling implications it carries."}}}]},"dataGovernance":{"type":"array","title":"Data Governance","description":"Parties responsible 
for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim 
between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. Each mitigation strategy should be substantiated by evidence.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the 
BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"},"useCases":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCases"},"requirements":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirements"},"businessObjectives":{"$ref":"#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjectives"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-jss_X590_2023_10-2.0":{"type":"null","title":"CycloneDX Model for JSON Signature Scheme (JSS)","description":"JSON Schema implementing ITU-T X.590 (10/2023) – JSON Signature Scheme (JSS). Defines the structure for digitally signing JSON objects while keeping the payload in JSON format. Supports single signatures, multiple independent signatures, and chained counter-signatures. Intended for use as a $defs import in CycloneDX 2.0.","$defs":{"timestamp":{"title":"Timestamp","description":"An RFC 3339 timestamp in the UTC+0 time zone. Must use the 'Z' suffix. Sub-second precision, when present, MUST be exactly three digits (millisecond precision). If no sub-second digits are included, the decimal point MUST NOT be present. Matches the pattern: yyyy-mm-ddThh:mm:ss[.sss]Z","type":"string","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\\.[0-9]+)?Z$","examples":["2023-10-29T13:56:08Z","2023-10-29T13:56:08.000Z","2023-11-15T08:30:00.123Z"]},"identifier":{"title":"Identifier","description":"A Universally Unique Identifier (UUID) conformant with RFC 4122. Used to uniquely identify a signature object. Signatures sharing the same 'id' are treated as versions of the same logical signature, differentiated by their 'modified' timestamp.","type":"string","format":"uuid","pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$","examples":["f47ac10b-58cc-4372-a567-0e02b2c3d479"]},"hashAlgorithm":{"title":"Hash Algorithm","description":"This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. 
The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.","type":"string","pattern":"^[a-z0-9-]+$","examples":["sha-256","sha-384","sha-512","sha3-256","sha3-512"]},"algorithmVocabulary":{"title":"Signature Algorithm Type Vocabulary (signature-algorithm-type-ov)","description":"NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.","type":"string","enum":["XMSS-SHA2_10_256","XMSS-SHA2_16_256","XMSS-SHA2_20_256","LMS_SHA256_M32_H5","LMS_SHA256_M32_H10","LMS_SHA256_M32_H15","LMS_SHA256_M32_H20","LMS_SHA256_M32_H25","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512","Ed25519","Ed448"]},"algorithm":{"title":"Signing Algorithm","description":"This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. 
The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm.","type":"string","anyOf":[{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithmVocabulary"},{"type":"string","title":"Other algorithm identifier","description":"Any other current, widely accepted, safe algorithm identifier not present in the signature-algorithm-type-ov vocabulary (X.590 clause 6.2.2 makes that vocabulary a SHOULD, not a MUST)."}],"examples":["Ed25519","ES256","XMSS-SHA2_10_256","LMS_SHA256_M32_H5","PS512"]},"publicKey":{"title":"Public Key (PEM, header-stripped)","description":"This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.","type":"string","pattern":"^[A-Za-z0-9+/]+={0,2}$","examples":["MCowBQYDK2VwAyEAubMonBfU9pvIbj5RCiWQLD45Jvu6mKr+kQXjvjW8ZkU="]},"publicCertChain":{"title":"Public Certificate Chain","description":"This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. 
The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].","type":"array","items":{"type":"string","description":"Base64-encoded (standard, not base64URL) DER-encoded PKIX certificate value (RFC 5280)."},"minItems":1},"certUrl":{"title":"Certificate URL","description":"This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].","type":"string","format":"uri","pattern":"^https://","examples":["https://pki.example.com/certs/signing-cert.pem"]},"thumbprint":{"title":"Certificate Thumbprint","description":"This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. 
The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].","type":"string","pattern":"^[A-Za-z0-9_-]{43}$","examples":["NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"]},"signatureObject":{"title":"Signature Object","description":"A JSS signature object as defined in ITU-T X.590 clause 6.2. Captures the hashing algorithm, signing algorithm, public key material (in one of four forms), the base64URL-encoded digital signature value, and optional metadata. May nest a child 'signature' property to form a counter-signature chain.","type":"object","properties":{"hash_algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/hashAlgorithm"},"algorithm":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/algorithm"},"public_key":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicKey"},"public_cert_chain":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/publicCertChain"},"cert_url":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/certUrl"},"thumbprint":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/thumbprint"},"value":{"title":"Signature Value","description":"A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs()))).","type":"string","pattern":"^[A-Za-z0-9_-]+={0,2}$"},"signature":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject","title":"Counter-Signature","description":"This property enables a signature to be countersigned, meaning a signature can be signed by another signature."},"type":{"title":"Type Indicator","description":"The value of this property MUST be jss.","type":"string","const":"jss"},"id":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/identifier","title":"Signature Identifier","description":"A value that uniquely identifies the signature. 
All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property."},"related_to":{"title":"Related Object Reference","description":"A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"related_version":{"title":"Related Object Version","description":"A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.","type":"string"},"created":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Created Timestamp","description":"The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"modified":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Modified Timestamp","description":"The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. 
If the created and modified properties are the same, then this is the first version of the signature.","pattern":"^[0-9]{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])T(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\\.[0-9]{3}Z$"},"revoked":{"title":"Revoked Flag","description":"A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.","type":"boolean","default":false},"signee":{"title":"Signee","description":"An unstructured string value for the name of the entity or organization that produced this signature.","type":"string"},"valid_from":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid From","description":"The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored."},"valid_until":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/timestamp","title":"Valid Until","description":"The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. 
If the revoked property is true then this property MUST be ignored."}},"required":["hash_algorithm","algorithm","value"],"anyOf":[{"required":["public_key"],"description":"Public key material provided as PEM-encoded public key (header/footer stripped)."},{"required":["public_cert_chain"],"description":"Public key material provided as a base64-encoded DER X.509 certificate chain."},{"required":["cert_url"],"description":"Public key material provided by reference to a TLS-accessible certificate URI."},{"required":["thumbprint"],"description":"Public key material referenced by a base64URL-encoded SHA-256 certificate thumbprint."}],"unevaluatedProperties":true},"signatures":{"title":"Signatures Array","description":"A JSON array of one or more signature objects. MUST be located at the top-level of the signed JSON object. The property name used to hold this array SHOULD be 'signatures', but implementations MAY use a different name provided it does not conflict with any other top-level property name in the host JSON object. 
All signature objects in this array are independent parallel signatures over the same JSON object; for chained counter-signatures, use the nested 'signature' property within an individual signature object.","type":"array","items":{"$ref":"#/$defs/cyclonedx-jss_X590_2023_10-2.0/$defs/signatureObject"},"minItems":1}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. 
Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-party-2.0":{"type":"null","title":"CycloneDX Party Model","$defs":{"party":{"type":"object","title":"Party","description":"Identifies an organization, individual, system, or abstract archetype that participates in supplying, producing, attesting, operating, owning, regulating, or otherwise relating to the subject. Each party plays one or more named roles. Roles may carry preference order (`role.order`) to express primary, alternate, and secondary rankings among parties sharing the same role.\n\nExactly one identity sub-shape (`organization`, `person`, `system`, or `persona`) shall be present. Optional sub-objects layer inter-party relationships and standard extension data.","required":["roles"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"roles":{"type":"array","minItems":1,"uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/role"},"title":"Roles","description":"One or more roles the party fulfils. 
Each role may carry an `order` indicating preference among parties sharing the same role (for example, primary versus alternate supplier)."},"organization":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/organization","description":"Identity attributes valid when the party is an organization, company, government body, or other collective."},"person":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/person","description":"Identity attributes valid when the party is an individual person."},"system":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/system","title":"System","description":"Identity attributes valid when the party is a software system, hardware system, service account, automation, or autonomous agent."},"persona":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/persona","title":"Persona","description":"Identity attributes valid when the party is an abstract archetype rather than a specific named instance."},"relations":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyRelations","title":"Relations","description":"Links from this party to other parties."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"required":["organization"]},{"required":["person"]},{"required":["system"]},{"required":["persona"]}]},"parties":{"type":"array","title":"Parties","description":"Parties associated with the subject. Each item identifies an organization, individual, system, or abstract archetype playing one or more named roles such as manufacturer, supplier, author, integrator, quality-control, or any custom role. The same party can hold multiple roles, each independently ranked via `role.order` to express preference (for example, primary supplier with order 1 and alternate supplier with order 2). 
Items may be inline party objects or references to parties declared elsewhere.","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"}},"partyChoice":{"title":"Party Choice","description":"A party represented either as a complete object or as a reference to a previously declared party.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/party"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A refLinkType pointing to a previously declared party."}]},"role":{"title":"Role","description":"A role that a party fulfils. May be a predefined role from the CycloneDX role taxonomy or a custom role definition. The optional `order` property ranks parties that share the same role, supporting use cases such as primary versus alternate suppliers in hardware manufacturing supply chains.","oneOf":[{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/preDefinedRole"},{"title":"Custom Role","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom role.","examples":["Chief Executive Officer","Data Protection Officer","Release Manager"]},"description":{"type":"string","title":"Description","description":"A description of the custom role, including its responsibilities and scope."},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. 
Absence means unranked."}}}]},"preDefinedRole":{"title":"Pre-Defined Role","type":"object","required":["role"],"additionalProperties":false,"properties":{"role":{"type":"string","title":"Role","description":"A predefined role from the CycloneDX role taxonomy.","enum":["agent","assembler","asserter","attacker","auditor","author","broker","carrier","certificate-authority","committer","competitor","consignee","consignor","contributor","customer","custodian","customs-broker","data-controller","data-processor","data-recipient","data-subject","delegate","developer","distributor","end-user","engineer","exporter","freight-forwarder","holder","importer","insider-threat","inspector","insurer","integrator","issuer","key-escrow-agent","legal-contact","licensee","licensor","maintainer","manufacturer","operator","owner","packager","partner","principal","publisher","purchaser","quality-control","regulator","relying-party","repackager","researcher","reviewer","security-contact","signatory","steward","subject","supplier","support-contact","third-party-logistics","timestamp-authority","validation-authority","verifier","warehouse-operator"],"meta:enum":{"agent":"Software or AI agent acting autonomously or semi-autonomously, typically on behalf of a principal.","assembler":"The party that assembles or integrates constituent parts into the subject. Common in hardware manufacturing and software build pipelines.","asserter":"The party making assertions about the subject, such as patent ownership or compliance claims.","attacker":"A hostile party targeting the subject.","auditor":"The party that conducted an audit or assessment of the subject.","author":"The party that created the subject. 
Common when the subject is created through manual processes.","broker":"The party that acts as an intermediary in commercial transactions.","carrier":"The party that physically transports goods, such as shipping lines, airlines, or trucking companies.","certificate-authority":"The party that issues, signs, and manages digital certificates within a public key infrastructure.","committer":"The party who committed or pushed changes to a version control system.","competitor":"A competing party in the same market or domain as the subject's organization.","consignee":"The party designated to receive a shipment of goods.","consignor":"The party that sends or ships goods to a consignee.","contributor":"A party that contributed to the development of the subject without being the primary author.","customer":"Customer of the organization that owns the subject.","custodian":"The party responsible for the safe custody, transport, and storage of the subject.","customs-broker":"The party that facilitates the clearance of goods through customs barriers.","data-controller":"The party that determines the purposes and means of processing personal data.","data-processor":"The party that processes personal data on behalf of a data controller.","data-recipient":"The party to which personal data is disclosed.","data-subject":"The natural person whose personal data is processed.","delegate":"A party exercising authority on behalf of another party identified via relations.delegatedBy.","developer":"Software developer or platform engineer.","distributor":"The party that distributes the subject to downstream consumers or customers.","end-user":"The end user of a system, service, or product.","engineer":"Engineer responsible for designing, implementing, or operating a system.","exporter":"The party that sends goods to another country for trade or sale.","freight-forwarder":"The party that arranges the shipment and logistics of goods on behalf of shippers.","holder":"The party that holds a 
verifiable credential, claim, or asset.","importer":"The party that brings goods into a country from abroad for trade or sale.","insider-threat":"A hostile or negligent party with legitimate access.","inspector":"The party that inspects goods for quality, safety, or regulatory compliance.","insurer":"The party that provides insurance coverage.","integrator":"The party that integrates the subject into a larger system or product.","issuer":"The party that issues a credential, claim, identifier, or asset.","key-escrow-agent":"The party that holds copies of cryptographic keys in escrow.","legal-contact":"The designated party to contact for legal matters.","licensee":"The party to which a license for the subject has been granted.","licensor":"The party that grants a license for the subject.","maintainer":"The party responsible for ongoing maintenance, including updates, patches, and security fixes.","manufacturer":"The party that manufactured or produced the subject. Common when the subject is produced through automated processes.","operator":"The party responsible for operating or running the subject in a production environment.","owner":"The party that holds ownership rights over the subject.","packager":"The party that packages goods for storage, shipment, or retail sale.","partner":"Business partner with a defined relationship.","principal":"The party on whose behalf another party acts, paired with delegate.","publisher":"The party that published the subject, making it available for consumption.","purchaser":"The party that purchased the subject or a license for its use.","quality-control":"The party responsible for quality control activities, including inspection, testing, and verification.","regulator":"Government or industry regulator with administrative authority over the subject.","relying-party":"The party that relies on credentials, claims, or attestations issued by another party.","repackager":"The party that repackages the subject, potentially combining it 
with other components.","researcher":"Security researcher, bug bounty hunter, or academic conducting authorized study.","reviewer":"The party that reviewed the subject or its associated evidence.","security-contact":"The designated party to contact in the event of a security incident.","signatory":"The party authorized to sign on behalf of an organization, affirming the validity or accuracy of statements or attestations.","steward":"The party responsible for the content, context, and associated business rules of the subject.","subject":"The party to whom an issued credential, claim, or identifier is bound.","supplier":"The party that supplied the subject. The supplier may often be the manufacturer, but may also be a distributor or repackager.","support-contact":"The designated party to contact for technical support.","third-party-logistics":"The party that provides outsourced logistics services.","timestamp-authority":"The party that issues trusted timestamps.","validation-authority":"The party that provides certificate validation services.","verifier":"The party that verifies credentials, claims, or attestations.","warehouse-operator":"The party responsible for storing, handling, and managing inventory within a warehouse or distribution centre."}},"order":{"type":"integer","minimum":1,"title":"Order","description":"Preference order among parties sharing this role. Lower values indicate higher preference. Ties are permitted. Absence means unranked. For example, a primary supplier may have `order: 1` while an alternate supplier has `order: 2`.","examples":[1,2,3]}}},"organization":{"type":"object","title":"Organization Identity","description":"Identity attributes for a party that is an organization, company, government body, or other collective.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The common display or trading name of the organization. 
Use when the registered legal name is unknown or when the everyday name differs from the legal one.","examples":["Acme","Globex"]},"legalName":{"type":"string","title":"Legal Name","description":"The registered legal name of the organization, including any suffix such as Inc., S.r.l., GmbH, or LLC.","examples":["Acme Microcontrollers S.r.l.","Acme Holdings, Inc."]},"description":{"type":"string","title":"Description","description":"A description of the organization itself, distinct from any role-specific or contextual description applied at the party wrapper level."},"logo":{"type":"string","format":"iri-reference","title":"Logo","description":"URL to an image representing the organization. Useful for catalog, datasheet, and user interface views."},"foundingDate":{"type":"string","format":"date","title":"Founding Date","description":"The date the organization was founded. Supports supplier due diligence and age-of-organization signals."},"dissolutionDate":{"type":"string","format":"date","title":"Dissolution Date","description":"The date the organization was dissolved or wound down. When present, the organization is no longer active."},"jurisdiction":{"type":"string","title":"Jurisdiction","description":"Country of registration as an ISO 3166-1 alpha-2 or alpha-3 code, optionally followed by an ISO 3166-2 subdivision separated by a hyphen.","examples":["US-DE","IT-BO","CHE"]},"identifiers":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Identifiers issued to or associated with the organization. May include legal and registration identifiers (LEI, DUNS, CAGE, NCAGE, EORI, VAT, tax identifiers) and non-legal identifiers such as workload or machine identities."},"formerNames":{"type":"array","items":{"type":"string"},"title":"Former Names","description":"Prior names of the organization. Use when the entity has been renamed, merged, or acquired. 
Distinct from `aliases`, which captures concurrent alternate designations.","examples":[["Atmel Corporation"]]},"aliases":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Aliases","description":"Concurrent alternate designations for the organization. Distinct from `formerNames`, which captures historical names. Common when modeling tracked threat-actor groups that are known by different designations across threat-intelligence vendors.","examples":[["Fancy Bear","STRONTIUM","Sofacy","Sednit","Pawn Storm"]]},"url":{"type":"array","title":"URLs","description":"URLs associated with the organization. Each entry carries a `name` label and a `url` value so producers can describe homepage, support portal, press, status, code repository, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `support`, `press`, `status`, or `repository`.","examples":["homepage","support","press","status","repository"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress"},"title":"Addresses","description":"Physical addresses associated with the organization."}}},"person":{"type":"object","title":"Person Identity","description":"Identity attributes for a party that is an individual person. The name model is intentionally unstructured: a single freeform `name` captures the full name as the person wishes to be known, accommodating the wide variation of naming conventions across cultures. See https://www.w3.org/International/questions/qa-personal-names for background.","additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The person's full name as they wish to be known. A single freeform string. 
No assumption is made about given-versus-family ordering, mononym versus multi-component names, patronymics, or honorific embedding. Producers should use the form the person uses themselves.","examples":["Ada Lovelace","Suharto","Maria del Carmen García López","Nguyễn Văn An"]},"sortName":{"type":"string","title":"Sort Name","description":"Optional sortable form of the name for catalog and index views. Use when the natural form of `name` does not sort intuitively, for example a comma-separated last-name-first form.","examples":["Lovelace, Ada","García López, Maria del Carmen"]},"honorificPrefix":{"type":"string","title":"Honorific Prefix","description":"Honorific or title preceding the name, used in forms of address. Distinct from the name itself.","examples":["Dr.","Prof."]},"honorificSuffix":{"type":"string","title":"Honorific Suffix","description":"Honorific or post-nominal letters following the name, used in forms of address. Distinct from the name itself.","examples":["PhD","Esq."]},"jobTitle":{"type":"string","title":"Job Title","description":"The person's job title. Useful for credit lines and attribution.","examples":["Chief Information Security Officer","Data Protection Officer","Senior Software Engineer"]},"description":{"type":"string","title":"Description","description":"A description of the person, distinct from any role-specific or contextual description applied at the party wrapper level."},"email":{"type":"array","title":"Email","description":"Email addresses associated with the person. 
Each entry carries a `name` label and an `address` value so producers can describe work, personal, support, and similar contexts without ambiguity.","items":{"type":"object","required":["address"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the email, such as `work`, `personal`, `support`, or `security`.","examples":["work","personal","support","security"]},"address":{"type":"string","format":"idn-email","title":"Address"}}}},"phone":{"type":"array","title":"Phone","description":"Phone numbers associated with the person. Each entry carries a `name` label and a `number` value. Numbers should be expressed in E.164 form where possible.","items":{"type":"object","required":["number"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the phone, such as `office`, `mobile`, `fax`, or `pager`.","examples":["office","mobile","fax","pager"]},"number":{"type":"string","title":"Number","examples":["+1-555-0100","+44 20 7946 0958"]}}}},"url":{"type":"array","title":"URLs","description":"URLs associated with the person. 
Each entry carries a `name` label and a `url` value so producers can describe homepage, social profiles, code repositories, and similar without ambiguity.","items":{"type":"object","required":["url"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"Label describing the URL, such as `homepage`, `github`, `linkedin`, `mastodon`, or `orcid`.","examples":["homepage","github","linkedin","orcid"]},"url":{"type":"string","format":"iri-reference","title":"URL"}}}},"address":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/postalAddress","title":"Address"},"affiliation":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Affiliation","description":"Reference using bom-link or bom-ref to an organization party with which the person is affiliated."}}},"system":{"type":"object","title":"System Identity","description":"Identity attributes for a party that is a software system, hardware system, service account, automation, or autonomous agent.","additionalProperties":false,"properties":{"kind":{"title":"Kind","description":"The kind of system the party represents. May be a predefined kind from the CycloneDX system-kind taxonomy expressed as a plain string, or a custom kind expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Kind","type":"string","enum":["software-system","hardware-system","service-account","machine-identity","automation","agent","bot","oracle","smart-contract","device","robot"],"meta:enum":{"software-system":"Application, service, or platform that performs actions as itself.","hardware-system":"Physical device or appliance that performs actions. 
Includes vehicles, drones, satellites, medical devices, network equipment, and industrial controllers unless a more specific kind applies.","service-account":"Non-human identity used by automation to authenticate.","machine-identity":"Cryptographic identity such as a certificate principal or workload identity.","automation":"Pipeline, job, or scheduled task that performs actions deterministically.","agent":"Autonomous or semi-autonomous agent that can plan and execute. Includes AI agents.","bot":"Scripted automation that interacts with an interface. Includes chatbots, robotic process automation bots, and scraping bots.","oracle":"External data feed or oracle, including blockchain oracles that bridge off-chain data into on-chain systems.","smart-contract":"On-chain program that executes deterministically.","device":"Physical end user device such as a phone or IoT device acting as a party in its own right.","robot":"Physical robot or autonomous mechanical system. For software-only counterparts, see `bot`, `agent`, or `automation`."}},{"title":"Custom Kind","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom kind."},"description":{"type":"string","title":"Description","description":"A description of the custom kind."}}}]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"Reference to any bom-ref'd object that represents this system. The referenced object provides the underlying identity (component, service, blueprint asset, or other object type). 
Use to associate the party with its concrete representation declared elsewhere."},"identifiers":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/identifier"},"title":"Identifiers","description":"Machine identifiers for the system, such as service principal, workload identity, certificate subject, or device serial."},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities or duties the system possesses, as declared by the document producer. The list is descriptive: it neither grants nor enforces any permission, and consumers should not treat it as proof of what the system can actually do."}}},"persona":{"type":"object","title":"Persona Identity","description":"Identity attributes for a party that is an abstract archetype rather than a specific named instance. Use for generic users, generic suppliers, or hypothesized attackers when a specific party is intentionally not named. When the specific instance is known (for example a tracked APT group), use `organization` instead.","additionalProperties":false,"properties":{"description":{"type":"string","title":"Description","description":"Free-text description of the persona instance. Use to refine the archetype with details relevant to the threat model, such as the persona's assumed context, history, or behavioral pattern.","examples":["Disgruntled administrator with elevated access to the payment gateway and motive driven by recent performance review."]},"archetype":{"title":"Archetype","description":"The persona archetype. 
May be a predefined archetype from the CycloneDX persona-archetype taxonomy expressed as a plain string, or a custom archetype expressed as an object with `name` and optional `description`.","oneOf":[{"title":"Pre-Defined Archetype","type":"string","enum":["end-user","power-user","administrator","developer","operator","internal","external","anonymous","guest","customer","partner","supplier","vendor","contractor","third-party","auditor","researcher","regulator","law-enforcement","attacker","insider-threat","hacktivist","nation-state","organized-crime","competitor","public"],"meta:enum":{"end-user":"Typical end user of the system.","power-user":"Advanced user with higher than average privileges.","administrator":"Administrative or privileged user.","developer":"Application developer or platform engineer.","operator":"Operational staff running the system.","internal":"Generic internal party.","external":"Generic external party without an account or operational relationship.","anonymous":"Unauthenticated visitor interacting with the system.","guest":"Semi-authenticated user with restricted privileges.","customer":"Customer of the organization that owns the subject.","partner":"Business partner with a defined relationship.","supplier":"Generic supplier providing goods or services on a transactional basis.","vendor":"Vendor delivering and operating goods or services with operational access to the subject.","contractor":"Third party with operational access under contract.","third-party":"Generic third party that does not fit partner, supplier, vendor, or contractor.","auditor":"External auditor or assessor.","researcher":"Security researcher, bug bounty hunter, or academic. 
Authorized probing party.","regulator":"Government or industry regulator with administrative authority over the subject.","law-enforcement":"Law enforcement entity with investigative authority.","attacker":"Generic hostile external party.","insider-threat":"Hostile or negligent party with legitimate access.","hacktivist":"Hostile party motivated by ideology or activism.","nation-state":"Hostile party sponsored or directed by a national government.","organized-crime":"Hostile party operating as part of an organized criminal enterprise.","competitor":"Generic competitor.","public":"General public not in direct interaction with the subject."}},{"title":"Custom Archetype","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"}}}]},"scope":{"type":"string","title":"Scope","enum":["internal","external","mixed"],"meta:enum":{"internal":"Persona is internal to the organization that owns the subject.","external":"Persona is external to the organization that owns the subject.","mixed":"Persona may appear in either internal or external contexts."}},"permissions":{"type":"array","items":{"type":"string"},"uniqueItems":true,"title":"Permissions","description":"Capabilities the persona is assumed to hold."},"assumedPosture":{"type":"string","title":"Assumed Security Posture","description":"Assumed security posture of the persona in this context.","examples":["authenticated","unauthenticated","authorized","privileged"]}}},"partyRelations":{"type":"object","title":"Party Relations","description":"Links from this party to other parties. Captures hierarchical, organizational, and delegation relationships. Order ranking is on the role itself (`role.order`), not here.","additionalProperties":false,"properties":{"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent","description":"Reference to a parent party. 
Models organizational hierarchy, group membership, and corporate parent or subsidiary relationships."},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Delegated By","description":"Reference to another party that delegated authority to this one. Models situations such as an autonomous agent acting on behalf of a human user, a contractor acting on behalf of a principal, or a service account assuming a role."}}},"identifier":{"type":"object","title":"Identifier","description":"An identifier issued by a recognized authority. Includes legal and registration identifiers as well as machine and workload identities.","required":["scheme","value"],"additionalProperties":false,"properties":{"scheme":{"title":"Scheme","description":"The identifier scheme. May be a predefined scheme from the CycloneDX identifier-scheme taxonomy expressed as a plain string, or a custom scheme expressed as an object with `name` and optional `description` and `url`.","oneOf":[{"title":"Pre-Defined Scheme","type":"string","enum":["lei","duns","ncage","cage","eori","vat","gst","ein","tin","ruc","bvd","swift-bic","sec-cik","isin","figi","opencorporates","gln","gtin","iso6523","ofac-sdn","un-lm","oidc-sub","spiffe","did","vc-id"],"meta:enum":{"lei":"Legal Entity Identifier per ISO 17442.","duns":"Dun and Bradstreet D-U-N-S Number.","ncage":"NATO Commercial and Government Entity code.","cage":"United States Commercial and Government Entity code.","eori":"Economic Operator Registration and Identification number used in European Union customs.","vat":"Value Added Tax registration number.","gst":"Goods and Services Tax registration number.","ein":"United States Employer Identification Number.","tin":"Generic Taxpayer Identification Number.","ruc":"Registro Unico de Contribuyentes used in several Latin American countries.","bvd":"Bureau van Dijk identifier.","swift-bic":"Business Identifier Code per ISO 9362.","sec-cik":"United States Securities and Exchange Commission 
Central Index Key.","isin":"International Securities Identification Number per ISO 6166.","figi":"Financial Instrument Global Identifier.","opencorporates":"OpenCorporates company identifier.","gln":"GS1 Global Location Number.","gtin":"GS1 Global Trade Item Number when the party is also a registered trade entity.","iso6523":"ISO 6523 organization identifier. The value should encode the four-digit International Code Designator (ICD) followed by the organization identifier per the registry referenced by the ICD.","ofac-sdn":"United States Office of Foreign Assets Control Specially Designated Nationals list identifier.","un-lm":"United Nations Code for Trade and Transport Locations (UN/LOCODE) for a specific facility or jurisdiction.","oidc-sub":"OpenID Connect subject identifier for a machine or service identity. A subject identifier is unique only within the issuer that assigned it, so `issuer` should be provided alongside it.","spiffe":"SPIFFE ID for a workload identity.","did":"W3C Decentralized Identifier (DID) per https://www.w3.org/TR/did-core/. Common for autonomous agents, federated services, and verifiable-credential subjects.","vc-id":"W3C Verifiable Credential identifier per https://www.w3.org/TR/vc-data-model/."}},{"title":"Custom Scheme","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name"},"description":{"type":"string","title":"Description"},"url":{"type":"string","format":"iri-reference","title":"URL","description":"URL of the scheme registry or specification."}}}]},"schemeVersion":{"type":"string","title":"Scheme Version","description":"The version of the scheme that issued this identifier, if applicable."},"value":{"type":"string","title":"Value","description":"The value of the identifier, in the form defined by the scheme. The value is asserted by the document producer; consumers that rely on it for trust, sanctions-screening, or access decisions should verify it against the issuing registry or authority rather than accepting it as proven."},"issuedDate":{"type":"string","format":"date","title":"Issued Date"},"expirationDate":{"type":"string","format":"date","title":"Expiration Date"},"issuer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Issuer","description":"Reference using bom-link or bom-ref to the party that issued the 
identifier."}}},"postalAddress":{"type":"object","title":"Postal Address","description":"An address used to identify a contactable or operational location.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference Identifier","description":"An optional identifier that can be used to reference the address from elsewhere. Every bom-ref shall be unique within the containing instance. The value should not start with the prefix 'urn:cdx:' to avoid conflicts with BOM-Link identifiers."},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code. When the isoCode property is present, the value of isoCode is authoritative."},"region":{"type":"string","title":"Region","description":"The region or state in the country. When the isoCode property carries an ISO 3166-2 subdivision, the value of isoCode is authoritative.","examples":["Texas"]},"isoCode":{"type":"string","pattern":"^[A-Z]{2}(-[A-Z0-9]{1,3})?$","title":"ISO Code","description":"An ISO 3166-1 alpha-2 country code, optionally followed by an ISO 3166-2 subdivision code separated by a hyphen. When present, this property is authoritative over the free-text country and region properties.","examples":["IT-BO","US-CA","DE-BY"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address. Multi-line addresses are expressed as a single string with line breaks (`\\n`) between lines. 
Implementations and serialization formats are not required to preserve the order of elements in an array, so a multi-line address shall not be modeled as an array.","examples":["100 Main Street","Acme Tower\nSuite 1200\n100 Main Street"]},"coordinates":{"type":"object","title":"Geographic Coordinates","description":"Geographic coordinates of the address.","additionalProperties":false,"required":["latitude","longitude"],"properties":{"latitude":{"type":"number","minimum":-90,"maximum":90,"title":"Latitude","description":"Latitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"longitude":{"type":"number","minimum":-180,"maximum":180,"title":"Longitude","description":"Longitude in decimal degrees. Four or more decimal places are recommended for facility-level precision."},"altitude":{"type":"number","title":"Altitude","description":"Altitude in meters above the reference ellipsoid identified by the datum property."},"datum":{"type":"string","title":"Datum","description":"The geodetic datum used for the coordinates. WGS84 is assumed when omitted.","default":"WGS84","examples":["WGS84","NAD83","ETRS89"]}}}}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). 
\n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent family, the `familyId` is a natural choice for this value, provided it is unique within the BOM."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference this assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. This is not the link to the asserted patent: the patent or patent family that the assertion concerns is identified through `patentRefs`."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-perspective-2.0":{"type":"null","title":"CycloneDX Perspective Model","$defs":{"perspectives":{"type":"array","title":"Perspectives","description":"Defines domain-specific views into the document, enabling different audiences to interpret and navigate the data through their own conceptual lens. Each perspective identifies relevant data types and may provide domain-specific terminology mappings.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspective"}},"perspective":{"type":"object","title":"Perspective","description":"A domain-specific view that identifies the types of data relevant to a particular audience and provides optional terminology mappings to facilitate interpretation. 
Perspectives enable tooling to generate filtered views, translate terminology, and validate document completeness against audience-specific requirements.","additionalProperties":false,"required":["name","mappings"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Perspective Name","description":"The name of the perspective, typically indicating the target audience or domain.","examples":["AI/ML Transparency","Device Manufacturing Regulatory Compliance","Minimum Elements of an SBOM"]},"description":{"type":"string","title":"Description","description":"A description of the perspective, its intended audience, and the use cases it supports."},"domains":{"type":"array","title":"Domains","description":"The domains or disciplines to which this perspective applies. Allows selection of multiple pre-defined domains, custom domains, or a combination of both.","items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveDomainChoice"}},"mappings":{"type":"array","title":"Data Type Mappings","description":"An array of mappings that identify the types of data relevant to this perspective using JSON path expressions. Each mapping may include domain-specific terminology.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveMapping"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"perspectiveMapping":{"type":"object","title":"Perspective Mapping","description":"Maps a JSON path expression to domain-specific terminology, enabling audiences to interpret CycloneDX data using familiar nomenclature. 
Each mapping identifies a data type within the document structure and may provide alternative names and descriptions used by the target audience.","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"Path Expression","description":"A [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression that identifies the types of data relevant to this perspective.","examples":["$.components[*].pedigree","$.components[?(@.type=='machine-learning-model')].modelCard","$.components[?(@.type=='cryptographic-asset')]","$.vulnerabilities"]},"nativeName":{"type":"string","title":"Native Name","description":"The domain-specific term used by the target audience to describe the data identified by the expression.","examples":["Foundation Models","Training Corpus","Cryptographic Inventory","Component Provenance"]},"nativeDescription":{"type":"string","title":"Native Description","description":"A domain-specific description of the data type, explaining its significance within the context of the perspective."},"relevance":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectiveRelevance"},"weight":{"type":"number","title":"Weight","description":"Describes the importance of a field in relation to other fields. Values shall be between 0.0 and 1.0. 
This allows for relative ranking of mappings, where higher values indicate greater importance.","minimum":0,"maximum":1},"rationale":{"type":"string","title":"Rationale","description":"Explains why this data type is relevant to the perspective and how it should be interpreted or used."}}},"perspectiveRelevance":{"type":"string","title":"Perspective Relevance","description":"Indicates the importance of a data type to a perspective.","enum":["required","recommended","optional","informative"],"meta:enum":{"required":"This data type is essential for the perspective and should always be present.","recommended":"This data type is highly relevant and should be included when available.","optional":"This data type provides supplementary information that may be useful.","informative":"This data type provides background context but is not directly actionable."}},"perspectiveDomainChoice":{"title":"Perspective Domain Choice","description":"Allows selection of a pre-defined domain or specification of a custom domain.","oneOf":[{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/preDefinedPerspectiveDomain"},{"type":"object","title":"Custom Domain","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Domain Name","description":"The name of the custom domain."},"description":{"type":"string","title":"Domain Description","description":"A description of the custom domain, its scope, and the concerns it addresses."}}}]},"preDefinedPerspectiveDomain":{"type":"string","title":"Pre-Defined Perspective Domain","description":"A pre-defined domain or discipline to which a perspective applies. 
Domains span security disciplines, safety engineering, industry verticals, technology areas, compliance frameworks, and cross-cutting concerns.","enum":["application-security","cloud-security","container-security","cryptographic-security","cyber-security","data-security","endpoint-security","firmware-security","hardware-security","identity-access-management","network-security","operational-security","physical-security","supply-chain-security","web-security","automotive-safety","aviation-safety","environmental-safety","functional-safety","machinery-safety","maritime-safety","nuclear-safety","patient-safety","process-safety","railway-safety","aerospace-defense","automotive","building-automation","consumer-electronics","critical-infrastructure","education","energy-utilities","financial-services","government","healthcare","insurance","legal","manufacturing","media-entertainment","pharmaceuticals","retail","telecommunications","transportation","artificial-intelligence","edge-computing","embedded-systems","industrial-control-systems","industrial-iot","internet-of-things","machine-learning","medical-devices","mobile","operational-technology","robotics","scada","smart-grid","data-protection","export-control","intellectual-property","legal-compliance","licensing","privacy","regulatory-compliance","maintainability","performance","quality-assurance","reliability","testability","incident-response","penetration-testing","red-team","risk-management","threat-intelligence","threat-modeling","vulnerability-management","accessibility","ethics","human-factors","interoperability","resilience","sustainability","transparency"],"meta:enum":{"application-security":"Security concerns related to software applications, including vulnerabilities, secure coding practices, input validation, and dependency management.","cloud-security":"Security concerns specific to cloud computing environments, including configuration, identity management, data protection, and shared responsibility 
models.","container-security":"Security concerns related to containerised applications, including image provenance, runtime protection, orchestration security, and supply chain integrity.","cryptographic-security":"Concerns related to cryptographic implementations, algorithm selection, key management, certificate handling, and post-quantum cryptography readiness.","cyber-security":"Broad security concerns encompassing threat detection, incident response, security operations, and defence-in-depth strategies.","data-security":"Concerns related to protecting data at rest, in transit, and in use, including encryption, access controls, and data loss prevention.","endpoint-security":"Security concerns for end-user devices including workstations, mobile devices, and peripherals, encompassing malware protection and device management.","firmware-security":"Security concerns specific to firmware, including secure boot, firmware updates, integrity verification, and protection against persistent threats.","hardware-security":"Security concerns related to physical hardware, including trusted platform modules, hardware security modules, side-channel attacks, and tamper resistance.","identity-access-management":"Concerns related to authentication, authorisation, identity lifecycle management, privileged access, and zero-trust architectures.","network-security":"Security concerns related to network infrastructure, including firewalls, intrusion detection, segmentation, and secure communications.","operational-security":"Security concerns related to the deployment, configuration, and day-to-day operation of systems in production environments.","physical-security":"Security concerns related to physical access controls, environmental protections, surveillance, and tamper evidence.","supply-chain-security":"Concerns related to the security, integrity, and trustworthiness of components, vendors, and processes throughout the supply chain.","web-security":"Security concerns specific to 
web applications and services, including OWASP Top 10 vulnerabilities, API security, and client-side protections.","automotive-safety":"Safety concerns for automotive systems aligned with ISO 26262, including hazard analysis, functional safety requirements, and ASIL classifications.","aviation-safety":"Safety concerns for aviation systems aligned with DO-178C, DO-254, and DO-326A, including design assurance levels and airworthiness requirements.","environmental-safety":"Concerns related to environmental protection, hazardous materials handling, emissions, and ecological impact assessment.","functional-safety":"Safety concerns aligned with IEC 61508 and derivative standards, focusing on systematic failures, safety integrity levels, and risk reduction.","machinery-safety":"Safety concerns for industrial machinery aligned with ISO 12100 and IEC 62443, including safeguarding, emergency stops, and risk assessment.","maritime-safety":"Safety concerns for maritime and offshore systems, including vessel automation, navigation systems, and compliance with maritime regulations.","nuclear-safety":"Safety concerns for nuclear facilities and systems, including defence-in-depth, safety classification, and regulatory compliance with nuclear standards.","patient-safety":"Safety concerns for medical devices and healthcare systems focusing on preventing harm to patients, including adverse event prevention and clinical risk management.","process-safety":"Safety concerns for industrial processes involving hazardous materials, including process hazard analysis, safety instrumented systems, and layers of protection.","railway-safety":"Safety concerns for railway systems aligned with EN 50126, EN 50128, and EN 50129, including signalling, train control, and safety cases.","aerospace-defense":"Concerns specific to aerospace and defence industries, including mission-critical systems, military standards, and classified information handling.","automotive":"Industry-specific concerns for 
automotive manufacturers and suppliers, including ISO/SAE 21434 cyber security and vehicle type approval.","building-automation":"Concerns related to building management systems, HVAC controls, access systems, and smart building infrastructure.","consumer-electronics":"Concerns specific to consumer electronic devices, including product safety, electromagnetic compatibility, and consumer protection regulations.","critical-infrastructure":"Concerns related to systems designated as critical infrastructure, including sector-specific requirements and national security considerations.","education":"Concerns specific to educational institutions and EdTech, including student data protection, FERPA compliance, and academic integrity.","energy-utilities":"Concerns specific to energy and utility sectors, including NERC CIP compliance, grid security, and operational continuity.","financial-services":"Concerns specific to financial institutions, including PCI DSS, SOX compliance, fraud prevention, and transaction integrity.","government":"Concerns specific to government agencies and contractors, including FedRAMP, FISMA, and public sector procurement requirements.","healthcare":"Concerns specific to healthcare organisations, including HIPAA compliance, electronic health records, and healthcare interoperability.","insurance":"Concerns specific to insurance industry, including actuarial data integrity, claims processing security, and regulatory compliance.","legal":"Concerns specific to legal industry, including attorney-client privilege, e-discovery, and legal hold requirements.","manufacturing":"Concerns specific to manufacturing environments, including production systems, quality management, and shop floor security.","media-entertainment":"Concerns specific to media and entertainment, including digital rights management, content protection, and broadcast systems.","pharmaceuticals":"Concerns specific to pharmaceutical industry, including FDA 21 CFR Part 11, GxP compliance, and 
drug safety systems.","retail":"Concerns specific to retail industry, including point-of-sale security, e-commerce platforms, and customer data protection.","telecommunications":"Concerns specific to telecommunications providers, including network infrastructure, subscriber data, and regulatory compliance.","transportation":"Concerns related to transportation systems beyond automotive and rail, including logistics, fleet management, and traffic control systems.","artificial-intelligence":"Concerns related to AI systems, including model transparency, algorithmic bias, explainability, and ethical considerations.","edge-computing":"Concerns specific to edge computing deployments, including distributed processing, local data handling, and remote device management.","embedded-systems":"Concerns specific to embedded systems development, including real-time constraints, resource limitations, and hardware-software integration.","industrial-control-systems":"Concerns specific to ICS environments, including PLCs, DCS, and industrial automation security aligned with IEC 62443.","industrial-iot":"Concerns specific to Industrial Internet of Things deployments, combining IT security with OT requirements and industrial protocols.","internet-of-things":"Concerns related to IoT devices and ecosystems, including device security, communication protocols, and fleet management.","machine-learning":"Concerns specific to ML models, including training data provenance, model lineage, performance metrics, and reproducibility.","medical-devices":"Concerns specific to medical device development aligned with IEC 62304, FDA guidance, and MDR/IVDR requirements.","mobile":"Concerns specific to mobile applications and devices, including app store requirements, mobile-specific vulnerabilities, and device management.","operational-technology":"Concerns specific to OT environments, bridging IT and industrial systems with focus on availability, safety, and legacy system 
integration.","robotics":"Concerns specific to robotic systems, including autonomous operation, human-robot interaction safety, and motion control security.","scada":"Concerns specific to Supervisory Control and Data Acquisition systems, including remote monitoring, control system security, and protocol vulnerabilities.","smart-grid":"Concerns specific to smart grid infrastructure, including advanced metering, grid automation, and distributed energy resource management.","data-protection":"Concerns related to data protection regulations such as GDPR, CCPA, and cross-border data transfer requirements.","export-control":"Concerns related to export control regulations, including EAR, ITAR, and dual-use technology restrictions.","intellectual-property":"Concerns related to patents, trade secrets, copyright, and other intellectual property rights and protections.","legal-compliance":"Regulatory and legal requirements, including contractual obligations, liability considerations, and legal holds.","licensing":"Concerns related to software licensing, licence compatibility, open source obligations, and commercial licensing terms.","privacy":"Concerns related to personal data protection, privacy by design, consent management, and individual rights.","regulatory-compliance":"Concerns related to compliance with industry-specific regulations, standards, and certification requirements.","maintainability":"Concerns related to the ease of maintaining, updating, and supporting software and systems over their lifecycle.","performance":"Concerns related to system performance, scalability, response times, and resource utilisation.","quality-assurance":"Concerns related to testing, validation, verification, and overall quality metrics and processes.","reliability":"Concerns related to system reliability, fault tolerance, mean time between failures, and degradation modes.","testability":"Concerns related to the ability to test components and systems, including test coverage, test 
automation, and test data management.","incident-response":"Concerns related to detecting, responding to, and recovering from security incidents and breaches.","penetration-testing":"Concerns related to authorised security testing, vulnerability assessment, and security validation activities.","red-team":"Concerns related to adversarial simulation, attack path analysis, and security control effectiveness testing.","risk-management":"Concerns related to risk identification, assessment, treatment, and ongoing risk monitoring.","threat-intelligence":"Concerns related to threat actor analysis, indicators of compromise, and proactive threat hunting.","threat-modeling":"Concerns related to identifying weaknesses, threats, countermeasures, attack surfaces, and trust boundaries.","vulnerability-management":"Concerns related to vulnerability identification, prioritisation, remediation tracking, and disclosure processes.","accessibility":"Concerns related to ensuring systems are usable by people with disabilities, including WCAG compliance.","ethics":"Concerns related to ethical considerations in technology development, including algorithmic fairness and responsible innovation.","human-factors":"Concerns related to human-system interaction, usability, operator error prevention, and ergonomic design.","interoperability":"Concerns related to the ability of systems to exchange and use information effectively across boundaries.","resilience":"Concerns related to system resilience, business continuity, disaster recovery, and graceful degradation.","sustainability":"Concerns related to environmental sustainability, energy efficiency, and responsible resource consumption.","transparency":"Concerns related to openness, auditability, and the ability for stakeholders to understand system behaviour and composition."}}}},"cyclonedx-profile-2.0":{"type":"null","title":"CycloneDX Profile Model","$defs":{"profiles":{"type":"object","title":"Profiles","description":"A registry of reusable, 
named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.","additionalProperties":false,"properties":{"dataProfiles":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfiles"},"threatProfiles":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatProfiles"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"A collection of requirements representing specific needs, constraints, or capabilities that must be met."},"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the 
requirement.","items":{"type":"string"},"uniqueItems":true},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"},"uniqueItems":true},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"},"uniqueItems":true},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the 
requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements 
enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another 
requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}},"requirementAssertions":{"type":"array","title":"Requirement Assertions","description":"A list of assertions describing how a component relates to specific requirements.","uniqueItems":true,"items":{"type":"object","title":"Requirement Assertion","description":"An assertion linking one or more requirements to a component, specifying the nature of the relationship.","required":["assertionType","requirementRefs"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the relationship between the component and the requirement.","enum":["conflicts","not-applicable","not-assessed","other","partially-satisfies","satisfies","violates"],"meta:enum":{"conflicts":"The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.","not-applicable":"The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.","not-assessed":"The relationship between the component and the requirement has not yet been evaluated.","other":"A relationship that does not fit into the other predefined assertion types.","partially-satisfies":"The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.","satisfies":"The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.","violates":"The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria."}},"requirementRefs":{"type":"array","title":"Requirement References","description":"A list of BOM references linking to requirement objects defined in the BOM.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"description":{"type":"string","title":"Description","description":"Additional context or clarification regarding the assertion."}}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","$defs":{"risks":{"type":"object","title":"Risks","description":"A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. 
It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. Each risk separates inherent, residual, and target ratings so risk reduction is explicit.","additionalProperties":false,"properties":{"risks":{"type":"array","title":"Risks","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"The documented risks identified through risk analysis."},"assessments":{"type":"array","title":"Assessments","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Point-in-time risk assessment events, each evaluating one or more of the documented risks."},"riskAppetites":{"type":"array","title":"Risk Appetites","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAppetite"},"description":"The risk appetites that apply to this collection. Multiple entries support a document covering more than one party."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"The domain or category of risk. 
Use the custom option for domains specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Risk Domain","type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply-chain","technical","project","ethical","societal","human-rights","health","legal"],"meta:enum":{"security":"Information security and cybersecurity risks.","privacy":"Data protection and privacy risks.","operational":"Business operations and continuity risks.","financial":"Financial loss and economic impact risks.","compliance":"Regulatory and legal compliance risks.","strategic":"Strategic business and market risks.","reputational":"Brand and reputation damage risks.","safety":"Human safety and physical security risks.","environmental":"Environmental impact and sustainability risks.","supply-chain":"Supply chain and third-party risks.","technical":"Technical and technology risks.","project":"Project delivery and execution risks.","ethical":"Ethical risks, including the responsible use of automated decision-making and artificial intelligence.","societal":"Risks to society, communities, or democratic and civic processes.","human-rights":"Risks to fundamental human rights, including discrimination and loss of autonomy.","health":"Risks to physical or mental health and wellbeing.","legal":"Legal exposure, including liability and contractual risks."}},{"title":"Custom Risk Domain","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk domain."},"description":{"type":"string","title":"Description","description":"A description of the custom risk domain."}}}]},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain."}}},"riskAttribute":{"title":"Risk Attribute","description":"A security or privacy 
attribute representing a potential impact area when a risk is realized. Use the custom option for attributes specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Risk Attribute","type":"string","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data-subject-rights","integrity","minimization","non-repudiation","possession","privacy","purpose-limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities.","authentication":"Verifying the identity of users, devices, or systems before granting access.","authorization":"Granting permissions based on identity and roles to perform specific actions or access resources.","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified.","availability":"Ensuring systems, data, and services are accessible and operational when needed.","compliance":"Adherence to applicable laws, regulations, policies, and standards.","confidentiality":"Preventing unauthorized access to or disclosure of information.","connectivity":"Maintaining secure and reliable communication between systems or components.","control":"Enabling individuals to manage how their personal data is used and shared.","data-subject-rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorized actors.","minimization":"Limiting data collection and retention to what is strictly necessary for the intended purpose.","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications.","possession":"Ensuring control or custody over data or assets, regardless of ownership.","privacy":"Protecting individuals' personal information in accordance with legal and ethical 
standards.","purpose-limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection.","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing.","utility":"Ensuring data is usable and in a format suitable for the intended purpose."}},{"title":"Custom Risk Attribute","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk attribute."},"description":{"type":"string","title":"Description","description":"A description of the custom risk attribute."}}}]},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"A human-readable name for the risk."},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact."},"description":{"type":"string","description":"Additional narrative about the risk."},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"The risk domains this risk affects."},"affects":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the subjects this risk concerns. A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged."},"relatedThreats":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. 
A reference may point to a discrete threat or to a threat scenario."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities that inform this risk."},"relatedWeaknesses":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the weaknesses that inform this risk."},"relatedRequirements":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met."},"relatedStandards":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk."},"relatedClaims":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. 
The degree of conformance is carried by the claim, not by the risk."},"relatedBusinessObjectives":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this risk threatens."},"inherentRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The assessed risk before any responses are applied."},"residualRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The assessed risk remaining after responses are applied."},"targetRisk":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/rating","description":"The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment."},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"The responses applied to this risk."},"status":{"title":"Status","description":"The lifecycle status of the risk. 
Use the custom option for a status specific to an organization's risk process.","oneOf":[{"title":"Predefined Risk Status","type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated.","assessed":"Risk has been assessed and prioritized.","mitigated":"Responses are in place reducing this risk.","accepted":"Risk has been formally accepted.","transferred":"Risk has been transferred to another party.","retired":"Risk no longer applies."}},{"title":"Custom Risk Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"rating":{"type":"object","title":"Rating","description":"A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). 
For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).","additionalProperties":false,"properties":{"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"detectability":{"type":"object","title":"Detectability","additionalProperties":false,"description":"The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.","properties":{"score":{"type":"number","minimum":0,"description":"The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier."},"description":{"type":"string","description":"A narrative explanation of the detectability assessment."}}},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. 
Supports quantitative methods that reason over uncertainty."},"rationale":{"type":"string","title":"Rationale","description":"The justification for this rating, including the method and the evidence considered."}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["very-low","low","medium","high","very-high","certain"],"meta:enum":{"very-low":"Very unlikely to occur (less than 10% probability).","low":"Unlikely to occur (10 to 30% probability).","medium":"Possible to occur (30 to 60% probability).","high":"Likely to occur (60 to 85% probability).","very-high":"Very likely to occur (85 to 99% probability).","certain":"Almost certain to occur (greater than 99% probability)."}},"score":{"type":"number","minimum":0,"description":"Numeric likelihood score on the scale defined by the methodology."},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal from 0 to 1."},"frequency":{"type":"number","minimum":0,"title":"Frequency","description":"The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. 
Unlike a probability, a frequency may exceed 1."},"timeframe":{"type":"string","title":"Timeframe","description":"The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."},"range":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A range for the probability or frequency, supporting quantitative methods that reason over distributions."},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"The factors considered when determining the likelihood level."},"rationale":{"type":"string","description":"The justification for the likelihood rating."}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. 
Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","type":"string","enum":["attack-vector","contact-frequency","control-effectiveness","detectability","discoverability","exploit-maturity","exposure","motivation","opportunity","targeting","threat-capability","vulnerability"],"meta:enum":{"attack-vector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","contact-frequency":"How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.","control-effectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.","detectability":"Likelihood that the activity is detected before the risk is realized. Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.","discoverability":"Ease with which the weakness or opportunity can be found by a potential actor. 
Aligns with the OWASP Risk Rating ease of discovery factor.","exploit-maturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","targeting":"Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.","threat-capability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being 
realized.","enum":["very-low","low","medium","high","very-high","certain"],"meta:enum":{"very-low":"This factor has minimal contribution to risk realization (less than 10% influence).","low":"This factor has limited contribution to risk realization (10 to 30% influence).","medium":"This factor moderately contributes to risk realization (30 to 60% influence).","high":"This factor strongly contributes to risk realization (60 to 85% influence).","very-high":"This factor very strongly contributes to risk realization (85 to 99% influence).","certain":"This factor almost certainly contributes to risk realization (greater than 99% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.","minimum":0},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. 
A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"The qualitative impact severity level.","meta:enum":{"negligible":"Minimal impact with no significant consequences.","low":"Minor impact with limited consequences.","moderate":"Moderate impact affecting some operations.","major":"Significant impact with serious consequences.","catastrophic":"Catastrophic impact with existential consequences."}},"polarity":{"type":"string","title":"Polarity","description":"Whether the impact represents a harm or a benefit. 
Benefits support modeling opportunities and positive risk.","enum":["harm","benefit"],"meta:enum":{"harm":"A negative impact or downside.","benefit":"A positive impact or upside."}},"score":{"type":"number","minimum":0,"description":"Numeric impact score on the scale defined by the methodology."},"categories":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactCategory"},"description":"The categories of impact, including harms relevant to AI and societal risk."},"factors":{"type":"array","title":"Factors","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactFactor"},"description":"The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown."},"range":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A range for the impact score, supporting quantitative methods that reason over distributions."},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"The risk attributes affected."},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"A description of the potential impact."}}},"impactCategory":{"title":"Impact Category","description":"A category of impact, including harms relevant to AI and societal risk. 
Use the custom option for categories specific to an organization's risk taxonomy.","oneOf":[{"title":"Predefined Impact Category","type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic","bias","discrimination","fairness","human-rights","environmental","societal","psychological","physical","health"],"meta:enum":{"confidentiality":"Impact on data confidentiality.","integrity":"Impact on data or system integrity.","availability":"Impact on service availability.","financial":"Financial loss or impact.","reputation":"Reputational damage.","regulatory":"Regulatory compliance impact.","safety":"Human safety impact.","privacy":"Privacy violation impact.","operational":"Operational disruption.","strategic":"Strategic business impact.","bias":"Systematic bias in automated outputs or decisions.","discrimination":"Unfair treatment of individuals or groups, including on the basis of protected attributes.","fairness":"Impact on the fair and equitable treatment of affected groups.","human-rights":"Impact on fundamental human rights, including autonomy and dignity.","environmental":"Environmental impact, including energy use and carbon emissions.","societal":"Impact on society, communities, or civic processes.","psychological":"Psychological or emotional harm.","physical":"Physical harm to people or property.","health":"Impact on physical or mental health."}},{"title":"Custom Impact Category","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom impact category."},"description":{"type":"string","title":"Description","description":"A description of the custom impact category."}}}]},"impactFactor":{"type":"object","title":"Impact Factor","description":"An individual contributing factor used to determine the overall impact of a risk or scenario. 
Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'."},"category":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactCategory","description":"The impact dimension this factor measures."},"score":{"type":"number","minimum":0,"title":"Score","description":"A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact."},"weight":{"type":"number","minimum":0,"maximum":1,"title":"Weight","description":"The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value."},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"estimateRange":{"type":"object","title":"Estimate Range","description":"A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.","additionalProperties":false,"properties":{"minimum":{"type":"number","description":"The minimum, or lower bound, estimate."},"mostLikely":{"type":"number","description":"The most likely estimate."},"maximum":{"type":"number","description":"The maximum, or upper bound, estimate."}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"The estimated financial loss, in the units given by 
currency."},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code."},"affectedUsers":{"type":"integer","description":"The number of affected users."},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."},"dataRecords":{"type":"integer","description":"The number of data records affected."},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration."},"financialLossRange":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/estimateRange","description":"A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges."},"affectedGroups":{"type":"integer","minimum":0,"description":"The number of distinct groups or populations affected."}}},"riskScore":{"type":"object","title":"Risk Score","description":"The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. 
For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"The overall qualitative risk level.","meta:enum":{"info":"Informational.","low":"Low risk.","medium":"Medium risk.","high":"High risk.","critical":"Critical risk."}},"score":{"type":"number","minimum":0,"description":"Numeric risk score on the scale defined by the methodology."},"vector":{"type":"string","description":"A textual representation of the metric values used to derive the score, in the format defined by the methodology."},"methodology":{"title":"Methodology","description":"The risk rating methodology used to derive this score. Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. 
Use the custom option for methodologies not listed.","oneOf":[{"title":"Predefined Risk Methodology","type":"string","enum":["dread","fair","fmea","nist-sp-800-30","octave","owasp-risk-rating","qualitative-matrix"],"meta:enum":{"dread":"[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.","fair":"[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.","fmea":"[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.","nist-sp-800-30":"[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.","octave":"[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.","owasp-risk-rating":"[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.","qualitative-matrix":"A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25."}},{"title":"Custom Risk Methodology","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom risk methodology."},"description":{"type":"string","title":"Description","description":"A description of the custom risk methodology."}}}]}}},"riskResponse":{"type":"object","title":"Risk Response","description":"An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. 
Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.","required":["bom-ref","strategy"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link."},"strategy":{"type":"string","title":"Strategy","description":"The disposition chosen for the risk.","enum":["avoid","reduce","transfer","accept","exploit","enhance"],"meta:enum":{"avoid":"Eliminate the risk by removing its source or not proceeding with the activity.","reduce":"Lower the likelihood or impact of the risk through controls.","transfer":"Shift the risk to another party, for example through insurance or contract.","accept":"Take no further action and retain the risk.","exploit":"Pursue an opportunity so that a positive risk occurs.","enhance":"Increase the likelihood or benefit of a positive risk."}},"description":{"type":"string","title":"Description","description":"A description of the response."},"controls":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that implement this response."},"status":{"title":"Status","description":"The implementation status of the response.","$ref":"#/$defs/cyclonedx-control-2.0/$defs/implementationStatus"},"effectiveness":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/effectiveness"},"cost":{"type":"string","title":"Cost","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort.","low":"Low cost and effort.","medium":"Moderate cost and effort.","high":"High cost and significant effort.","extreme":"Extreme cost and major effort."}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party 
accountable for this response. May be an inline party object or a reference to a previously declared party."},"targetDate":{"type":"string","format":"date-time","title":"Target Date","description":"The date by which this response is targeted to be implemented."},"addresses":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assessment":{"type":"object","required":["bom-ref","type","cadence","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"A human-readable name for the assessment."},"type":{"type":"array","title":"Type","minItems":1,"uniqueItems":true,"description":"The kinds of assessment performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. 
Use the custom option for kinds specific to an organization's process.","items":{"oneOf":[{"title":"Predefined Assessment Type","type":"string","enum":["security","privacy","operational","safety","financial","environmental","supply-chain","compliance","data-protection-impact","fundamental-rights-impact","ai-impact","business-impact","third-party","threat","vulnerability","model-risk","fraud"],"meta:enum":{"security":"Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.","privacy":"Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.","operational":"Operational risk assessment, evaluating risks to ongoing operations and continuity.","safety":"Safety risk assessment, evaluating risks of harm to people or property.","financial":"Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.","environmental":"Environmental risk assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.","supply-chain":"Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).","compliance":"Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.","data-protection-impact":"Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).","fundamental-rights-impact":"Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).","ai-impact":"Artificial intelligence impact assessment, 
evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).","business-impact":"Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.","third-party":"Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.","threat":"Threat assessment, evaluating the threats and threat actors relevant to a subject.","vulnerability":"Vulnerability assessment, evaluating weaknesses that could be exploited.","model-risk":"Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.","fraud":"Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that detect or prevent it."}},{"title":"Custom Assessment Type","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assessment type."},"description":{"type":"string","title":"Description","description":"A description of the custom assessment type."}}}]}},"cadence":{"title":"Cadence","description":"The temporal cadence or occasion on which the assessment is performed. 
Use the custom option for patterns specific to an organization's process.","oneOf":[{"title":"Predefined Assessment Cadence","type":"string","enum":["initial","periodic","continuous","triggered","ad-hoc"],"meta:enum":{"initial":"Initial, baseline assessment performed once at the outset.","periodic":"Scheduled, recurring assessment.","continuous":"Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.","triggered":"Assessment triggered by a specific event, such as a change or an incident.","ad-hoc":"Unplanned, one-off assessment, neither scheduled nor triggered by a defined event."}},{"title":"Custom Assessment Cadence","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom assessment cadence."},"description":{"type":"string","title":"Description","description":"A description of the custom assessment cadence."}}}]},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed."},"scope":{"type":"string","title":"Scope","description":"The scope of the assessment, including the systems, boundaries, and what is in or out of scope."},"status":{"title":"Status","description":"The lifecycle status of the assessment. 
Use the custom option for a status specific to an organization's process.","oneOf":[{"title":"Predefined Assessment Status","type":"string","enum":["draft","in-progress","completed","approved","superseded"],"meta:enum":{"draft":"The assessment is being prepared.","in-progress":"The assessment is underway.","completed":"The assessment is finished.","approved":"The assessment has been reviewed and approved.","superseded":"The assessment has been replaced by a later one."}},{"title":"Custom Assessment Status","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom status."},"description":{"type":"string","title":"Description","description":"A description of the custom status."}}}]},"assessors":{"type":"array","title":"Assessors","items":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice"},"description":"The parties that performed the assessment. Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`."},"summary":{"type":"string","description":"An executive summary of the assessment."},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to risk entries evaluated in this assessment."},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"title":"Method","description":"The aggregation method used to derive the overall risk from the assessed risks. 
Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR. Aggregation is only meaningful when the individual risk scores are expressed on a common scale under the same methodology; `sum` and `average` should not be applied to ordinal, qualitative ratings, whereas `maximum` does not depend on the scores being additive.","oneOf":[{"title":"Predefined Aggregation Method","type":"string","enum":["maximum","sum","average","weighted-average"],"meta:enum":{"maximum":"The overall risk equals the highest individual risk.","sum":"The overall risk is the sum of the individual risks, representing total exposure.","average":"The overall risk is the mean of the individual risks.","weighted-average":"The overall risk is a weighted mean of the individual risks."}},{"title":"Custom Aggregation Method","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom aggregation method."},"description":{"type":"string","title":"Description","description":"A description of the custom aggregation method."}}}]},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"An optional explanation for custom aggregation approaches."}},"description":"The aggregated risk result for this assessment."},"assumptions":{"type":"array","title":"Assumptions","items":{"type":"string"},"description":"The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change."},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment."},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur."},"riskAppetites":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this 
assessment."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level.","meta:enum":{"none":"No priority.","low":"Low priority.","medium":"Medium priority.","high":"High priority.","critical":"Critical priority."}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level.","meta:enum":{"minimal":"Minimal impact on business operations.","low":"Low impact with minor inconvenience.","moderate":"Moderate impact affecting some operations.","high":"High impact affecting critical operations.","critical":"Critical impact with severe business consequences."}},"appetiteLevel":{"type":"string","description":"A qualitative risk appetite level, ranging from risk-averse to risk-seeking.","enum":["averse","minimal","cautious","open","hungry"],"meta:enum":{"averse":"Avoidance of risk is the priority, and only the lowest-risk options are acceptable.","minimal":"A preference for very low risk, accepting risk only where it is unavoidable.","cautious":"A preference for safe options, accepting limited and well-understood risk for reward.","open":"A willingness to accept higher risk where the potential reward justifies it.","hungry":"An active willingness to seek risk in pursuit of greater reward, within defined control limits."}},"riskAppetite":{"type":"object","title":"Risk Appetite","description":"The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. 
Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.","required":["level"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment."},"party":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. May be an inline party object or a reference to a previously declared party."},"level":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel","description":"The overall risk appetite level."},"statement":{"type":"string","title":"Statement","description":"A narrative statement of the overall risk appetite, including any qualifications or context."},"rationale":{"type":"string","description":"The justification for this appetite, such as the strategic objective or regulatory obligation that informs it."},"owner":{"$ref":"#/$defs/cyclonedx-party-2.0/$defs/partyChoice","description":"The party accountable for setting and approving this appetite, such as a board or risk committee. 
May be an inline party object or a reference to a previously declared party."},"horizon":{"type":"string","description":"The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."},"nextReview":{"type":"string","format":"date-time","description":"When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape."},"categories":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["domain","level"],"additionalProperties":false,"properties":{"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain","description":"The risk domain this appetite entry applies to."},"level":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel","description":"The appetite level for this risk domain."},"statement":{"type":"string","description":"A narrative statement of the appetite for this risk domain."},"rationale":{"type":"string","description":"The justification for the appetite for this risk domain."}}},"description":"Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial."}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"serviceData":{"type":"object","title":"Service Data","description":"Data handled by the service, described by its flow direction relative to the service and its classification.","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threats":{"type":"object","title":"Threats","description":"Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.","additionalProperties":false,"properties":{"threats":{"type":"array","title":"Threats","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threat"},"description":"The documented threats. 
Each describes what can go wrong, independent of any specific actor or occurrence."},"scenarios":{"type":"array","title":"Scenarios","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"The threat scenarios, each realizing one or more documented threats in a specific way."},"attackPatterns":{"type":"array","title":"Attack Patterns","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPattern"},"description":"A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference."},"attackTrees":{"type":"array","title":"Attack Trees","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackTree"},"description":"Attack trees that decompose attacker goals into sub-goals and techniques."},"attackPaths":{"type":"array","title":"Attack Paths","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPath"},"description":"Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement."},"abuseCases":{"type":"array","title":"Abuse Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that describe how the system can be exercised by an adversary."},"trustBoundaries":{"type":"array","title":"Trust Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/trustBoundary"},"description":"The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics."},"methodologies":{"type":"array","title":"Methodologies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/methodology"},"description":"The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack 
trees."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"methodology":{"title":"Threat Modeling Methodology","description":"A threat modeling methodology applied to produce this threat model. Use the custom option for methodologies not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Threat Modeling Methodology","enum":["STRIDE","LINDDUN","PASTA","MAESTRO","OWASP","TRIKE","VAST","ATFAA","attack-tree"],"meta:enum":{"STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.","PASTA":"Process for Attack Simulation and Threat Analysis.","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome.","OWASP":"OWASP threat modelling methodology.","TRIKE":"Risk-based threat modelling methodology.","VAST":"Visual, Agile, and Simple Threat modelling.","ATFAA":"Advanced Threat Framework for Autonomous AI Agents.","attack-tree":"Attack tree methodology, decomposing attacker goals into sub-goals and techniques."}},{"type":"object","title":"Custom Threat Modeling Methodology","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom threat modeling methodology."},"description":{"type":"string","title":"Description","description":"A description of the custom threat modeling methodology."}}}]},"threat":{"type":"object","title":"Threat","description":"A documented threat, describing what can go wrong independent of any specific actor or occurrence. 
A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat."},"description":{"type":"string","title":"Description","description":"A description of the threat."},"source":{"type":"string","title":"Source","description":"The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity."},"origin":{"title":"Origin","description":"The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Use the custom option for an origin not covered by the enumeration.","oneOf":[{"type":"string","title":"Predefined Origin","enum":["adversarial","accidental","structural","environmental"],"meta:enum":{"adversarial":"An adversary acting with intent, such as an individual, group, organization, or nation state.","accidental":"An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.","structural":"A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.","environmental":"A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage."}},{"type":"object","title":"Custom Origin","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the custom origin."},"description":{"type":"string","title":"Description","description":"A description of the custom 
origin."}}}]},"categories":{"type":"array","title":"Categories","uniqueItems":true,"description":"The taxonomy-specific categories that this threat falls under. A threat may be categorized under more than one taxonomy, for example STRIDE and MAESTRO. The `taxonomy` is one of the supported classification taxonomies, and it determines which `category` values are permitted; this is enforced by the conditional rules on each item.","items":{"type":"object","title":"Threat Category","description":"A threat category. The taxonomy determines the permitted category values.","additionalProperties":false,"required":["taxonomy","category"],"properties":{"taxonomy":{"type":"string","title":"Taxonomy","description":"The threat classification taxonomy that the category is drawn from.","enum":["STRIDE","LINDDUN","MAESTRO","MITRE-ATTACK"],"meta:enum":{"STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.","MITRE-ATTACK":"The MITRE ATT&CK framework, whose categories are its Enterprise tactics."}},"category":{"type":"string","minLength":1,"title":"Category","description":"The category within the taxonomy. 
The permitted values are determined by the taxonomy."}},"allOf":[{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"STRIDE"}}},"then":{"properties":{"category":{"enum":["spoofing","tampering","repudiation","information-disclosure","denial-of-service","elevation-of-privilege"],"meta:enum":{"spoofing":"Impersonating something or someone, violating authenticity.","tampering":"Modifying data or code, violating integrity.","repudiation":"Denying having performed an action, violating non-repudiation.","information-disclosure":"Exposing information to unauthorized parties, violating confidentiality.","denial-of-service":"Denying or degrading service to legitimate users, violating availability.","elevation-of-privilege":"Gaining capabilities without proper authorization, violating authorization."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"LINDDUN"}}},"then":{"properties":{"category":{"enum":["linkability","identifiability","non-repudiation","detectability","disclosure-of-information","unawareness","non-compliance"],"meta:enum":{"linkability":"Linking data items to learn more about an individual.","identifiability":"Identifying an individual from data.","non-repudiation":"Being unable to deny a claim, harming plausible deniability.","detectability":"Detecting that an item of interest exists.","disclosure-of-information":"Revealing personal data, violating confidentiality.","unawareness":"Individuals being unaware of the processing of their data.","non-compliance":"Deviating from policy, regulation, or best practice."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"MAESTRO"}}},"then":{"properties":{"category":{"enum":["foundation-models","data-operations","agent-frameworks","deployment-and-infrastructure","evaluation-and-observability","security-and-compliance","agent-ecosystem"],"meta:enum":{"foundation-models":"Layer 1. The core models that provide the agent's capabilities.","data-operations":"Layer 2. 
Storage, retrieval, and processing of the agent's data.","agent-frameworks":"Layer 3. The frameworks and tools that build and run agents.","deployment-and-infrastructure":"Layer 4. The infrastructure on which agents are deployed and scaled.","evaluation-and-observability":"Layer 5. Evaluation, monitoring, and observability of agent behaviour.","security-and-compliance":"Layer 6. The cross-cutting security and compliance controls.","agent-ecosystem":"Layer 7. The applications and marketplace where agents deliver value to end-users."}}}}},{"if":{"required":["taxonomy"],"properties":{"taxonomy":{"const":"MITRE-ATTACK"}}},"then":{"properties":{"category":{"enum":["reconnaissance","resource-development","initial-access","execution","persistence","privilege-escalation","defense-evasion","credential-access","discovery","lateral-movement","collection","command-and-control","exfiltration","impact"]}}}}]}},"weaknesses":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses","description":"The weaknesses, such as CWE classifications, that this threat exploits."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it."},"attackPatterns":{"type":"array","title":"Attack Patterns","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the attack patterns by which this threat is carried out."},"attackTrees":{"type":"array","title":"Attack Trees","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the attack trees that decompose this threat."},"abuseCases":{"type":"array","title":"Abuse Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or 
bom-ref to the abuse cases that illustrate how this threat can be exercised."},"killChainPhase":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase","description":"The phase of the cyber kill chain at which this threat operates."},"behaviors":{"type":"array","title":"Behaviors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy."},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"affectedAssets":{"type":"array","title":"Affected Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the kinds of assets this threat affects."},"relatedBusinessObjectives":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this threat endangers."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this threat."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"threatScenario":{"type":"object","title":"Threat Scenario","description":"A specific realization of a threat, in which an actor seeks to cause harm. 
The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.","additionalProperties":false,"required":["bom-ref","name","threats"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat scenario."},"description":{"type":"string","title":"Description","description":"A description of the threat scenario."},"threats":{"type":"array","title":"Threats","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party that is the actor in this scenario. 
Named adversary groups are organizations and abstract attacker classes are personas."},"threatProfile":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor."},"motivation":{"type":"array","title":"Motivation","uniqueItems":true,"description":"The motivations of the actor in this scenario.","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"],"meta:enum":{"financial":"Motivated by financial gain.","political":"Motivated by political objectives.","personal":"Motivated by personal reasons.","ideological":"Motivated by ideology or belief.","espionage":"Motivated by intelligence gathering.","destruction":"Motivated by the desire to destroy.","disruption":"Motivated by the desire to disrupt operations.","reputation":"Motivated by reputational gain or harm.","curiosity":"Motivated by curiosity.","competitive":"Motivated by competitive advantage.","revenge":"Motivated by revenge.","activism":"Motivated by activism."}}},"intent":{"type":"string","title":"Intent","description":"The intent of the actor in this scenario.","enum":["accidental","opportunistic","targeted","persistent"],"meta:enum":{"accidental":"The harm is caused without intent.","opportunistic":"The actor takes advantage of an opportunity as it arises.","targeted":"The actor deliberately targets the subject.","persistent":"The actor pursues the target persistently over time."}},"accessLevel":{"type":"string","title":"Access Level","description":"The level of access the actor is assumed to have in this scenario.","enum":["none","external","internal","privileged","physical"],"meta:enum":{"none":"No access.","external":"External access only.","internal":"Internal access, such as that of an ordinary user.","privileged":"Privileged or administrative 
access.","physical":"Physical access to the target."}},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","title":"Risk Attributes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"The security and privacy attributes that would be compromised if this scenario were realized."},"affectedAssets":{"type":"array","title":"Affected Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets affected in this scenario."},"relatedRisks":{"type":"array","title":"Related Risks","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risks that this scenario contributes to."},"relatedVulnerabilities":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the vulnerabilities exploited in this scenario."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"threatProfiles":{"type":"array","title":"Threat Profiles","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatProfile"},"description":"Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat."},"threatProfile":{"type":"object","title":"Threat Profile","description":"A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. 
Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.","additionalProperties":false,"required":["bom-ref"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the threat profile."},"description":{"type":"string","title":"Description","description":"A description of the threat profile."},"sophistication":{"type":"string","title":"Sophistication","description":"The level of technical sophistication an actor characterized by this profile is assumed to possess.","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication.","minimal":"Minimal sophistication, relying on readily available tools and techniques.","intermediate":"Intermediate technical skills.","advanced":"Advanced skills consistent with a persistent and well-resourced actor.","expert":"Expert skills consistent with the most capable actors."}},"resources":{"type":"string","title":"Resources","description":"The level of resources an actor characterized by this profile is assumed to have available.","enum":["minimal","limited","moderate","substantial","unlimited"],"meta:enum":{"minimal":"Minimal resources.","limited":"Limited resources.","moderate":"Moderate resources.","substantial":"Substantial resources.","unlimited":"Effectively unlimited resources."}},"skillSet":{"type":"array","title":"Skill Set","uniqueItems":true,"items":{"type":"string"},"description":"The specific skills an actor characterized by this profile is assumed to possess."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"attackVector":{"type":"object","title":"Attack Vector","description":"The conditions under which an attack is possible, following the convention of 
the Common Vulnerability Scoring System (CVSS) v3.x base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope. Scope has no counterpart in CVSS v4.0, so values derived from a v4.0 vector should be mapped with care.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The context by which an attack is possible.","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via a network.","adjacent":"Exploitable from an adjacent network, such as the same physical or logical network segment.","local":"Requires local access.","physical":"Requires physical access."}},"complexity":{"type":"string","title":"Complexity","description":"The complexity of the attack.","enum":["low","high"],"meta:enum":{"low":"The attack has low complexity.","high":"The attack has high complexity."}},"privileges":{"type":"string","title":"Privileges","description":"The level of privileges required to carry out the attack.","enum":["none","low","high"],"meta:enum":{"none":"No privileges are required.","low":"Low privileges are required.","high":"High privileges are required."}},"userInteraction":{"type":"string","title":"User Interaction","description":"Whether the attack requires interaction from a user other than the attacker.","enum":["none","required"],"meta:enum":{"none":"No user interaction is required.","required":"User interaction is required."}},"scope":{"type":"string","title":"Scope","description":"Whether a successful attack affects resources beyond the vulnerable component.","enum":["unchanged","changed"],"meta:enum":{"unchanged":"The attack affects only the vulnerable component.","changed":"The attack affects resources beyond the vulnerable component."}}}},"attackPattern":{"type":"object","title":"Attack Pattern","description":"A description of the common attributes and approach of an attack, typically aligned with CAPEC. 
Techniques are aligned with MITRE ATT&CK.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link."},"capecId":{"type":"integer","minimum":1,"title":"CAPEC Identifier","description":"The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the attack pattern."},"description":{"type":"string","title":"Description","description":"A description of the attack pattern."},"prerequisites":{"type":"array","title":"Prerequisites","uniqueItems":true,"items":{"type":"string"},"description":"The conditions that must hold for the attack to be possible."},"techniques":{"type":"array","title":"Techniques","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"The techniques used to carry out the attack, typically aligned with MITRE ATT&CK."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this attack pattern."},"examples":{"type":"array","title":"Examples","uniqueItems":true,"items":{"type":"string"},"description":"Real-world examples of the attack pattern."}}},"technique":{"type":"object","title":"Technique","description":"A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"The identifier of the technique, such as a MITRE ATT&CK technique identifier."},"name":{"type":"string","title":"Name","description":"The name of the technique."},"tactic":{"type":"string","title":"Tactic","description":"The tactic that the 
technique supports, such as a MITRE ATT&CK tactic."},"procedure":{"type":"string","title":"Procedure","description":"The specific procedure by which the technique is carried out."}}},"attackTree":{"type":"object","title":"Attack Tree","description":"A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. One node is the root, representing the attacker goal.","additionalProperties":false,"required":["bom-ref","nodes"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link."},"name":{"type":"string","title":"Name","description":"The name of the attack tree."},"description":{"type":"string","title":"Description","description":"A description of the attack tree."},"root":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Root BOM Reference","description":"Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the single node that no other node lists as a child. Exactly one such node should exist, and child references must not form a cycle, so that consumers can locate the root and traverse the tree to completion."},"nodes":{"type":"array","title":"Nodes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackTreeNode"},"description":"The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting."}}},"attackTreeNode":{"type":"object","title":"Attack Tree Node","description":"A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. 
The hierarchy is expressed by these references rather than by nesting.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The goal, sub-goal, or technique that the node represents."},"description":{"type":"string","title":"Description","description":"A description of the node."},"operator":{"type":"string","title":"Operator","description":"Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.","enum":["and","or"],"meta:enum":{"and":"All child nodes are required to achieve this node.","or":"Any one child node is sufficient to achieve this node."}},"children":{"type":"array","title":"Children","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. 
A child node may be shared by more than one parent."},"attackPattern":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the attack pattern that this node represents."},"weakness":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the weakness that this node exploits."},"cost":{"type":"string","title":"Cost","description":"The relative cost to an attacker of achieving this node.","enum":["negligible","low","moderate","high","prohibitive"],"meta:enum":{"negligible":"Negligible cost.","low":"Low cost.","moderate":"Moderate cost.","high":"High cost.","prohibitive":"Prohibitive cost."}},"skill":{"type":"string","title":"Skill","description":"The skill level required to achieve this node.","enum":["none","basic","intermediate","advanced","expert"],"meta:enum":{"none":"No special skill is required.","basic":"Basic skill is required.","intermediate":"Intermediate skill is required.","advanced":"Advanced skill is required.","expert":"Expert skill is required."}},"detectability":{"type":"string","title":"Detectability","description":"How readily an attempt to achieve this node can be detected.","enum":["undetectable","low","moderate","high"],"meta:enum":{"undetectable":"The attempt is effectively undetectable.","low":"The attempt is difficult to detect.","moderate":"The attempt is moderately detectable.","high":"The attempt is readily detectable."}},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this node."}}},"abuseCase":{"type":"object","title":"Abuse Case","description":"A description of how an adversary can misuse the system to achieve a malicious goal. 
An abuse case is the security counterpart of a use case and reuses its flow structure.","additionalProperties":false,"required":["bom-ref","name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the abuse case, typically expressed as a malicious goal."},"description":{"type":"string","title":"Description","description":"A narrative describing how the system can be misused or abused."},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona."},"realizes":{"type":"array","title":"Realizes","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this abuse case realizes."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"The conditions that must hold before the abuse case can begin."},"mainFlow":{"type":"array","title":"Main Flow","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered steps the abuser follows."},"targets":{"type":"array","title":"Targets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the assets or flows targeted in this abuse case."},"detectionOpportunities":{"type":"array","title":"Detection Opportunities","uniqueItems":true,"items":{"type":"string"},"description":"The signals, logs, or controls that present an opportunity to detect the 
abuse."},"mitigations":{"type":"array","title":"Mitigations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that mitigate this abuse case."}}},"exploitability":{"type":"object","title":"Exploitability","description":"The degree to which a threat can be exploited in practice.","additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The maturity of available exploitation capability.","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Exploitation is theoretically possible but has not been demonstrated.","proof-of-concept":"A proof of concept exists.","functional":"A functional exploit exists.","weaponized":"A weaponized exploit is in use."}},"complexity":{"type":"string","title":"Complexity","description":"The complexity of exploitation.","enum":["trivial","low","medium","high","very-high"],"meta:enum":{"trivial":"Exploitation is trivial.","low":"Exploitation has low complexity.","medium":"Exploitation has medium complexity.","high":"Exploitation has high complexity.","very-high":"Exploitation has very high complexity."}},"skillRequired":{"type":"string","title":"Skill Required","description":"The skill level required to exploit the threat.","enum":["none","basic","intermediate","advanced","expert"],"meta:enum":{"none":"No special skill is required.","basic":"Basic skill is required.","intermediate":"Intermediate skill is required.","advanced":"Advanced skill is required.","expert":"Expert skill is required."}},"automatable":{"type":"boolean","title":"Automatable","description":"Whether exploitation can be automated."}}},"indicators":{"type":"object","title":"Indicators","description":"The observable indicators associated with a threat.","additionalProperties":false,"properties":{"compromise":{"type":"array","title":"Indicators of 
Compromise","uniqueItems":true,"items":{"type":"string"},"description":"The indicators that a compromise has occurred."},"attack":{"type":"array","title":"Indicators of Attack","uniqueItems":true,"items":{"type":"string"},"description":"The indicators that an attack is under way."},"signatures":{"type":"array","title":"Signatures","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"The detection signatures associated with the threat. Signature content received from an external source is untrusted input and should be reviewed before being loaded into a detection engine."}}},"signature":{"type":"object","title":"Signature","description":"A detection signature for a threat.","additionalProperties":false,"required":["type","value"],"properties":{"type":{"type":"string","title":"Type","description":"The type of signature.","enum":["yara","snort","regex","hash","behavior"],"meta:enum":{"yara":"A YARA rule.","snort":"A Snort rule.","regex":"A regular expression. Consumers should guard against patterns with pathological matching cost before evaluating them.","hash":"A cryptographic hash of a known artifact. The schema does not record the hash algorithm, so the value or description should identify it.","behavior":"A behavioural signature."}},"value":{"type":"string","minLength":1,"title":"Value","description":"The signature value or pattern, in the syntax of the signature type."},"description":{"type":"string","title":"Description","description":"A description of what the signature detects."},"confidence":{"type":"string","title":"Confidence","description":"The confidence level of a detection by this signature.","enum":["low","medium","high"],"meta:enum":{"low":"Low confidence.","medium":"Medium confidence.","high":"High confidence."}}}},"trustBoundary":{"type":"object","title":"Trust Boundary","description":"A security annotation marking an architectural boundary as one across which trust changes. 
It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.","additionalProperties":false,"required":["bom-ref","boundary"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link."},"boundary":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates."},"name":{"type":"string","title":"Name","description":"The name of the trust boundary."},"description":{"type":"string","title":"Description","description":"A description of the trust boundary."},"trustLevel":{"type":"string","title":"Trust Level","description":"The trust level differential across the boundary.","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"meta:enum":{"untrusted":"The boundary separates an untrusted zone.","semi-trusted":"The boundary separates a semi-trusted zone.","trusted":"The boundary separates a trusted zone.","highly-trusted":"The boundary separates a highly trusted zone."}},"threatsAtBoundary":{"type":"array","title":"Threats At Boundary","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that could exploit this boundary."},"controlsAtBoundary":{"type":"array","title":"Controls At Boundary","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. 
Where the control and boundary are declared together, prefer the control's appliesTo property."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"killChainPhase":{"type":"string","title":"Kill Chain Phase","description":"A phase of the Lockheed Martin Cyber Kill Chain, listed in the order in which an intrusion progresses. These phases are distinct from the MITRE ATT&CK tactics used by the MITRE-ATTACK category taxonomy.","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target.","weaponization":"Creating a malicious payload.","delivery":"Transmitting the payload to the target.","exploitation":"Exploiting a vulnerability or weakness.","installation":"Installing malicious software or establishing a foothold.","command-and-control":"Establishing a command and control channel.","actions-on-objectives":"Achieving the goals of the attack."}},"attackPathStep":{"type":"object","title":"Attack Path Step","description":"A single step in an attack path, describing one action in the progression of an attack.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","description":"A short name for the step."},"description":{"type":"string","minLength":1,"title":"Description","description":"The action the adversary performs in this step."},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique","description":"The technique used in this step, typically aligned with MITRE ATT&CK."},"attackPattern":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the attack pattern applied in this step."},"killChainPhase":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase","description":"The phase of the cyber kill chain at which this step operates."},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the element or zone from which this step 
originates."},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the element or zone this step reaches."},"boundaryCrossed":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the trust boundary this step crosses."},"exploits":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits."},"mitigations":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that detect or prevent this step."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"attackPath":{"type":"object","title":"Attack Path","description":"An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. 
An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.","required":["bom-ref","name","steps"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","minLength":1,"title":"Name","description":"A human-readable name for the attack path."},"description":{"type":"string","title":"Description","description":"A description of the attack path."},"objective":{"type":"string","title":"Objective","description":"The attacker objective that the path works toward, such as exfiltrating data or achieving code execution."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the adversary that follows this path."},"steps":{"type":"array","title":"Steps","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPathStep"},"description":"The ordered steps of the path, from the initial action to the objective. 
The order of the array is significant."},"realizes":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the threats that this path realizes."},"relatedRisks":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the risks that this path contributes to."},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the actors 
that participate in this use case, representing anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder 
sign-off."},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case."},"businessObjectives":{"type":"array","title":"Business Objectives","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the business objectives this use case supports."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","description":"Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the 
use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such 
as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}},"useCaseAssertions":{"type":"array","title":"Use Case Assertions","description":"A list of assertions describing how a component relates to use cases defined in the BOM.","uniqueItems":true,"items":{"type":"object","title":"Use Case Assertion","description":"An assertion linking one or more use cases to a component, specifying the nature of the relationship.","required":["assertionType","useCaseRefs"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the relationship between the component and the use case.","enum":["extends","implements","inhibits","not-applicable","not-assessed","other","participates-in","supports","triggers","validates"],"meta:enum":{"extends":"The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.","implements":"The component implements or realises the use case, providing the primary capability that makes the use case functional.","inhibits":"The component is known to interfere with or block the correct execution of the use case.","not-applicable":"The use case does not pertain to this component. 
The evaluator has reviewed the use case and determined it is irrelevant.","not-assessed":"The relationship between the component and the use case has not yet been evaluated.","other":"A relationship that does not fit into the other predefined assertion types.","participates-in":"The component participates in the use case but is not solely responsible for its implementation.","supports":"The component provides enabling infrastructure for the use case without directly implementing or participating in it.","triggers":"The component initiates or kicks off the use case without being responsible for its implementation.","validates":"The component validates, tests, or verifies the correct execution of the use case."}},"useCaseRefs":{"type":"array","title":"Use Case References","description":"A list of BOM references linking to use case objects defined in the BOM.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"description":{"type":"string","title":"Description","description":"Additional context or clarification regarding the assertion."}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings. 
Consumers should consider ratings in prioritization decisions; source ratings may differ and aid prioritization.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"weaknesses":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses","description":"The weaknesses, such as CWE classifications, that give rise to this vulnerability."},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. 
This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware 
components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"mitigatingControls":{"type":"array","title":"Mitigating Controls","uniqueItems":true,"minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"description":"References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime."},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. 
If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be 
obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit 
history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. 
The controls may be referenced using the mitigatingControls property."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 
There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-weakness-2.0":{"type":"null","title":"CycloneDX Weakness Model","$defs":{"weaknesses":{"type":"array","title":"Weaknesses","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-weakness-2.0/$defs/weakness"},"description":"A collection of weaknesses, such as CWE classifications, that classify an underlying flaw."},"weakness":{"title":"Weakness","description":"A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.","oneOf":[{"type":"object","title":"CWE Weakness","description":"A weakness identified by its CWE identifier.","additionalProperties":false,"required":["cweId"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link."},"cweId":{"type":"integer","minimum":1,"title":"CWE Identifier","description":"The Common Weakness Enumeration (CWE) identifier that classifies this weakness."}}},{"type":"object","title":"Named Weakness","description":"A weakness identified by a free-text name, used where no CWE classification applies.","additionalProperties":false,"required":["name"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the weakness elsewhere 
using a bom-ref or bom-link."},"name":{"type":"string","minLength":1,"title":"Name","description":"The name of the weakness."},"description":{"type":"string","title":"Description","description":"A description of the weakness."}}}]}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value shall be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"threats":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threats"},"risks":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risks"},"controls":{"$ref":"#/$defs/cyclonedx-control-2.0/$defs/controls"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"profiles":{"$ref":"#/$defs/cyclonedx-profile-2.0/$defs/profiles"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"perspectives":{"$ref":"#/$defs/cyclonedx-perspective-2.0/$defs/perspectives"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signatures":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signatures"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json index fa6ad4c61..21895cc3a 100644 --- a/schema/2.0/cyclonedx-2.0-bundled.schema.json +++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json @@ -13,6 +13,9 @@ "$schema": { "type": "string" }, + "$comment": { + "type": "string" + }, "specFormat": { "type": "string", "title": "Specification Format", 
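Review bot: The `$comment` property added to the top-level document object here is absent from the `cyclonedx-2.0` definition in the minified bundle earlier in this diff, whose `properties` list runs `$schema`, `specFormat`, … under `"additionalProperties": false`, so a BOM carrying a top-level `$comment` validates against one artifact and is rejected by the other. If both bundles are produced from the same model sources, the property presumably needs adding at the source so the two stay in step. The new property also has no `title`/`description` unlike its siblings; if it is meant as a non-semantic annotation like JSON Schema's own `$comment` keyword, something like `"description": "A free-form comment on the document. It carries no semantics and may be ignored by consumers."` would make that explicit.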
@@ -64,6 +67,15 @@
 "vulnerabilities": {
 "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"
 },
+ "threats": {
+ "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threats"
+ },
+ "risks": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risks"
+ },
+ "controls": {
+ "$ref": "#/$defs/cyclonedx-control-2.0/$defs/controls"
+ },
 "annotations": {
 "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations"
 },
@@ -79,6 +91,9 @@
 "blueprints": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"
 },
+ "profiles": {
+ "$ref": "#/$defs/cyclonedx-profile-2.0/$defs/profiles"
+ },
 "citations": {
 "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
 },
@@ -800,13 +815,13 @@
 "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"
 }
 },
- "flows": {
+ "graphs": {
 "type": "array",
- "title": "Flows",
- "description": "Behavior flows that organise behaviors into operational patterns.",
+ "title": "Graphs",
+ "description": "Behavior graphs that model behaviour over time as activity flows, state machines, or a mixture of the two.",
 "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorGraph"
 }
 }
 }
@@ -838,19 +853,19 @@
 "actors": {
 "type": "array",
 "title": "Actors",
- "description": "References to objects that perform this behavior.",
+ "description": "References using bom-link or bom-ref to objects that perform this behavior.",
 "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 }
 },
 "targets": {
 "type": "array",
 "title": "Targets",
- "description": "References to objects affected by this behavior.",
+ "description": "References using bom-link or bom-ref to objects affected by this behavior.",
 "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 }
 }
 }
@@ -889,25 +904,22 @@
 "ordering": {
 "type": "string",
 "title": "Ordering",
- "description": "Execution semantics for steps within a flow.",
- "default": "sequential",
+ "description": "Execution semantics for the nodes of a graph when transitions do not fully specify the order.",
 "enum": [
 "sequential",
 "unordered",
- "parallel",
- "conditional"
+ "parallel"
 ],
 "meta:enum": {
- "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
- "unordered": "All steps execute, but order is not guaranteed.",
- "parallel": "Steps may execute concurrently.",
- "conditional": "Step execution is determined by runtime conditions."
+ "sequential": "Nodes execute in ordinal order. Each completes before the next begins.",
+ "unordered": "All nodes execute, but the order is not guaranteed.",
+ "parallel": "Nodes may execute concurrently."
 }
 },
 "acknowledgment": {
 "type": "array",
 "title": "Acknowledgment",
- "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+ "description": "Indicates how the behavior or graph was identified. Multiple values indicate the behavior was both declared and observed.",
 "uniqueItems": true,
 "items": {
 "type": "string",
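Review bot: Removing `"default": "sequential"` leaves the omitted case unspecified: the new description says what `ordering` means when present but not what a consumer should assume when it is absent, and the rewritten `if` in the last hunk of this file (which runs past the end of this view) now mandates `ordinal` on nodes only when `ordering` is explicitly `sequential`, so a graph that omits `ordering` gets neither ordinals nor a stated execution semantics. Either keep the default or state the omission case in the description, for example by appending `When omitted, the order is given solely by the transitions.` if that is the intent. Dropping `conditional` from the enum also rejects documents that used it; presumably acceptable while 2.0 is unreleased, but worth a line in the changelog.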
@@ -921,19 +933,49 @@ } } }, - "behaviorFlow": { + "behaviorGraph": { "type": "object", - "title": "Behavior Flow", - "description": "An organised collection of behaviors forming a coherent process.", + "title": "Behavior Graph", + "description": "A graph of nodes joined by transitions that models behaviour over time. A node may be an activity, a state, an event, a gateway, or a start or end point, so the same construct expresses an activity or process flow (where the nodes are activities), a state machine (where the nodes are states), or a mixture of the two.", "additionalProperties": false, "required": [ "bom-ref", - "steps" + "nodes" ], "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the graph." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the graph and the behaviour it models." + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "An optional hint at the intent of the graph.", + "enum": [ + "activity", + "state-machine", + "mixed" + ], + "meta:enum": { + "activity": "The graph models a process or activity flow whose nodes are activities.", + "state-machine": "The graph models a state machine whose nodes are states.", + "mixed": "The graph mixes activity and state nodes." + } + }, + "subject": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Subject", + "description": "Reference using bom-link or bom-ref to the object whose behaviour this graph describes." + }, "acknowledgment": { "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment" }, 
@@ -943,42 +985,41 @@ "trigger": { "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" }, - "steps": { + "nodes": { "type": "array", - "title": "Steps", - "description": "The steps that comprise this flow.", + "title": "Nodes", + "description": "The nodes of the graph.", "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorNode" + } + }, + "transitions": { + "type": "array", + "title": "Transitions", + "description": "The transitions between nodes. Transitions express the ordering of an activity flow and the triggered, guarded moves of a state machine.", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/flowStep" + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/transition" } } }, "allOf": [ { "if": { - "anyOf": [ - { - "properties": { - "ordering": { - "const": "sequential" - } - }, - "required": [ - "ordering" - ] - }, - { - "not": { - "required": [ - "ordering" - ] - } + "properties": { + "ordering": { + "const": "sequential" } + }, + "required": [ + "ordering" ] }, "then": { "properties": { - "steps": { + "nodes": { "items": { "required": [ "ordinal" 
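Review bot: `transitions[].source` and `transitions[].target` are plain `refType` values, so nothing in the schema ties them to the `bom-ref` of a node in the same graph's `nodes`, and `uniqueItems` on `nodes` does not make the node `bom-ref` values distinct either. Consumers will have to resolve and de-duplicate these themselves, which is worth stating, e.g. a `$comment` on `transitions`: `"Referential integrity of source and target against nodes[].bom-ref cannot be expressed in JSON Schema and must be checked by the consumer."`. With the `sequential` default dropped from `ordering` in the `@@ -889` hunk, a graph that carries neither `ordering` nor `transitions` now has no defined order at all; if that is unintended, `"anyOf": [{"required": ["ordering"]}, {"required": ["transitions"]}]` on the graph would close the gap. The `then` clause of the `allOf` branch is cut off at the end of this hunk.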
@@ -990,72 +1031,213 @@ } ] }, - "flowStep": { + "behaviorNode": { "type": "object", - "title": "Flow Step", - "description": "A single step within a behavior flow.", + "title": "Behavior Node", + "description": "A single node in a behavior graph. The kind determines what the node represents and which additional properties apply.", "additionalProperties": false, + "required": [ + "bom-ref", + "kind" + ], "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "kind": { + "type": "string", + "title": "Kind", + "description": "The kind of node.", + "enum": [ + "activity", + "state", + "event", + "gateway", + "initial", + "final" + ], + "meta:enum": { + "activity": "An action that is performed, identified by a behavior, a behavior-instance reference, or a nested graph. The activity-flow counterpart of a step.", + "state": "A durable condition the subject rests in until a transition fires. The state-machine counterpart of a node. A composite state references its nested region through 'graph'.", + "event": "An intermediate event that occurs during the graph.", + "gateway": "A branch or merge point whose outgoing transitions carry the guards.", + "initial": "The starting point of the graph or of a composite node.", + "final": "A completion point of the graph or of a composite node." + } + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the node." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the node." + }, "ordinal": { "type": "integer", "title": "Ordinal", - "description": "Position within the flow. Required when ordering is 'sequential' or omitted.", - "minimum": 1 + "minimum": 1, + "description": "Position within a sequential graph. Required when the graph ordering is 'sequential'. Ignored when transitions define the order." 
}, "behavior": { "$ref": "../behavior-taxonomy.schema.json", "title": "Behavior", - "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'." - }, - "trigger": { - "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + "description": "For an activity node, the behavior performed, drawn from the taxonomy. Mutually exclusive with 'ref' and 'graph'." }, "ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "Behavior Reference", - "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'." + "description": "For an activity node, a reference to a behavior instance. Mutually exclusive with 'behavior' and 'graph'." }, - "flow": { + "graph": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Flow Reference", - "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'." + "title": "Graph Reference", + "description": "A reference to a nested behavior graph. For an activity node it is the sub-process performed and is mutually exclusive with 'behavior' and 'ref'; for a composite node it is the nested region." 
}, "actors": { "type": "array", "title": "Actors", - "description": "References to objects that perform this step.", + "description": "References using bom-link or bom-ref to objects that perform this node.", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" } }, "targets": { "type": "array", "title": "Targets", - "description": "References to objects affected by this step.", + "description": "References using bom-link or bom-ref to objects affected by this node.", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "eventType": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger", + "title": "Event Type", + "description": "For an event node, the nature of the event, reusing the trigger vocabulary, such as signal, scheduled, or event-driven." + }, + "gatewayKind": { + "type": "string", + "title": "Gateway Kind", + "description": "For a gateway node, the branching semantics applied across its outgoing transitions.", + "enum": [ + "exclusive", + "inclusive", + "parallel", + "complex" + ], + "meta:enum": { + "exclusive": "Exactly one outgoing transition is taken, the first whose guard holds.", + "inclusive": "Every outgoing transition whose guard holds is taken.", + "parallel": "All outgoing transitions are taken concurrently, forking and later joining execution.", + "complex": "Branch selection follows a complex condition described in the transition guards." } + }, + "onEntry": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "On Entry", + "description": "For a state node, a reference to a behavior instance performed when the state is entered." 
+ }, + "onExit": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "On Exit", + "description": "For a state node, a reference to a behavior instance performed when the state is exited." + }, + "doActivity": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Do Activity", + "description": "For a state node, a reference to a behavior instance performed while the subject remains in the state." } }, - "oneOf": [ + "allOf": [ { - "required": [ - "behavior" - ] + "if": { + "properties": { + "kind": { + "const": "activity" + } + }, + "required": [ + "kind" + ] + }, + "then": { + "oneOf": [ + { + "required": [ + "behavior" + ] + }, + { + "required": [ + "ref" + ] + }, + { + "required": [ + "graph" + ] + } + ] + } + } + ] + }, + "transition": { + "type": "object", + "title": "Transition", + "description": "A directed edge from one node to another. In an activity flow it expresses ordering; in a state machine it expresses a triggered, guarded move between states.", + "additionalProperties": false, + "required": [ + "source", + "target" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - { - "required": [ - "ref" - ] + "name": { + "type": "string", + "title": "Name", + "description": "The name of the transition." }, - { - "required": [ - "flow" - ] + "description": { + "type": "string", + "title": "Description", + "description": "A description of the transition." + }, + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Source", + "description": "Reference to the source node." + }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Target", + "description": "Reference to the target node." + }, + "trigger": { + "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger" + }, + "guard": { + "type": "string", + "title": "Guard", + "description": "A guard condition; the transition fires only when it evaluates to true." 
+ }, + "default": { + "type": "boolean", + "title": "Default", + "description": "Whether this transition is taken when no other guard from the same source node holds." + }, + "effect": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Effect", + "description": "Reference to a behavior instance performed when the transition fires." } - ] + } } } }, @@ -1078,8 +1260,7 @@ "description": "A versatile, machine-readable model designed to support a wide range of analytical activities, from use case documentation and behavioural analysis to comprehensive system-level threat and risk modelling.", "required": [ "name", - "modelTypes", - "methodologies" + "modelTypes" ], "additionalProperties": false, "properties": { @@ -1105,20 +1286,11 @@ "title": "Model Types", "minItems": 1, "uniqueItems": true, - "description": "The types of models being represented", + "description": "The types of models being represented.", "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType" } }, - "methodologies": { - "type": "array", - "title": "Methodologies", - "uniqueItems": true, - "description": "The modeling methodologies used", - "items": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/methodology" - } - }, "scope": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope" }, @@ -1129,7 +1301,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset" }, - "description": "The assets (components, services, data, actors) included in the model" + "description": "The assets (components, services, data, actors) included in the model." }, "behaviors": { "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors" @@ -1141,7 +1313,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore" }, - "description": "Structured description of data stores used in the model" + "description": "Structured description of data stores used in the model." }, "dataSets": { "type": "array", 
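Review bot: The `behaviorNode` description promises that `kind` determines which additional properties apply, but the only `allOf` branch constrains `activity`; a `state` node may carry `gatewayKind`, a `final` node may carry `onEntry` or `behavior`, and an `event` node may omit `eventType`, all without a validation error. Kind-gated branches alongside the existing one would make the schema enforce the contract the description states; the ones below only forbid misuse rather than require the kind-specific property, which keeps existing documents valid. Separately, `transition.guard` is an unconstrained string with no named expression language, so a tool cannot tell whether it is prose or something to evaluate; I would say which in its description, e.g. `"A guard condition expressed as free text; consumers must not evaluate it as code."`. The enclosing `$defs` object continues outside the hunk.
```json
"allOf": [
  { "$comment": "… unchanged: existing activity branch requiring exactly one of behavior, ref, graph …" },
  {
    "if": { "properties": { "kind": { "const": "gateway" } }, "required": [ "kind" ] },
    "else": { "not": { "required": [ "gatewayKind" ] } }
  },
  {
    "if": { "properties": { "kind": { "const": "event" } }, "required": [ "kind" ] },
    "else": { "not": { "required": [ "eventType" ] } }
  },
  {
    "if": { "properties": { "kind": { "const": "state" } }, "required": [ "kind" ] },
    "else": {
      "not": {
        "anyOf": [
          { "required": [ "onEntry" ] },
          { "required": [ "onExit" ] },
          { "required": [ "doActivity" ] }
        ]
      }
    }
  }
]
```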
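Review bot: Removing `methodologies` from the blueprint here, together with the `methodology` definition in the `@@ -1267` hunk, leaves no place to record which modelling methodology a blueprint follows, and neither the blueprint description nor the new `modelType` description says where that information now lives. If methodology moved to the threat, risk, or privacy models that the `modelType` description mentions, one sentence there would point readers to it, e.g. `"The methodology applied is recorded on the analysis model that references the blueprint."`; if it was dropped deliberately, the commit message should say so. I cannot tell from the diff which of the two was intended.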
@@ -1150,7 +1322,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet" }, - "description": "Datasets handled by the system, including placements and sensitivity" + "description": "Datasets handled by the system, including placements and sensitivity." }, "zones": { "type": "array", @@ -1159,7 +1331,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone" }, - "description": "Logical, physical, or trust zones that group assets with similar characteristics" + "description": "Logical, physical, or trust zones that group assets with similar characteristics." }, "boundaries": { "type": "array", @@ -1168,7 +1340,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" }, - "description": "Boundaries between zones" + "description": "Boundaries between zones." }, "flows": { "type": "array", @@ -1177,7 +1349,16 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow" }, - "description": "Data, control, or process flows between assets" + "description": "Data, control, or process flows between assets." + }, + "relationships": { + "type": "array", + "title": "Relationships", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationship" + }, + "description": "Static, structural relationships between elements of the model, complementing the runtime exchanges captured by flows." }, "actors": { "type": "array", @@ -1186,7 +1367,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/actor" }, - "description": "Human or system actors involved in the model, distinct from assets" + "description": "Human or system actors involved in the model, distinct from assets." }, "assumptions": { "type": "array", @@ -1195,7 +1376,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption" }, - "description": "Assumptions made during the modeling process" + "description": "Assumptions made during the modeling process." }, "visualizations": { "type": "array", 
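Review bot: `relationships.items` references `#/$defs/cyclonedx-blueprint-2.0/$defs/relationship`, and no `relationship` definition appears in this diff; if it is not added elsewhere in the commit the reference dangles and a strict validator fails on every blueprint, not only on those that use relationships. The description positions relationships as the static counterpart of flows, which reads as the replacement for the `parent` and `dependencies` asset properties removed in the `@@ -1586` and `@@ -1703` hunks; if that is the intent, saying so in the description, e.g. `"... complementing the runtime exchanges captured by flows. Containment and dependency between assets are expressed as relationships."`, would guide anyone migrating a document.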
@@ -1204,7 +1385,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization" }, - "description": "Visual representations of the model" + "description": "Visual representations of the model." }, "useCases": { "type": "array", 
@@ -1212,51 +1393,50 @@ "uniqueItems": true, "items": { "type": "object", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase" + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Use Case Reference", + "description": "A reference to a use case object defined in definitions." }, - { - "properties": { - "assets": { - "type": "array", - "title": "Assets", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to the blueprint assets that are involved in or exercised by this use case" - }, - "flows": { - "type": "array", - "title": "Flows", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to the requirements that are implemented, validated, or addressed by this use case" - } - } + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint assets that are involved in or exercised by this use case." + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the blueprint flows that are triggered or traversed during the execution of this use case." 
+ }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." } - ] + } }, "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." }, "requirements": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Requirements derived from or related to the model" + "description": "References using bom-link or bom-ref to the requirements, declared in definitions, that are derived from or related to this model." }, "externalReferences": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" 
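Review bot: The new `useCases.items` object declares `properties` but no `required` and no `additionalProperties: false`, so `{}` and objects with arbitrary extra keys validate, unlike the other objects in this file, which are all closed. Since `ref` is the only thing that makes an entry meaningful, I would add `"required": [ "ref" ],` and `"additionalProperties": false,` next to `"properties"`. The rewritten `requirements` array is a plain list of references and needs no such change.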
@@ -1267,188 +1447,57 @@ } }, "modelType": { - "type": "object", "title": "Model Type", - "description": "The type of model being represented, either a predefined type or a custom named type.", + "description": "The type of model being represented, either a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. Threat, risk, and privacy analyses are represented in their own models, which reference the blueprint, rather than as blueprint model types.", "oneOf": [ { + "type": "string", "title": "Predefined Model Type", - "description": "A model type selected from a predefined set of well-known modelling categories.", - "required": [ - "type" + "description": "A predefined model type from the enumeration.", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "data-flow", + "deployment", + "logical", + "network", + "operational", + "physical", + "process" ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Pre-Defined Model Type", - "enum": [ - "architecture", - "behavioral", - "conceptual", - "dataFlow", - "deployment", - "logical", - "network", - "operational", - "physical", - "privacy", - "process", - "risk", - "structural", - "threat" - ], - "meta:enum": { - "architecture": "System or software architecture model", - "behavioral": "System behavior model", - "conceptual": "High-level conceptual model", - "dataFlow": "Data flow model showing how data moves through the system", - "deployment": "Deployment or infrastructure model", - "logical": "Logical system model", - "network": "Network topology or connectivity model", - "operational": "Operational model", - "physical": "Physical infrastructure model", - "privacy": "Privacy impact assessment model", - "process": "Business or system process model", - "risk": "Risk assessment model", - "structural": "System structure model", - "threat": "Security threat model" - } - } + "meta:enum": { + "architecture": 
"An architecture model of the system or software, capturing its major components, their responsibilities, and the interfaces and relationships between them. Broader than a single view, it frames the overall design.", + "behavioral": "A behavioural model, capturing how the system acts over time through its processes, state changes, interactions, and control flow, as opposed to its static structure.", + "conceptual": "A conceptual model at the highest level of abstraction, capturing the key entities, concepts, and relationships in technology-neutral terms without implementation detail. The first level of the conceptual, logical, and physical progression.", + "data-flow": "A data flow model showing how data moves between processes, data stores, and external entities. This is the substrate most commonly used for STRIDE per-element threat analysis.", + "deployment": "A deployment model showing how software is allocated to runtime and infrastructure, including nodes, containers, environments, and the artifacts placed on them.", + "logical": "A logical model detailing the structure and behaviour of the system independent of any specific implementation technology. The middle level of the conceptual, logical, and physical progression.", + "network": "A network model showing topology and connectivity, including segments, links, and the paths over which components communicate.", + "operational": "An operational model describing how the system is run and supported in production, including procedures, responsibilities, and operational dependencies.", + "physical": "A physical model at the implementation level, capturing the tangible realization of the system such as hardware, devices, infrastructure, topology, and physical locations. The most concrete level of the conceptual, logical, and physical progression.", + "process": "A process model describing a business or system process as an ordered set of activities and decisions and the actors that carry them out." 
} }, { + "type": "object", "title": "Custom Model Type", - "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.", + "description": "A custom model type not covered by the predefined enumeration, allowing organisations to define domain-specific model categories.", + "additionalProperties": false, "required": [ "name" ], - "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "Custom model type name" + "description": "The name of the custom model type." }, "description": { "type": "string", "title": "Description", - "description": "Description of the custom model type" - } - } - } - ] - }, - "methodology": { - "type": "object", - "title": "Methodology", - "description": "The modelling methodology used, either a predefined type or a custom named methodology.", - "oneOf": [ - { - "title": "Predefined Methodology", - "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Pre-Defined Type", - "enum": [ - "4+1", - "Archimate", - "ATFAA", - "BPMN", - "C4", - "DFD", - "DODAF", - "ERD", - "IDEF", - "LINDDUN", - "MAESTRO", - "MITRE-ATTACK", - "MODAF", - "NAF", - "OWASP", - "PASTA", - "SABSA", - "STRIDE", - "SysML", - "TOGAF", - "TRIKE", - "UML", - "VAST", - "Zachman", - "attackTree" - ], - "meta:enum": { - "4+1": "4+1 Architectural View Model", - "Archimate": "Enterprise architecture modeling language", - "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", - "BPMN": "Business Process Model and Notation", - "C4": "C4 Model for software architecture", - "DFD": "Data Flow Diagrams", - "DODAF": "Department of Defense Architecture Framework", - "ERD": "Entity Relationship Diagrams", - "IDEF": "Integration 
Definition Methods", - "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance", - "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome", - "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework", - "MODAF": "Ministry of Defence Architecture Framework", - "NAF": "NATO Architecture Framework", - "OWASP": "OWASP threat modelling methodology", - "PASTA": "Process for Attack Simulation and Threat Analysis", - "SABSA": "Sherwood Applied Business Security Architecture", - "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege", - "SysML": "Systems Modeling Language", - "TOGAF": "The Open Group Architecture Framework", - "TRIKE": "Risk-based threat modelling methodology", - "UML": "Unified Modeling Language", - "VAST": "Visual, Agile, and Simple Threat modelling", - "Zachman": "Zachman Framework", - "attackTree": "Attack tree methodology for structured threat analysis" - } - }, - "version": { - "type": "string", - "title": "Version", - "description": "Version of the methodology" - } - } - }, - { - "title": "Custom Methodology", - "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "Custom methodology name" - }, - "version": { - "type": "string", - "title": "Version", - "description": "Version of the methodology" - }, - "description": { - "type": "string", - "title": "Description", - "description": "Description of the custom methodology" - }, - "externalReferences": { - "type": "array", - "title": "External References", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - 
} + "description": "A description of the custom model type." } } } @@ -1464,31 +1513,36 @@ "type": "string", "title": "Timestamp", "format": "date-time", - "description": "When the blueprint was created or last updated" + "description": "When the blueprint was created or last updated." }, "authors": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who created the blueprint" + "type": "array", + "title": "Authors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + }, + "description": "The parties that created the blueprint. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `author`." }, "reviewer": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who reviewed the blueprint" + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party that reviewed the blueprint. The party's `roles` should include `reviewer`." }, "reviewDate": { "type": "string", "title": "Review Date", "format": "date-time", - "description": "When the blueprint was reviewed" + "description": "When the blueprint was reviewed." }, "approver": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "The person(s) or organization(s) who approved the blueprint" + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party that approved the blueprint. The party's `roles` should include `signatory` or a custom role identifying the approving authority." }, "approvalDate": { "type": "string", "title": "Approval Date", "format": "date-time", - "description": "When the blueprint was approved" + "description": "When the blueprint was approved." }, "ordinalVersion": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion" 
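Review bot: The predefined `modelType` enumeration drops `structural` alongside `privacy`, `risk`, and `threat`, but the new description only explains where threat, risk, and privacy analyses went; a reader holding a `structural` model gets no guidance. Either restore `structural` or extend the description with the intended replacement (presumably `architecture` or a custom type, which I cannot tell from the diff). The rename `dataFlow` to `data-flow` also changes an existing value, so documents produced against the previous draft will need a mapping.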
@@ -1511,19 +1565,19 @@ "type": "string", "title": "Start", "format": "date-time", - "description": "When the blueprint becomes valid" + "description": "When the blueprint becomes valid." }, "end": { "type": "string", "title": "End", "format": "date-time", - "description": "When the blueprint expires" + "description": "When the blueprint expires." }, "reviewFrequency": { "type": "string", "title": "Review Frequency", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", - "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)." } } }, @@ -1543,12 +1597,12 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the scope" + "description": "Name of the scope." }, "description": { "type": "string", "title": "Description", - "description": "Description of what is included and excluded from the model" + "description": "Description of what is included and excluded from the model." }, "boundaries": { "type": "array", 
@@ -1558,25 +1612,25 @@ "type": "string", "minLength": 1 }, - "description": "Explicit boundaries of the model" + "description": "Explicit boundaries of the model." }, "includedComponents": { "type": "array", "title": "Included Components", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to components explicitly included" + "description": "References using bom-link or bom-ref to components explicitly included." }, "excludedComponents": { "type": "array", "title": "Excluded Components", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to components explicitly excluded" + "description": "References using bom-link or bom-ref to components explicitly excluded." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
@@ -1586,99 +1640,126 @@ "asset": { "type": "object", "title": "Asset", - "description": "A component, service, data store, or other element included in the blueprint model.", + "description": "A component, service, data store, actor, or other element included in the blueprint model. An actor asset references a party, since a party such as a person, persona, system, or organization may itself be an asset, including a person in the intelligence sense of a human source.", "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Unique identifier for the asset" + "description": "Unique identifier for the asset." }, "componentRef": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the component this asset represents" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the component this asset represents." }, "serviceRef": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the service this asset represents" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the service this asset represents." + }, + "partyRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party this asset represents, such as a person, persona, system, or organization. Used when the asset is an actor." 
}, "type": { - "type": "string", "title": "Asset Type", - "enum": [ - "actor", - "agent", - "api", - "broker", - "cache", - "component", - "container", - "data", - "dataStore", - "device", - "endpoint", - "function", - "gateway", - "infrastructure", - "interface", - "model", - "module", - "network", - "other", - "process", - "queue", - "resource", - "service", - "stream", - "subsystem", - "system" - ], - "meta:enum": { - "actor": "User, system, or external entity", - "agent": "Autonomous AI or software agent", - "api": "API endpoint or interface", - "broker": "Message broker or event bus infrastructure", - "cache": "Caching layer or in-memory data store", - "component": "Software component or application", - "container": "Container or orchestration unit", - "data": "Dataset", - "dataStore": "Database, file system, or data repository", - "device": "Physical or IoT device", - "endpoint": "Service endpoint or URL", - "function": "Serverless function or lambda", - "gateway": "API gateway, load balancer, or proxy", - "infrastructure": "Infrastructure component", - "interface": "System interface or contract", - "model": "AI or machine learning model", - "module": "Software module or package", - "network": "Network segment or resource", - "other": "Asset type not covered by predefined values", - "process": "Business or system process", - "queue": "Message queue or task queue", - "resource": "Generic resource or artifact", - "service": "Service or microservice", - "stream": "Data stream or event stream", - "subsystem": "Part of a larger system", - "system": "Complete system or application" - } + "description": "The kind of asset. 
Use the custom option for kinds not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Asset Type", + "enum": [ + "actor", + "agent", + "api", + "broker", + "cache", + "component", + "container", + "data", + "data-store", + "device", + "endpoint", + "function", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "process", + "queue", + "resource", + "service", + "stream", + "subsystem", + "system", + "tool" + ], + "meta:enum": { + "actor": "An actor that is an asset in its own right, referencing a party via partyRef. A party such as a system or organization is commonly an asset, and a person may be an asset in the intelligence sense of a human source.", + "agent": "Autonomous AI or software agent.", + "api": "API endpoint or interface.", + "broker": "Message broker or event bus infrastructure.", + "cache": "Caching layer or in-memory data store.", + "component": "Software component or application.", + "container": "Container or orchestration unit.", + "data": "Dataset.", + "data-store": "Database, file system, or data repository.", + "device": "Physical or IoT device.", + "endpoint": "Service endpoint or URL.", + "function": "Serverless function or lambda.", + "gateway": "API gateway, load balancer, or proxy.", + "infrastructure": "Infrastructure component.", + "interface": "System interface or contract.", + "model": "AI or machine learning model.", + "module": "Software module or package.", + "network": "Network segment or resource.", + "process": "Business or system process.", + "queue": "Message queue or task queue.", + "resource": "Generic resource or artifact.", + "service": "Service or microservice.", + "stream": "Data stream or event stream.", + "subsystem": "Part of a larger system.", + "system": "Complete system or application.", + "tool": "A tool or capability invoked by an agent, such as a function, API, or service exposed to an AI agent." 
+ } + }, + { + "type": "object", + "title": "Custom Asset Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom asset type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom asset type." + } + } + } + ] }, "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the asset" + "description": "Name of the asset." }, "description": { "type": "string", "title": "Description", - "description": "Description of the asset's role and purpose" + "description": "Description of the asset's role and purpose." }, "zone": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the zone containing this asset" - }, - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to parent asset if this is a sub-component" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the zone containing this asset." }, "classification": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification" @@ -1694,7 +1775,7 @@ "type": "string", "minLength": 1 }, - "description": "Responsibilities or functions of this asset" + "description": "Responsibilities or functions of this asset." }, "interfaces": { "type": "array", 
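Review bot: The `actor` asset type's meta:enum says an actor asset references a party via `partyRef`, but nothing enforces the pairing: an asset can declare `"type": "actor"` without `partyRef`, or carry `partyRef` with any other `type`. An `allOf` branch on the asset, `{"if": {"properties": {"type": {"const": "actor"}}, "required": ["type"]}, "then": {"required": ["partyRef"]}}`, would enforce the direction the description states. The asset's reference-variant combinator continues in the `@@ -1768` hunk.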
@@ -1703,25 +1784,16 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface"
 },
- "description": "Interfaces exposed by this asset"
- },
- "dependencies": {
- "type": "array",
- "title": "Dependencies",
- "uniqueItems": true,
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
- },
- "description": "References to assets this asset depends on"
+ "description": "Interfaces exposed by this asset."
 },
 "useCases": {
 "type": "array",
 "title": "Use Cases",
 "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 },
- "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."
+ "description": "References using bom-link or bom-ref to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage."
 },
 "authentication": {
 "type": "array",
@@ -1730,7 +1802,7 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"
 },
- "description": "Authentication methods supported/required"
+ "description": "Authentication methods supported/required."
 },
 "authorization": {
 "type": "array",
@@ -1739,7 +1811,7 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
 },
- "description": "Authorization models supported/required"
+ "description": "Authorization models supported/required."
 },
 "ownership": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"
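Review bot: The `dependencies` array is removed from the asset without any pointer to its replacement; the `dependsOn` relationship introduced later in this patch appears to be where asset dependencies now live, and a `$comment` on the asset saying so, e.g. `"$comment": "Dependencies between assets are expressed with the dependsOn relationship rather than a per-asset dependencies array."`, would spare consumers a guess. Switching `useCases` to refLinkType also lets a reference point into another document via bom-link, so a resolver should treat such a target as outside the validated document and tolerate it being unavailable. The enclosing asset definition starts before this hunk.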
@@ -1768,6 +1840,14 @@
 "serviceRef"
 ]
 },
+ {
+ "title": "Party Reference Asset",
+ "description": "An asset defined by reference to a party declared elsewhere in the BOM, such as a person, persona, system, or organization that is itself an asset.",
+ "required": [
+ "bom-ref",
+ "partyRef"
+ ]
+ },
 {
 "title": "Inline Asset",
 "description": "An asset defined inline within the blueprint with an explicit type and name.",
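Review bot: The new Party Reference Asset branch only adds `partyRef` to `required`; if the asset object closes its properties with `additionalProperties: false` (not visible here), the branch is satisfiable only when `partyRef` is also declared under the asset's `properties`, which should be confirmed outside this hunk. Unlike the Inline Asset branch it does not require `name`, so the display name of a party-backed asset is presumably taken from the referenced party; saying so in the branch description, e.g. `"description": "An asset defined by reference to a party declared elsewhere in the BOM; its name and identity are those of the referenced party."`, makes that intent explicit. The enclosing list of asset alternatives starts and ends outside the hunk.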
@@ -1797,93 +1877,122 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the data store" + "description": "Name of the data store." }, "description": { "type": "string", "title": "Description", - "description": "Purpose and contents of the store" + "description": "Purpose and contents of the store." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "blob", - "blockchain", - "cache", - "columnFamily", - "custom", - "dataLake", - "dataWarehouse", - "document", - "eventLog", - "file", - "graph", - "inMemory", - "keyValue", - "messageQueue", - "object", - "other", - "registry", - "search", - "spatial", - "sql", - "timeSeries", - "vector" - ], - "meta:enum": { - "blob": "Binary/blob storage", - "blockchain": "Distributed ledger or blockchain storage", - "cache": "Caching tier", - "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", - "custom": "Custom or mixed storage technology", - "dataLake": "Data lake or lakehouse for raw and semi-structured data", - "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", - "document": "Document database (e.g., MongoDB)", - "eventLog": "Event log or append-only streaming store (e.g., Kafka)", - "file": "File system or NAS", - "graph": "Graph database", - "inMemory": "In-memory data store used as a primary store", - "keyValue": "Key-value store", - "messageQueue": "Message queue or broker with persistent storage", - "object": "Object storage", - "other": "Other storage technology not listed", - "registry": "Configuration or service registry (e.g., etcd, Consul)", - "search": "Search index or full-text search engine (e.g., Elasticsearch)", - "spatial": "Spatial or geospatial database", - "sql": "Relational database", - "timeSeries": "Time-series database", - "vector": "Vector database for embeddings and similarity search" - } + "description": "The type of data store. 
Use the custom option for technologies not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Data Store Type", + "enum": [ + "block", + "blockchain", + "cache", + "column-family", + "data-lake", + "data-warehouse", + "document", + "event-log", + "file", + "graph", + "hierarchical", + "in-memory", + "key-value", + "ledger", + "message-queue", + "multi-model", + "object", + "registry", + "relational", + "search", + "spatial", + "time-series", + "vector" + ], + "meta:enum": { + "block": "Block storage exposing raw volumes.", + "blockchain": "Distributed ledger or blockchain storage.", + "cache": "Caching tier.", + "column-family": "Wide-column or column-family store.", + "data-lake": "Data lake or lakehouse for raw and semi-structured data.", + "data-warehouse": "Analytical data warehouse optimised for OLAP workloads.", + "document": "Document database.", + "event-log": "Event log or append-only streaming store.", + "file": "File system or network-attached storage.", + "graph": "Graph database.", + "hierarchical": "Hierarchical or tree-structured database, such as a directory store.", + "in-memory": "In-memory data store used as a primary store.", + "key-value": "Key-value store.", + "ledger": "Immutable, append-only ledger database.", + "message-queue": "Message queue or broker with persistent storage.", + "multi-model": "A store supporting multiple data models.", + "object": "Object storage.", + "registry": "Configuration or service registry.", + "relational": "Relational database.", + "search": "Search index or full-text search engine.", + "spatial": "Spatial or geospatial database.", + "time-series": "Time-series database.", + "vector": "Vector database for embeddings and similarity search." 
+ } + }, + { + "type": "object", + "title": "Custom Data Store Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom data store type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data store type." + } + } + } + ] }, "vendor": { "type": "string", "title": "Vendor", - "description": "The vendor or publisher of the data store product" + "description": "The vendor or publisher of the data store product." }, "product": { "type": "string", "title": "Product", - "description": "The name of the data store product" + "description": "The name of the data store product." }, "version": { "type": "string", "title": "Version", - "description": "The version of the data store product" + "description": "The version of the data store product." }, "environment": { "type": "string", "title": "Environment", - "description": "Deployment environment (prod, test, etc.)" + "description": "Deployment environment (prod, test, etc.)." }, "zone": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the zone where the asset resides" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the zone where the asset resides." }, "location": { "type": "string", "title": "Location", - "description": "Physical or logical hosting location" + "description": "Physical or logical hosting location." }, "technologies": { "type": "array", 
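Review bot: Renaming `blob` to `block` changes meaning rather than spelling: `blob` was described as binary/blob storage, while the new `block` value is block storage exposing raw volumes, so an existing `"type": "blob"` should migrate to `object`, not mechanically to `block`; a `$comment` on the enum recording that mapping, together with the other renames such as `sql` to `relational` and `keyValue` to `key-value`, would prevent silent misclassification. Separately, the Custom Data Store Type `name` has no constraint keeping it distinct from predefined values, so `{"name": "relational"}` and `"relational"` become two spellings of one concept; either state that custom names shall not match a predefined value or add `"not": {"enum": [...]}` on `name`. The same applies to the custom type objects for interface, zone, boundary, and flow types later in this patch. The enclosing data store definition starts before this hunk.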
@@ -1892,16 +2001,16 @@
 "items": {
 "type": "string"
 },
- "description": "Supporting technologies or services"
+ "description": "Supporting technologies or services."
 },
 "dataSets": {
 "type": "array",
 "title": "Data Sets",
 "uniqueItems": true,
 "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
 },
- "description": "References to data sets stored here"
+ "description": "References using bom-link or bom-ref to data sets stored here."
 },
 "authorization": {
 "type": "array",
@@ -1910,7 +2019,7 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
 },
- "description": "Authorization models supported/required"
+ "description": "Authorization models supported/required."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
@@ -1935,30 +2044,45 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the dataset" + "description": "Name of the dataset." }, "description": { "type": "string", "title": "Description", "minLength": 1, - "description": "What information is contained and why it exists" + "description": "What information is contained and why it exists." }, - "dataProfile": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "Data profiles that govern the dataset. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice" + } + }, + "dataObjects": { + "type": "array", + "title": "Data Objects", + "description": "The specific data objects stored in the dataset. Each object names a payload and may reference one of the dataset's data profiles for its governing policy.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataObject" + } }, "recordCount": { "type": "integer", "title": "Record Count", - "description": "Approximate number of records" + "description": "Approximate number of records." }, "owners": { "type": "array", "title": "Owners", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" }, - "description": "Individuals or organizational entities that own the dataset" + "description": "Parties that own the dataset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "authorization": { "type": "array", 
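Review bot: `recordCount` is an integer with no lower bound, so a negative record count validates; adding `"minimum": 0` next to `"type": "integer"` would match the `minimum: 0` already used for `sequence` in this file. The new `owners` description says each party's `roles` should include `owner`, but nothing in the schema checks it, so a consumer cannot rely on it; either state that this is a convention not enforced by validation or constrain the role in the items schema if partyChoice permits that. The enclosing dataset definition starts before this hunk.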
@@ -1967,7 +2091,7 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
 },
- "description": "Authorization models supported/required"
+ "description": "Authorization models supported/required."
 },
 "placements": {
 "type": "array",
@@ -1983,27 +2107,27 @@
 "additionalProperties": false,
 "properties": {
 "dataStore": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "description": "Reference to the store holding this dataset"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+ "description": "Reference using bom-link or bom-ref to the store holding this dataset."
 },
 "encrypted": {
 "type": "boolean",
 "title": "Encrypted",
- "description": "Whether the dataset is encrypted at this location"
+ "description": "Whether the dataset is encrypted at this location."
 },
 "retention": {
 "type": "string",
 "title": "Retention",
- "description": "Retention policy for this placement"
+ "description": "Retention policy for this placement."
 },
 "replicated": {
 "type": "boolean",
 "title": "Replicated",
- "description": "Indicates if this placement is a replica"
+ "description": "Indicates if this placement is a replica."
 }
 }
 },
- "description": "Where the dataset resides"
+ "description": "Where the dataset resides."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
@@ -2020,41 +2144,68 @@ "properties": { "name": { "type": "string", - "description": "Name of the interface" + "description": "Name of the interface." }, "type": { - "type": "string", - "enum": [ - "rest", - "graphql", - "grpc", - "soap", - "messaging", - "file", - "database", - "cli", - "gui", - "api", - "event", - "stream" - ], - "description": "Type of interface" + "title": "Type", + "description": "The type of interface. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Interface Type", + "enum": [ + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" + ] + }, + { + "type": "object", + "title": "Custom Interface Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom interface type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom interface type." + } + } + } + ] }, "description": { "type": "string", - "description": "Description of the interface" + "description": "Description of the interface." }, "specification": { "type": "string", - "description": "Link or reference to interface specification" + "description": "Link or reference to interface specification." }, "protocol": { "type": "string", - "description": "Communication protocol used" + "description": "Communication protocol used." }, "dataFormat": { "type": "string", - "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + "description": "Data format (e.g., JSON, XML, Protocol Buffers)." }, "authentication": { "type": "array", 
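Review bot: The Predefined Interface Type enum is the only one of the new type alternatives without a `meta:enum` block, so `api` is left undistinguished from `rest`, `graphql`, `grpc`, and `soap` even though it overlaps all four; a `meta:enum` describing each value, as the data-store and zone types have, would tell authors when the generic value is the right choice. The interface `name` also keeps no `minLength`, unlike the other named objects in this schema, so an empty name validates; `"name": { "type": "string", "minLength": 1, "description": "Name of the interface." }` would close that. The enclosing interface definition starts before this hunk.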
@@ -2067,14 +2218,14 @@
 "items": {
 "type": "string"
 },
- "description": "Operations or methods exposed"
+ "description": "Operations or methods exposed."
 }
 }
 },
 "zone": {
 "type": "object",
 "title": "Zone",
- "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.",
+ "description": "A grouping of assets that share a common characteristic, security posture, or administrative control, so they can be reasoned about as a unit. A zone may be logical, physical, network, trust, or another kind, may nest within a parent zone, and is connected to or separated from other zones by boundaries.",
 "required": [
 "bom-ref",
 "name",
@@ -2089,40 +2240,77 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the zone" + "description": "Name of the zone." }, "description": { "type": "string", "title": "Description", - "description": "Description of the zone's characteristics" + "description": "Description of the zone's characteristics." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "deployment", - "functional", - "logical", - "network", - "organizational", - "other", - "physical", - "trust" - ], - "meta:enum": { - "deployment": "Deployment environment (e.g., dev, staging, prod)", - "functional": "Functional grouping", - "logical": "Logical grouping or boundary", - "network": "Network segmentation zone", - "organizational": "Organizational or administrative boundary", - "other": "Other zone type not listed", - "physical": "Physical location or boundary", - "trust": "Security trust zone" - } + "description": "The type of zone. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Zone Type", + "enum": [ + "availability", + "compliance", + "data", + "deployment", + "functional", + "geographic", + "logical", + "network", + "organizational", + "physical", + "process", + "tenant", + "trust" + ], + "meta:enum": { + "availability": "An availability or fault-isolation zone, such as a cloud availability zone, used to bound the blast radius of failures and reason about redundancy and resilience.", + "compliance": "A compliance scope zone whose assets fall under a specific regulatory regime, such as PCI DSS, HIPAA, or FedRAMP, delineating what is in scope and the controls applied.", + "data": "A data classification zone grouping assets by the sensitivity of the data they hold or process, such as public, internal, confidential, or restricted.", + "deployment": "A deployment environment grouping assets by lifecycle stage, such as development, staging, or production.", + "functional": "A 
functional grouping of assets that serve a common purpose or capability, independent of where or how they are deployed.", + "geographic": "A geographic or data-residency zone bounding assets to a region, country, or jurisdiction, used to reason about sovereignty and cross-border data flows.", + "logical": "A logical grouping of assets defined by architecture or design rather than physical placement.", + "network": "A network segmentation zone, such as a subnet, VLAN, or security group, within which assets share network-level reachability and controls.", + "organizational": "An organizational or administrative zone grouping assets under a common owner, team, or authority.", + "physical": "A physical zone bounding assets to a tangible location, such as a data centre, building, or device enclosure.", + "process": "A process or execution isolation zone, such as a sandbox, container runtime, or trusted execution environment, within which code runs with a defined level of isolation.", + "tenant": "A tenancy isolation zone separating the assets and data of one tenant from another in a multi-tenant system.", + "trust": "A security trust zone whose assets share a common level of trust, so that movement between trust zones is where authentication, authorization, and validation are enforced." + } + }, + { + "type": "object", + "title": "Custom Zone Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom zone type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom zone type." 
+ } + } + } + ] }, "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to parent zone if this is a sub-zone" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the parent zone if this is a sub-zone." }, "characteristics": { "type": "array", @@ -2131,7 +2319,7 @@ "items": { "type": "string" }, - "description": "Key characteristics of this zone" + "description": "Key characteristics of this zone." }, "constraints": { "type": "array", @@ -2140,7 +2328,7 @@ "items": { "type": "string" }, - "description": "Constraints or limitations of this zone" + "description": "Constraints or limitations of this zone." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" @@ -2150,7 +2338,7 @@ "boundary": { "type": "object", "title": "Boundary", - "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", + "description": "An edge that separates or connects two or more zones, marking a point where security controls, policies, or trust levels change. The controls expected when data or actors cross it are captured in crossingRequirements, and the threat model's trust boundary extends a boundary with trust semantics.", "required": [ "bom-ref", "zones" 
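Review bot: `parent` now accepts a refLinkType but nothing states that the zone hierarchy must be acyclic or that a zone may not name itself as its parent; JSON Schema cannot express that, so the description should carry it for consumers that walk the hierarchy: `"description": "Reference using bom-link or bom-ref to the parent zone if this is a sub-zone. A zone shall not reference itself as parent, directly or through its ancestors."`. The removal of `other` in favour of the Custom Zone Type object is a breaking change for documents that used it and is worth a `$comment` on the enum. The enclosing zone definition starts before this hunk.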
@@ -2164,31 +2352,56 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name of the boundary" + "description": "Name of the boundary." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "data", - "functional", - "network", - "organizational", - "other", - "physical", - "process", - "trust" - ], - "meta:enum": { - "data": "Data classification boundary", - "functional": "Functional boundary", - "network": "Network boundary or firewall", - "organizational": "Organizational boundary", - "other": "A boundary type not covered by the predefined enumeration", - "physical": "Physical security boundary", - "process": "Process or execution boundary", - "trust": "Trust boundary between different security zones" - } + "description": "The type of boundary. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Boundary Type", + "enum": [ + "data", + "functional", + "network", + "organizational", + "physical", + "process", + "trust" + ], + "meta:enum": { + "data": "A data classification boundary, crossed when data moves between zones of differing sensitivity, where reclassification, masking, or validation may apply.", + "functional": "A functional boundary between areas of differing responsibility or capability.", + "network": "A network boundary, such as a firewall, gateway, or security group, controlling reachability between network zones.", + "organizational": "An organizational or administrative boundary between assets under different ownership or authority.", + "physical": "A physical security boundary, such as a facility perimeter or device enclosure, between physical zones.", + "process": "A process or execution boundary between isolation contexts, such as between a sandbox and its host.", + "trust": "A trust boundary between zones of differing trust, the primary point at which authentication, authorization, and input validation are enforced and a key trigger for threat 
analysis." + } + }, + { + "type": "object", + "title": "Custom Boundary Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom boundary type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom boundary type." + } + } + } + ] }, "zones": { "type": "array", @@ -2196,13 +2409,16 @@ "uniqueItems": true, "minItems": 2, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "The zones this boundary connects or separates" + "description": "References using bom-link or bom-ref to the zones this boundary connects or separates." }, "crossingRequirements": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements" }, + "sessionManagement": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/sessionManagement" + }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } @@ -2211,7 +2427,7 @@ "crossingRequirements": { "type": "object", "title": "Crossing Requirements", - "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", + "description": "The security controls, policies, and constraints applied when data or actors cross a boundary between zones, such as the authentication and authorization enforced, the protocols permitted, and the validation, logging, and monitoring performed at the crossing.", "additionalProperties": false, "properties": { "authentication": { @@ -2221,7 +2437,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" }, - "description": "Authentication required to cross this boundary" + "description": "Authentication required to cross this boundary." }, "authorization": { "type": "array", 
@@ -2230,32 +2446,32 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
 },
- "description": "Authorization models enforced at this boundary"
+ "description": "Authorization models enforced at this boundary."
 },
 "dataValidation": {
 "type": "boolean",
 "title": "Data Validation",
- "description": "Whether data is validated when crossing this boundary"
+ "description": "Whether data is validated when crossing this boundary."
 },
 "dataTransformation": {
 "type": "boolean",
 "title": "Data Transformation",
- "description": "Whether data is transformed when crossing this boundary"
+ "description": "Whether data is transformed when crossing this boundary."
 },
 "logging": {
 "type": "boolean",
 "title": "Logging",
- "description": "Whether crossings are logged"
+ "description": "Whether crossings are logged."
 },
 "monitoring": {
 "type": "boolean",
 "title": "Monitoring",
- "description": "Whether crossings are monitored"
+ "description": "Whether crossings are monitored."
 },
 "rateLimit": {
 "type": "string",
 "title": "Rate Limit",
- "description": "Rate limiting policy"
+ "description": "Rate limiting policy."
 },
 "protocols": {
 "type": "array",
@@ -2264,10 +2480,213 @@ "items": { "type": "string" }, - "description": "Allowed protocols for crossing" + "description": "Allowed protocols for crossing." + } + } + }, + "sessionManagement": { + "type": "object", + "title": "Session Management", + "description": "The lifecycle of the authenticated session established at this boundary, covering session timeouts, access and refresh token validity, and logout behaviour. These properties characterize the session that results from authenticating, independently of the authentication method used.", + "additionalProperties": false, + "properties": { + "accessTokenExpires": { + "type": "boolean", + "title": "Access Token Expires", + "description": "Whether access tokens issued for this boundary expire." + }, + "accessTokenTtl": { + "type": "integer", + "title": "Access Token Time To Live", + "minimum": 0, + "description": "Validity period of an access token, in seconds." + }, + "refreshToken": { + "type": "boolean", + "title": "Refresh Token", + "description": "Whether refresh tokens are issued for this boundary." + }, + "refreshTokenExpires": { + "type": "boolean", + "title": "Refresh Token Expires", + "description": "Whether refresh tokens expire." + }, + "refreshTokenTtl": { + "type": "integer", + "title": "Refresh Token Time To Live", + "minimum": 0, + "description": "Validity period of a refresh token, in seconds." + }, + "idleTimeout": { + "type": "integer", + "title": "Idle Timeout", + "minimum": 0, + "description": "Period of inactivity after which the session ends, in seconds." + }, + "absoluteTimeout": { + "type": "integer", + "title": "Absolute Timeout", + "minimum": 0, + "description": "Period after session creation after which the session ends regardless of activity, in seconds." + }, + "userLogout": { + "type": "boolean", + "title": "User Logout", + "description": "Whether a user can explicitly end the session." 
+ }, + "systemLogout": { + "type": "boolean", + "title": "System Logout", + "description": "Whether the system can end the session without user action." + } + } + }, + "relationship": { + "type": "object", + "title": "Relationship", + "description": "A typed structural relationship from one element to one or more others, complementing the runtime exchanges captured by flows. The subject is `ref`, and the kind of relationship is expressed as a single typed property whose value lists the targets, mirroring the dependency graph for readability.", + "additionalProperties": false, + "required": [ + "ref" + ], + "oneOf": [ + { + "required": [ + "aggregates" + ] + }, + { + "required": [ + "associates" + ] + }, + { + "required": [ + "composes" + ] + }, + { + "required": [ + "contains" + ] + }, + { + "required": [ + "dependsOn" + ] + }, + { + "required": [ + "generalizes" + ] + }, + { + "required": [ + "realizes" + ] + }, + { + "required": [ + "serves" + ] + }, + { + "required": [ + "custom" + ] + } + ], + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to the subject element of the relationship." + }, + "aggregates": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Aggregates", + "description": "The subject is the whole in a whole-part relationship in which each target part may exist independently of the whole." + }, + "associates": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Associates", + "description": "The subject has a general association with each target." + }, + "composes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Composes", + "description": "The subject is the whole in a whole-part relationship in which each target part cannot exist without the whole." 
+ }, + "contains": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Contains", + "description": "The subject contains or nests each target." + }, + "dependsOn": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Depends On", + "description": "The subject depends on each target." + }, + "generalizes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Generalizes", + "description": "The subject is a generalisation of each target, as in inheritance." + }, + "realizes": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Realizes", + "description": "The subject realises or implements each target." + }, + "serves": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Serves", + "description": "The subject provides a service to each target." + }, + "custom": { + "type": "array", + "title": "Custom Relationships", + "description": "Relationships whose kind is not covered by the predefined properties. Each entry names the kind and lists its targets.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Custom Relationship", + "additionalProperties": false, + "required": [ + "type", + "targets" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "minLength": 1, + "description": "The name of the custom relationship kind." + }, + "targets": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/relationshipTargets", + "title": "Targets", + "description": "The targets of the custom relationship." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom relationship kind." 
+ } + } + } } } }, + "relationshipTargets": { + "type": "array", + "title": "Relationship Targets", + "description": "References using bom-link or bom-ref to the target elements of a relationship.", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, "flow": { "type": "object", "title": "Flow", 
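Review bot: sessionManagement lets contradictory combinations validate: `accessTokenExpires: false` alongside an `accessTokenTtl`, a `refreshTokenTtl` with `refreshToken: false`, and nothing ties `refreshTokenExpires` to `refreshToken`. Since the file declares draft 2020-12, `dependentSchemas` can express these couplings without changing the property shapes; the `properties` block stays as in the hunk. A TTL of `0` is also accepted by `minimum: 0` while its meaning (never expires, or already expired) is undocumented, so either state it in the description or raise the minimum to 1. Relative ordering such as idleTimeout not exceeding absoluteTimeout cannot be checked by the schema and should be named in the description as a consumer-side check.
```json
"sessionManagement": {
  "type": "object",
  "title": "Session Management",
  "additionalProperties": false,
  "dependentSchemas": {
    "accessTokenTtl": {
      "properties": { "accessTokenExpires": { "const": true } }
    },
    "refreshTokenExpires": {
      "properties": { "refreshToken": { "const": true } }
    },
    "refreshTokenTtl": {
      "properties": { "refreshToken": { "const": true }, "refreshTokenExpires": { "const": true } }
    }
  }
}
```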
@@ -2288,69 +2707,99 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name or description of the flow" + "description": "Name or description of the flow." }, "description": { "type": "string", "title": "Description", - "description": "Detailed description of what flows and why" + "description": "Detailed description of what flows and why." }, "type": { - "type": "string", "title": "Type", - "enum": [ - "control", - "data", - "dependency", - "event", - "interaction", - "message", - "other", - "physical", - "process", - "signal" - ], - "meta:enum": { - "control": "Control or command flow", - "data": "Data or information flow", - "dependency": "Dependency relationship", - "event": "Event or notification flow", - "interaction": "User or system interaction", - "message": "Message or communication flow", - "other": "A flow type not covered by the predefined enumeration", - "physical": "Physical movement of goods or materials", - "process": "Business process flow", - "signal": "Hardware or system signal" - } + "description": "The type of flow. Use the custom option for types not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Flow Type", + "enum": [ + "control", + "data", + "energy", + "event", + "financial", + "message", + "physical", + "process", + "signal" + ], + "meta:enum": { + "control": "Control or command flow.", + "data": "Data or information flow.", + "energy": "Power or energy flow.", + "event": "Event or notification flow.", + "financial": "Financial, value, or payment flow.", + "message": "Message or communication flow.", + "physical": "Physical movement of goods or materials.", + "process": "Business process flow.", + "signal": "Hardware or system signal." 
+ } + }, + { + "type": "object", + "title": "Custom Flow Type", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom flow type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom flow type." + } + } + } + ] }, "source": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the source asset" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the source of the flow. The source may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that originates the exchange." }, "destination": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the destination asset" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the destination of the flow. The destination may be either an asset (such as a component, service, data store, or other element in the blueprint) or an actor that receives the exchange." }, "bidirectional": { "type": "boolean", "title": "Bidirectional", "default": false, - "description": "Whether flow occurs in both directions" + "description": "Whether flow occurs in both directions." }, "synchronous": { "type": "boolean", "title": "Synchronous", - "description": "Whether the flow is synchronous or asynchronous" + "description": "Whether the flow is synchronous or asynchronous." + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the data carried by this flow is encrypted in transit." }, "volume": { "type": "string", "title": "Volume", - "description": "Expected volume or frequency of flow" + "description": "Expected volume or frequency of flow." 
}, "timing": { "type": "string", "title": "Timing", - "description": "Timing characteristics (real-time, batch, scheduled)" + "description": "Timing characteristics (real-time, batch, scheduled)." }, "protocols": { "type": "array", @@ -2359,10 +2808,25 @@ "items": { "type": "string" }, - "description": "Communication protocols used by this flow" + "description": "Communication protocols used by this flow." }, - "dataProfile": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "Data profiles that govern the data carried by this flow. A flow may carry data governed by multiple profiles, for example a payment submission carrying both payment card data and customer personally identifiable information. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice" + } + }, + "dataObjects": { + "type": "array", + "title": "Data Objects", + "description": "The specific data objects carried by this flow. Each object names a payload and may reference one of the flow's data profiles for its governing policy.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataObject" + } }, "authentication": { "type": "array", @@ -2371,7 +2835,7 @@ "items": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" }, - "description": "Authentication required for this flow" + "description": "Authentication required for this flow." }, "authorization": { "type": "array", 
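Review bot: The new `encrypted` flag says only that data is encrypted in transit, which leaves open whether that means end-to-end between `source` and `destination` or only on some hop (for instance transport encryption to a gateway that forwards onward in the clear), and that distinction is what a threat model needs from the field. The description should fix the meaning, e.g. `"description": "Whether the data carried by this flow is encrypted in transit end-to-end between source and destination; hop-by-hop protection should be modelled on the intermediate flows."`, with `protocols` remaining the place to name the mechanism. The removal of the `dependency` flow type presumably maps to the `dependsOn` relationship added in this patch and is worth a `$comment` on the enum. The enclosing flow definition starts before this hunk.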
@@ -2380,13 +2844,13 @@
 "items": {
 "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"
 },
- "description": "Authorization models enforced on this flow"
+ "description": "Authorization models enforced on this flow."
 },
 "sequence": {
 "type": "integer",
 "title": "Sequence",
 "minimum": 0,
- "description": "Ordering hint so flows can be assembled into sequence diagrams"
+ "description": "Ordering hint so flows can be assembled into sequence diagrams."
 },
 "properties": {
 "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
@@ -2396,51 +2860,26 @@ "actor": { "type": "object", "title": "Actor", - "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", + "description": "An actor is a contextual binding between a party and the modelled system. The party identifies who or what is acting (an organisation, person, system, or persona). The actor layer adds properties that are meaningful only within the blueprint, such as the permissions the actor holds in this system and the trust zone in which the actor operates. Identity, roles, archetype, and inter-party relations such as delegation are carried by the wrapped party and shall not be duplicated on the actor.", "required": [ "bom-ref", - "name", - "type" + "party" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this actor binding. References to actors from other parts of the blueprint, such as use cases or flows, use this identifier." }, - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "Name or title of the actor" + "party": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "title": "Party", + "description": "The party that this actor binds to the modelled system. May be an inline party object declaring identity and roles in place, or a bom-link or bom-ref to a party declared elsewhere in the document." 
}, "description": { "type": "string", "title": "Description", - "description": "Narrative describing the actor's role and context" - }, - "type": { - "type": "string", - "title": "Type", - "enum": [ - "administrator", - "agent", - "engineer", - "external", - "operator", - "other", - "system", - "user" - ], - "meta:enum": { - "administrator": "Administrative or privileged operator", - "agent": "Autonomous AI agent or intelligent software agent", - "engineer": "Developer or platform/DevOps engineer", - "external": "Third-party or external entity", - "operator": "Operational staff running the system", - "other": "An actor type not covered by the predefined enumeration", - "system": "Automated system actor or service account", - "user": "End user of a client application or service" - } + "description": "A narrative describing this actor's role within the modelled system, distinct from the party's identity-level description. Use to record context-specific framing such as why this actor is in scope or how it interacts with the assets in this blueprint." }, "permissions": { "type": "array", 
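Review bot: The new `actor` description states that delegation is carried by the wrapped party, and the following hunk removes `delegatedBy` from the actor, but when `party` is a bom-link or bom-ref to a shared party, a delegation recorded at party level no longer identifies which actor binding, with its blueprint-scoped `permissions` and `zone`, delegated to which; a human user authorising an AI agent is exactly the case the removed property described. If the party model only relates parties to parties, a threat model can no longer say that the agent acts with this actor's permissions inside this zone. Either keep an actor-level reference, `"delegatedBy": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", "description": "Reference to the actor binding that delegated execution to this actor." }`, or have the description state how delegation between two actor bindings in the same blueprint is to be expressed. The `actor` definition continues in the next hunk.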
@@ -2449,15 +2888,12 @@ "items": { "type": "string" }, - "description": "Permissions, capabilities, or duties the actor holds" - }, - "delegatedBy": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity" + "description": "The permissions, capabilities, or duties this actor holds within the modelled system. Distinct from any innate party-level capabilities; these are scoped to the blueprint." }, "zone": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the zone where the actor resides" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Zone", + "description": "Reference using bom-link or bom-ref to the trust zone in which the actor operates." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
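Review bot: `zone` now accepts a bom-link as well as a bom-ref, so the trust zone an actor operates in may live in another BOM that a consumer cannot resolve at validation time, and the description does not say how an unresolvable link is to be treated; a silently dropped zone assignment reads as "no trust boundary" to anything computing boundary crossings. Suggested wording: `"description": "Reference using bom-link or bom-ref to the trust zone in which the actor operates. Consumers that cannot resolve the reference shall treat the actor's zone as unknown, not as absent."` The opening lines of the `permissions` array, including any `title` or `uniqueItems`, are outside this hunk.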
@@ -2480,85 +2916,110 @@ "type": "string", "title": "Description", "minLength": 1, - "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies." }, "topic": { - "type": "string", "title": "Topic", - "enum": [ - "availability", - "business", - "compliance", - "operational", - "other", - "performance", - "security", - "technical" - ], - "meta:enum": { - "availability": "Assumption about system uptime, redundancy, or failover capabilities", - "business": "Assumption about business requirements, constraints, or organizational context", - "compliance": "Assumption about regulatory, legal, or policy compliance obligations", - "operational": "Assumption about operational procedures, staffing, or maintenance practices", - "other": "An assumption topic not covered by the predefined enumeration", - "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", - "security": "Assumption about threat landscape, trust boundaries, or security controls", - "technical": "Assumption about technology choices, capabilities, or technical constraints" - } - }, - "relatedAssets": { - "type": "array", - "title": "Related Assets", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" - }, - "validity": { - "type": "string", - "title": "Validity", - "enum": [ - "invalid", - "unknown", - "unverified", - "verified" + "description": "The topic of the assumption. 
Use the custom option for topics not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Assumption Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities.", + "business": "Assumption about business requirements, constraints, or organizational context.", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations.", + "operational": "Assumption about operational procedures, staffing, or maintenance practices.", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics.", + "security": "Assumption about threat landscape, trust boundaries, or security controls.", + "technical": "Assumption about technology choices, capabilities, or technical constraints." + } + }, + { + "type": "object", + "title": "Custom Assumption Topic", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assumption topic." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assumption topic." + } + } + } + ] + }, + "relatedAssets": { + "type": "array", + "title": "Related Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes." 
+ }, + "validity": { + "type": "string", + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + "verified" ], "meta:enum": { - "invalid": "The assumption has been disproven or is no longer applicable", - "unknown": "The validity of the assumption has not yet been assessed", - "unverified": "The assumption has been identified but not yet validated", - "verified": "The assumption has been confirmed as true through validation" + "invalid": "The assumption has been disproven or is no longer applicable.", + "unknown": "The validity of the assumption has not yet been assessed.", + "unverified": "The assumption has been identified but not yet validated.", + "verified": "The assumption has been confirmed as true through validation." }, "default": "unknown", - "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound." }, "impact": { "type": "string", "title": "Impact", - "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components." }, "owner": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model. 
May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "validationMethod": { "type": "string", "title": "Validation Method", - "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement." }, "validationDate": { "type": "string", "title": "Validation Date", "format": "date-time", - "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation." } } }, "visualization": { "type": "object", "title": "Visualization", - "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", + "description": "A visual representation of the model or a subset of its elements, capturing the diagram type, its content, and the elements depicted.", "required": [ "name", "type" 
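Review bot: `validity` can be set to `verified` with neither `validationMethod` nor `validationDate` present, so the state the hunk describes as tracked over time to keep modelling decisions sound is not auditable from the document alone. Since the document declares draft 2020-12, a conditional on the assumption object enforces this without changing defaults: `"if": { "properties": { "validity": { "const": "verified" } }, "required": [ "validity" ] },` followed by `"then": { "required": [ "validationDate" ] }`. Note also that `"format": "date-time"` on `validationDate` is an annotation unless validators enable format assertion, so on its own it does not reject free text. The assumption object's opening lines are outside this hunk.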
@@ -2572,29 +3033,24 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "Name or title of the visualization" + "description": "Name or title of the visualization." }, "description": { "type": "string", "title": "Description", - "description": "Description of what the visualization shows" + "description": "Description of what the visualization shows." }, "type": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType" }, - "format": { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat" - }, - "content": { - "type": "string", - "title": "Content", - "description": "The diagram content (source code or base64 encoded image)" + "attachment": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" }, "url": { "type": "string", "title": "URL", "format": "iri-reference", - "description": "URL to the diagram if stored externally" + "description": "URL to the diagram if stored externally." }, "level": { "type": "string", 
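Review bot: The new `attachment` property has no `description`, unlike every other property in `visualization`, and what it replaces (`content`, previously described as diagram source or a base64-encoded image) is active content for some diagram languages and for SVG, so the schema should say how consumers are expected to treat it. Suggested: `"description": "The diagram as inline content, either source in a diagram language or an encoded image. Consumers shall treat the attachment as untrusted input when rendering it."` Nothing requires at least one of `attachment` or `url`, which may be intended for placeholder visualizations but is worth stating in the object's description. The `visualization` object starts outside this hunk.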
@@ -2606,26 +3062,26 @@ "overview" ], "meta:enum": { - "detailed": "Fine-grained view showing implementation-level specifics", - "high": "High-level view showing major components and relationships", - "medium": "Intermediate view balancing breadth and depth", - "overview": "Top-level summary providing a broad perspective of the system" + "detailed": "Fine-grained view showing implementation-level specifics.", + "high": "High-level view showing major components and relationships.", + "medium": "Intermediate view balancing breadth and depth.", + "overview": "Top-level summary providing a broad perspective of the system." }, - "description": "Level of detail in the visualization" + "description": "Level of detail in the visualization." }, "elements": { "type": "array", "title": "Elements", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to elements shown in this visualization" + "description": "References using bom-link or bom-ref to elements shown in this visualization." }, "interactive": { "type": "boolean", "title": "Interactive", - "description": "Whether the visualization is interactive" + "description": "Whether the visualization is interactive." }, "layers": { "type": "array", @@ -2634,7 +3090,7 @@ "items": { "type": "string" }, - "description": "Layers or views available in the visualization" + "description": "Layers or views available in the visualization." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
@@ -2660,38 +3116,50 @@ "enum": [ "activity", "architecture", + "attack-tree", + "block", "class", "code", - "collaboration", + "communication", "component", "container", "context", - "dataFlow", + "data-flow", "deployment", "entity", + "flowchart", + "matrix", + "mind-map", "network", "process", "sequence", "state", - "useCase" + "timing", + "use-case" ], "meta:enum": { - "activity": "Activity or workflow diagram", - "architecture": "System architecture diagram", - "class": "Class or object diagram", - "code": "Code structure diagram", - "collaboration": "Collaboration diagram", - "component": "Component diagram", - "container": "Container diagram (C4)", - "context": "Context diagram", - "dataFlow": "Data flow diagram (DFD)", - "deployment": "Deployment or infrastructure diagram", - "entity": "Entity relationship diagram", - "network": "Network topology diagram", - "process": "Business process diagram", - "sequence": "Sequence or interaction diagram", - "state": "State machine diagram", - "useCase": "Use case diagram" + "activity": "Activity or workflow diagram.", + "architecture": "System architecture diagram.", + "attack-tree": "Attack tree diagram showing alternative paths to a goal.", + "block": "Block diagram, including SysML block definition and internal block diagrams.", + "class": "Class or object diagram.", + "code": "Code structure diagram.", + "communication": "Communication diagram, formerly known as the collaboration diagram.", + "component": "Component diagram.", + "container": "Container diagram, as in C4.", + "context": "Context diagram.", + "data-flow": "Data flow diagram, or DFD.", + "deployment": "Deployment or infrastructure diagram.", + "entity": "Entity relationship diagram.", + "flowchart": "Flowchart depicting steps or decision logic.", + "matrix": "Matrix diagram, such as a dependency structure or traceability matrix.", + "mind-map": "Mind map diagram for decomposition or brainstorming.", + "network": "Network topology diagram.", + 
"process": "Business process diagram.", + "sequence": "Sequence or interaction diagram.", + "state": "State machine diagram.", + "timing": "Timing diagram showing state changes over time.", + "use-case": "Use case diagram." } } } 
@@ -2708,240 +3176,261 @@ "type": "string", "title": "Name", "minLength": 1, - "description": "The name of the custom visualization type" + "description": "The name of the custom visualization type." }, "description": { "type": "string", "title": "Description", - "description": "A description of the custom visualization type" + "description": "A description of the custom visualization type." } } } ] }, - "visualizationFormat": { + "assetClassification": { "type": "object", - "title": "Visualization Format", - "description": "The rendering format or toolchain used to produce the visualization.", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories." + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search." + } + } + }, + "ownership": { + "type": "array", + "title": "Ownership", + "description": "Parties responsible for the asset. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the relationship (`owner`, `steward`, `custodian`, `end-user`, or a custom role). 
Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + } + }, + "authenticationType": { + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity, either a predefined value from the enumeration or a custom object describing a method not covered by the enumeration.", "oneOf": [ { - "title": "Predefined Visualization Format", - "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", - "required": [ - "format" + "type": "string", + "title": "Predefined Authentication Type", + "description": "A predefined authentication method from the enumeration.", + "enum": [ + "api-key", + "basic", + "bearer", + "biometric", + "certificate", + "digest", + "eap", + "fido2", + "form", + "hmac", + "jwt", + "kerberos", + "ldap", + "magic-link", + "mtls", + "none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "pin", + "psk", + "push", + "radius", + "saml", + "scram", + "session-cookie", + "ssh", + "totp" ], - "additionalProperties": false, - "properties": { - "format": { - "type": "string", - "title": "Format", - "enum": [ - "archimate", - "cytoscape", - "d3", - "drawio", - "graphviz", - "jpeg", - "mermaid", - "plantuml", - "png", - "svg", - "visio" - ], - "meta:enum": { - "archimate": "ArchiMate model format", - "cytoscape": "Cytoscape graph format", - "d3": "D3.js visualization", - "drawio": "Draw.io/diagrams.net format", - "graphviz": "GraphViz DOT language", - "jpeg": "JPEG image format", - "mermaid": "Mermaid diagram language", - "plantuml": "PlantUML diagram language", - "png": "Portable Network Graphics", - "svg": "Scalable Vector Graphics", - "visio": "Microsoft Visio format" - } - } + "meta:enum": { + "api-key": "API key authentication.", + "basic": "HTTP Basic authentication (RFC 7617), where the browser presents a native 
credential dialog and the username and password are sent on each request.", + "bearer": "Bearer token authentication.", + "biometric": "Biometric authentication, such as fingerprint or face recognition.", + "certificate": "Certificate-based authentication.", + "digest": "Digest authentication.", + "eap": "Extensible Authentication Protocol, commonly used with IEEE 802.1X.", + "fido2": "FIDO2 or WebAuthn passwordless authentication.", + "form": "Form-based authentication, where credentials such as a username and password are submitted through an application login form rather than the browser-native HTTP Basic dialog.", + "hmac": "HMAC request signing using a shared secret key.", + "jwt": "JSON Web Token authentication.", + "kerberos": "Kerberos authentication.", + "ldap": "LDAP directory authentication.", + "magic-link": "Passwordless authentication using a single-use link.", + "mtls": "Mutual TLS authentication.", + "none": "No authentication required.", + "ntlm": "NTLM authentication.", + "oauth1": "OAuth 1.0 authentication.", + "oauth2": "OAuth 2.0 authentication.", + "oidc": "OpenID Connect authentication.", + "pin": "Personal identification number, a short secret used as a knowledge factor, such as a device or application unlock PIN.", + "psk": "Pre-shared key authentication.", + "push": "Out-of-band push approval, where a prompt is sent to a registered device or application for the user to approve or deny, optionally confirmed by matching a displayed number.", + "radius": "RADIUS authentication.", + "saml": "SAML authentication.", + "scram": "Salted Challenge Response Authentication Mechanism.", + "session-cookie": "Session authentication using a server-side session identified by a cookie.", + "ssh": "SSH key authentication.", + "totp": "Time-based one-time password authentication." 
} }, { - "title": "Custom Visualization Format", - "description": "A custom visualization format not covered by the predefined enumeration.", + "type": "object", + "title": "Custom Authentication Type", + "description": "A custom authentication method not covered by the predefined enumeration, allowing organisations to describe proprietary, emerging, or composite authentication approaches.", + "additionalProperties": false, "required": [ "name" ], - "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "The name of the custom visualization format" + "description": "The name of the custom authentication method." }, "description": { "type": "string", "title": "Description", - "description": "A description of the custom visualization format" + "description": "A description of the custom authentication method, including how identity is verified and any relevant constraints." } } } ] }, - "assetClassification": { - "type": "object", - "additionalProperties": false, - "properties": { - "criticality": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" - }, - "sensitivity": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" - }, - "dataClassification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "tier": { + "authorizationType": { + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions, either a predefined value from the enumeration or a custom object describing a model not covered by the enumeration.", + "oneOf": [ + { "type": "string", + "title": "Predefined Authorization Type", + "description": "A predefined authorization model from the enumeration.", "enum": [ - "tier0", - "tier1", - "tier2", - "tier3", - "tier4" + "abac", + "acl", + "capability", + "dac", + "mac", + "none", + "pbac", + "radac", + "rbac", + "rebac" ], "meta:enum": { - "tier0": "Mission critical - highest priority", - 
"tier1": "Business critical - high priority", - "tier2": "Business important - medium priority", - "tier3": "Business supporting - low priority", - "tier4": "Non-critical - minimal priority" + "abac": "Attribute-Based Access Control.", + "acl": "Access Control Lists.", + "capability": "Capability-Based Access Control.", + "dac": "Discretionary Access Control.", + "mac": "Mandatory Access Control.", + "none": "No authorization controls.", + "pbac": "Policy-Based Access Control.", + "radac": "Risk-Adaptive Access Control.", + "rbac": "Role-Based Access Control.", + "rebac": "Relationship-Based Access Control." } }, - "categories": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Business or technical categories" - }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tags for classification and search" + { + "type": "object", + "title": "Custom Authorization Type", + "description": "A custom authorization model not covered by the predefined enumeration, allowing organisations to describe proprietary, domain-specific, or composite access control models.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom authorization model." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom authorization model, including how access decisions are made and any relevant constraints." 
+ } + } } - } - }, - "dataProfile": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + ] + } + } + }, + "cyclonedx-business-objective-2.0": { + "type": "null", + "title": "CycloneDX Business Objective Model", + "$defs": { + "businessObjectives": { + "type": "array", + "title": "Business Objectives", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjective" + }, + "description": "A collection of reusable business objectives that other elements may reference." }, - "ownership": { + "businessObjective": { "type": "object", - "title": "Ownership", - "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.", + "title": "Business Objective", + "description": "A business goal that a subject supports and that threats, risks, use cases, and requirements can be traced back to. Business objectives anchor risk-centric analysis, such as the first stage of PASTA, where threats and risks are evaluated against what the organization is trying to achieve.", + "required": [ + "bom-ref", + "name" + ], "additionalProperties": false, "properties": { - "owner": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Primary owner of the asset" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the business objective." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the business objective." }, - "steward": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Steward responsible for the asset" + "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality", + "description": "The business criticality of the objective." 
}, - "custodian": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Custodian responsible for protecting the asset" + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for this objective. May be an inline party object or a reference to a previously declared party." }, - "users": { + "externalReferences": { "type": "array", - "title": "Users", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" - }, - "description": "Primary users of the asset" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - }, - "authenticationType": { - "type": "string", - "title": "Authentication Type", - "description": "The authentication method or protocol used to verify identity.", - "enum": [ - "apiKey", - "basic", - "bearer", - "certificate", - "custom", - "digest", - "fido2", - "jwt", - "kerberos", - "ldap", - "mfa", - "mTLS", - "none", - "ntlm", - "oauth1", - "oauth2", - "oidc", - "saml", - "ssh" - ], - "meta:enum": { - "apiKey": "API key authentication", - "basic": "Basic authentication (username/password)", - "bearer": "Bearer token authentication", - "certificate": "Certificate-based authentication", - "custom": "Custom authentication method", - "digest": "Digest authentication", - "fido2": "FIDO2/WebAuthn passwordless authentication", - "jwt": "JSON Web Token authentication", - "kerberos": "Kerberos authentication", - "ldap": "LDAP directory authentication", - "mfa": "Multi-factor authentication", - "mTLS": "Mutual TLS authentication", - "none": "No authentication required", - "ntlm": "NTLM authentication", - "oauth1": "OAuth 1.0 authentication", - "oauth2": "OAuth 2.0 authentication", - "oidc": "OpenID Connect authentication", - "saml": "SAML authentication", - "ssh": "SSH key authentication" - } - }, - 
"authorizationType": { - "type": "string", - "title": "Authorization Type", - "description": "The authorization model used to determine and enforce access permissions.", - "enum": [ - "abac", - "acl", - "cbac", - "custom", - "dac", - "mac", - "none", - "other", - "pbac", - "rbac", - "rebac" - ], - "meta:enum": { - "abac": "Attribute-Based Access Control", - "acl": "Access Control Lists", - "cbac": "Claims-Based Access Control", - "custom": "Custom authorization model", - "dac": "Discretionary Access Control", - "mac": "Mandatory Access Control", - "none": "No authorization controls", - "other": "Other authorization model not listed", - "pbac": "Policy-Based Access Control", - "rbac": "Role-Based Access Control", - "rebac": "Relationship-Based Access Control" - } } } }, @@ -4031,6 +4520,14 @@ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", "title": "Component Patent(s)" }, + "requirementAssertions": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementAssertions", + "title": "Component Requirement(s)" + }, + "useCaseAssertions": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCaseAssertions", + "title": "Component Use Case(s)" + }, "identifiers": { "$ref": "#/$defs/cyclonedx-component-2.0/$defs/identifiers" }, 
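Review bot: `assetClassification` still has no `title` or `description`, while every sibling definition in this hunk (`ownership`, `authenticationType`, `authorizationType`, `businessObjective`) carries both; with `sensitivity` and `tier` removed and `dataClassification` renamed to `classification`, a one-line statement of what the object now classifies is needed, e.g. `"title": "Asset Classification", "description": "Criticality, data classification, and categorisation applied to an asset."`. The `categories` and `tags` arrays, and `externalReferences` on `businessObjective`, lack the `title` and `uniqueItems` that the other arrays in this hunk have. Separately, `mfa` was dropped from `authenticationType` while `pin`, `push` and `totp` were added; because the flow's `authentication` property is an array of this type, the definition should state whether multiple entries mean all factors are required or any one suffices, otherwise a multi-factor flow and a flow offering alternative single factors look identical.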
@@ -4890,45 +5387,271 @@ } } }, - "cyclonedx-cryptography-2.0": { + "cyclonedx-control-2.0": { "type": "null", - "title": "CycloneDX Cryptography Model", + "title": "CycloneDX Control Model", "$defs": { - "cryptoProperties": { + "controls": { + "type": "array", + "title": "Controls", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/control" + }, + "description": "The safeguards and countermeasures that are recommended or in place. Controls may be declared on their own for governance, risk, and compliance use cases, or referenced from threats, trust boundaries, and risk responses." + }, + "control": { "type": "object", - "title": "Cryptographic Properties", - "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", - "additionalProperties": false, + "title": "Control", + "description": "A safeguard or countermeasure that protects systems, data, or operations. A control binds the elements that implement it to the requirements it satisfies, and records its implementation status and assessed effectiveness.", "required": [ - "assetType" + "bom-ref", + "name" ], + "additionalProperties": false, "properties": { - "assetType": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the control elsewhere using a bom-ref or bom-link." + }, + "name": { "type": "string", - "title": "Asset Type", - "description": "Cryptographic assets occur in several forms. 
Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", - "enum": [ - "algorithm", - "certificate", - "protocol", - "related-crypto-material" - ], - "meta:enum": { - "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", - "certificate": "An electronic document that is used to provide the identity or validate a public key.", - "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", - "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." - } + "minLength": 1, + "title": "Name", + "description": "The name of the control." }, - "algorithmProperties": { - "type": "object", - "title": "Algorithm Properties", - "description": "Additional properties specific to a cryptographic algorithm.", - "additionalProperties": false, - "properties": { - "primitive": { - "type": "string", - "title": "primitive", + "description": { + "type": "string", + "title": "Description", + "description": "A description of the control." + }, + "category": { + "title": "Category", + "description": "The category of the control. 
Use the custom option for a category specific to an organization's taxonomy.", + "oneOf": [ + { + "title": "Predefined Control Category", + "type": "string", + "enum": [ + "preventive", + "detective", + "corrective", + "compensating", + "deterrent", + "recovery" + ], + "meta:enum": { + "preventive": "Prevents an unwanted event from occurring.", + "detective": "Identifies and records that an unwanted event has occurred or is occurring.", + "corrective": "Remedies the condition that allowed an unwanted event.", + "compensating": "Provides an alternative safeguard where a primary control is not feasible.", + "deterrent": "Discourages an actor from attempting an unwanted action.", + "recovery": "Restores operations after an unwanted event." + } + }, + { + "title": "Custom Control Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom category." + } + } + } + ] + }, + "status": { + "title": "Status", + "description": "The implementation status of the control.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/implementationStatus" + }, + "appliesTo": { + "type": "array", + "title": "Applies To", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the elements the control protects, such as components, services, zones, or boundaries. A control without this property applies to the organization or system as a whole." 
+ }, + "implementedBy": { + "type": "array", + "title": "Implemented By", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the components, services, formulation workflows, or parties that implement the control." + }, + "satisfies": { + "type": "array", + "title": "Satisfies", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the requirements the control satisfies, including requirements defined within standards." + }, + "effectiveness": { + "title": "Effectiveness", + "description": "The assessed effectiveness of the control.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/effectiveness" + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for the control. May be an inline party object or a reference to a previously declared party." + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "implementationStatus": { + "title": "Implementation Status", + "description": "The implementation status of a control or response. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Implementation Status", + "type": "string", + "enum": [ + "recommended", + "proposed", + "approved", + "rejected", + "planned", + "in-progress", + "implemented", + "verified", + "decommissioned" + ], + "meta:enum": { + "recommended": "Suggested by a producer, standard, or assessor. 
Not yet entered into the adopting organization's decision process.", + "proposed": "Entered into the adopting organization's decision process but not yet approved.", + "approved": "Approved for implementation.", + "rejected": "Considered and declined, with no intent to implement.", + "planned": "Implementation is planned.", + "in-progress": "Implementation is in progress.", + "implemented": "Implemented and in effect.", + "verified": "Implemented and verified as effective.", + "decommissioned": "Removed from service." + } + }, + { + "title": "Custom Implementation Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] + }, + "effectiveness": { + "type": "object", + "title": "Effectiveness", + "description": "The measured or assessed effectiveness of a control or response.", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Percentage", + "description": "Effectiveness as a decimal from 0 to 1." + }, + "rating": { + "type": "string", + "title": "Rating", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk.", + "marginal": "Slightly reduces risk.", + "adequate": "Adequately reduces risk.", + "good": "Significantly reduces risk.", + "excellent": "Nearly eliminates risk." + }, + "description": "Effectiveness as a qualitative rating." 
+ } + } + } + } + }, + "cyclonedx-cryptography-2.0": { + "type": "null", + "title": "CycloneDX Cryptography Model", + "$defs": { + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." 
+ } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", "enum": [ "drbg", @@ -6085,10 +6808,19 @@ "type": "null", "title": "CycloneDX Data Model", "$defs": { + "dataProfiles": { + "type": "array", + "title": "Data Profiles", + "description": "A catalogue of reusable data profile definitions. Each entry is a complete inline data profile carrying its own bom-ref so other objects may reference it.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + } + }, "dataProfile": { "type": "object", "title": "Data Profile", - "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "description": "Captures the classification, information types, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", "required": [ "name" ], 
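Review bot: `effectiveness` declares `additionalProperties: false` but neither `required` nor `minProperties`, so `"effectiveness": {}` validates while carrying no assessment at all; `"minProperties": 1` (or an `anyOf` requiring `percentage` or `rating`) would reject the empty object. The `percentage` property is bounded by `minimum: 0` / `maximum: 1` and described as "a decimal from 0 to 1", yet its name and `"title": "Percentage"` read as a 0–100 scale, which is the kind of unit ambiguity that produces silent 100x errors in consumers; either make the scale visible, `"title": "Effectiveness (0-1)"`, or rename the key now, since renaming after publication breaks consumers. The `cyclonedx-cryptography-2.0` lines at the end of this hunk appear to be moved rather than changed, so I have not reviewed them as new code.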
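Review bot: The `dataProfiles` description states that each catalogue entry carries its own `bom-ref` so other objects may reference it, but `items` only `$ref`s `dataProfile`, whose `required` list at the end of this hunk is `["name"]`, so an unreferenceable catalogue entry validates. Wrapping the item schema enforces the stated contract: `"items": { "allOf": [ { "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" }, { "required": [ "bom-ref" ] } ] }`; under draft 2020-12 an extra `required` in `allOf` does not conflict with `additionalProperties: false` inside the referenced schema. Without it, a dangling `profile` reference elsewhere in the document cannot be distinguished from a catalogue entry that simply forgot its identifier.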
@@ -6096,13 +6828,13 @@ "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Unique identifier for this data profile" + "description": "Unique identifier for this data profile." }, "name": { "type": "string", "title": "Name", "minLength": 1, - "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes.", + "description": "The name or label that identifies this data profile, such as the name of the dataset, information asset, or data domain it describes.", "examples": [ "Customer PII Dataset", "Transaction Logs", 
@@ -6114,92 +6846,32 @@ "title": "Description", "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." }, - "sensitivity": { - "type": "string", - "title": "Sensitivity", - "enum": [ - "confidential", - "internal", - "public", - "restricted", - "classified" - ], - "description": "Data sensitivity classification.", - "meta:enum": { - "confidential": "Confidential information requiring protection", - "internal": "Internal use only within the organization", - "public": "Public information that can be freely shared", - "restricted": "Highly restricted information with limited access and special protection measures", - "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations" - } - }, "classification": { - "title": "Classification", - "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", - "oneOf": [ - { - "title": "Predefined Classification", - "description": "A predefined data classification from the enumeration.", - "type": "object", - "additionalProperties": false, - "required": [ - "type" - ], - "properties": { - "type": { - "type": "string", - "title": "Type", - "enum": [ - "credentials", - "financial", - "intellectualProperty", - "logs", - "operational", - "other", - "pci", - "phi", - "pii", - "safety", - "telemetry" - ], - "meta:enum": { - "credentials": "Secrets, tokens, or credentials", - "financial": "Financial statements or transaction data", - "intellectualProperty": "Intellectual property or trade secrets", - "logs": "Operational or security log data", - "operational": "Operational or process data", - "other": "Other data classification not listed", - "pci": "Payment card industry data", - 
"phi": "Protected health information", - "pii": "Personally identifiable information", - "safety": "Safety critical data or signals", - "telemetry": "System or product telemetry data" - } - } - } - }, - { - "title": "Custom Classification", - "description": "A custom data classification not covered by the predefined enumeration.", - "type": "object", - "additionalProperties": false, - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "minLength": 1, - "description": "The name of a custom data classification not covered by the predefined enumeration" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the custom data classification" - } + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification", + "description": "The classification of the data, indicating the level of protection required. A data profile carries a single classification reflecting the highest applicable level for the data it describes." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in the data. A data profile may contain multiple information types, for example a profile may carry both personally identifiable information and financial data. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType" + }, + "examples": [ + [ + "pii", + "financial" + ], + [ + "phi", + "biometric", + { + "name": "minor-health-data", + "description": "Health information for individuals under 18, subject to COPPA and HIPAA." } - } + ] ] }, "subjects": { 
@@ -6285,22 +6957,6 @@ ] ] }, - "dataTypes": { - "type": "array", - "title": "Data Types", - "uniqueItems": true, - "items": { - "type": "string" - }, - "description": "The specific types of data elements contained within this dataset.", - "examples": [ - [ - "email address", - "date of birth", - "IP address" - ] - ] - }, "schema": { "type": "array", "title": "Schema", @@ -6321,7 +6977,7 @@ "title": "Access", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." }, @@ -6330,7 +6986,7 @@ "title": "Collection", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." }, @@ -6339,7 +6995,7 @@ "title": "Disposal", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." }, 
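Review bot: Switching `items` from `refType` to `refLinkType` on `access` lets these lifecycle arrays carry bom-link references to requirements in other documents, but the description still reads only "References to requirement objects …", whereas every new definition in this patch says "References using bom-link or bom-ref to …". The same applies to the `collection` and `disposal` hunks on this line and to the `handling`, `processing`, `retention` and `sharing` hunks that follow; a consistent rewording is `"description": "References using bom-link or bom-ref to requirement objects that define who may access the data and under what conditions, …"`. A cross-document reference also means a consumer cannot confirm from the local document that the target is a requirement object, which is worth a sentence in the description since access and disposal rules are the ones a policy engine will act on.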
@@ -6348,7 +7004,7 @@ "title": "Handling", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." }, @@ -6357,7 +7013,7 @@ "title": "Processing", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." }, 
@@ -6366,16 +7022,26 @@ "title": "Retention", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." }, + "ttl": { + "type": "integer", + "title": "Time to Live", + "minimum": 1, + "description": "The time-to-live in seconds for transient data that is not persisted, such as protected health information carried inside a short-lived JSON Web Token or sensitive material held in memory for the duration of a single request. Distinct from retention, which applies to persisted data and is governed by requirement objects.", + "examples": [ + 300, + 3600 + ] + }, "sharing": { "type": "array", "title": "Sharing", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." }, 
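Review bot: `ttl` carries its unit only in the prose of its description; `"title": "Time to Live"` and the bare integer examples give no hint that the value is seconds, so a consumer reading the title or examples alone may take 300 as milliseconds or minutes. Put the unit where it is visible, `"title": "Time to Live (seconds)"`, or, if the key is still open before release, name it `ttlSeconds`. Nothing prevents `ttl` and `retention` from both being set on one profile even though the description presents them as distinct cases; if they are meant to be exclusive, a `dependentSchemas` or `not` constraint would enforce it, otherwise a sentence stating that both may coexist removes the ambiguity.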
@@ -6384,15 +7050,299 @@ } } }, - "subject": { + "dataProfileChoice": { + "title": "Data Profile Choice", + "description": "A data profile represented either as a complete inline object or as a reference to a previously declared profile. References use bom-link or bom-ref to point at a profile declared in the root profiles catalogue or elsewhere in the document.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to a previously declared data profile." + } + ] + }, + "dataObject": { "type": "object", - "title": "Subject", - "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. Subjects may include named individuals, organizations, demographic groups, protected classes, technologies, devices, locations, or any other identifiable topic of the data.", + "title": "Data Object", + "description": "A specific data payload such as a message, record, or document. Distinct from a data profile, which is a policy template; a data object is an instance whose name, schema, format, and field-level attributes describe a concrete payload. The governing policy is supplied by an optional reference to a data profile. A single profile may govern many data objects; each data object refers to at most one profile.", "required": [ - "name", - "type" + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this data object." 
+ }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the data object, such as the name of the message, record, document, or table row it represents.", + "examples": [ + "user_registration", + "payment_request", + "audit_event" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the data object, including its purpose, origin, and any context relevant to interpreting its attributes." + }, + "profile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfileChoice", + "title": "Profile", + "description": "The data profile that governs this object's classification, information types, and lifecycle requirements. May be an inline profile object or a reference using bom-link or bom-ref to a previously declared profile." + }, + "informationTypes": { + "type": "array", + "title": "Information Types", + "description": "The types of information contained in this object. May refine or extend the information types declared on the referenced profile. Each entry is either a predefined value from the enumeration or a custom object describing an information type not covered by the enumeration.", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType" + } + }, + "schema": { + "type": "object", + "title": "Schema", + "description": "The structural contract describing this object's shape, such as a JSON Schema, XSD, Avro schema, or Protobuf descriptor.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the schema document." 
+ }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "Media type of the schema, for example application/schema+json, application/xml, or application/vnd.apache.avro+json.", + "examples": [ + "application/schema+json", + "application/xml", + "application/vnd.apache.avro+json" + ] + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the schema, such as its version or compatibility expectations." + } + } + }, + "format": { + "type": "object", + "title": "Format", + "description": "The serialisation or encoding format of this object, such as application/json, text/csv, or application/hl7-v2.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL or URN pointing to the format specification." + }, + "mediaType": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "Additional notes about the format." + } + } + }, + "attributes": { + "type": "array", + "title": "Attributes", + "description": "The fields, columns, or properties contained in this object. 
Each attribute may carry a typed information type to support field-level classification and compliance analysis.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataAttribute" + } + }, + "relationships": { + "type": "array", + "title": "Relationships", + "description": "Relationships from this data object to other data objects, such as the associations between entities in a logical or conceptual data model.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataRelationship" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataAttribute": { + "type": "object", + "title": "Data Attribute", + "description": "A single field, column, or property within a data object. Carries an optional information type so that producers and consumers can classify and reason about data at field granularity rather than only at the object level.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this attribute, enabling it to be referenced as a key target." + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the attribute as it appears in the data object, such as a field name, column name, or property key.", + "examples": [ + "email", + "dateOfBirth", + "panToken", + "amount" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of the attribute, such as its semantics, expected values, or constraints." + }, + "informationType": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/informationType", + "title": "Information Type", + "description": "The information type carried by this attribute. Field-level typing enables compliance analysis at finer granularity than the object-level information types." 
+ }, + "required": { + "type": "boolean", + "title": "Required", + "description": "Indicates whether the attribute is required for the data object to be valid." + }, + "sensitive": { + "type": "boolean", + "title": "Sensitive", + "description": "Indicates whether the attribute carries sensitive content that warrants extra protection beyond the object-level classification, such as masking in logs or stricter access controls." + }, + "key": { + "type": "string", + "title": "Key", + "enum": [ + "primary", + "foreign", + "unique" + ], + "meta:enum": { + "primary": "The attribute is part of the primary key that uniquely identifies the data object.", + "foreign": "The attribute is a foreign key referencing another data object.", + "unique": "The attribute carries a uniqueness constraint." + }, + "description": "The key role of the attribute within the data object." + }, + "references": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "References", + "description": "For a foreign key, a reference using bom-link or bom-ref to the data object or attribute it refers to." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataRelationship": { + "type": "object", + "title": "Data Relationship", + "description": "A relationship from one data object to another, such as an association between entities in a logical or conceptual data model, carrying its cardinality and optionally the attributes that participate.", + "additionalProperties": false, + "required": [ + "target", + "cardinality" ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the relationship, such as the role or verb that describes it." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the relationship." 
+ }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Target", + "description": "Reference using bom-link or bom-ref to the related data object." + }, + "cardinality": { + "type": "string", + "title": "Cardinality", + "enum": [ + "one-to-one", + "one-to-many", + "many-to-one", + "many-to-many" + ], + "meta:enum": { + "one-to-one": "Each record of the source relates to at most one record of the target, and the reverse.", + "one-to-many": "Each record of the source relates to many records of the target.", + "many-to-one": "Many records of the source relate to one record of the target.", + "many-to-many": "Many records of the source relate to many records of the target." + }, + "description": "The cardinality of the relationship." + }, + "sourceAttributes": { + "type": "array", + "title": "Source Attributes", + "description": "References using bom-link or bom-ref to the attributes on this data object that participate in the relationship, such as the foreign key columns.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "targetAttributes": { + "type": "array", + "title": "Target Attributes", + "description": "References using bom-link or bom-ref to the attributes on the target data object that the relationship refers to, such as the primary key columns.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "subject": { + "type": "object", + "title": "Subject", + "description": "An entity, group, category, or thing that the data is about or pertains to. Subjects identify who or what the data describes, which is critical for determining applicable regulations, privacy obligations, and handling requirements. 
A subject is identified in one of three ways: inline by `name` and `type`, by an inline `party` object, or by `ref` pointing at any bom-ref'd element declared elsewhere in the document (a party, component, service, asset, dataset, or other element). At least one of these forms shall be supplied. Subject-context attributes such as protected-class status, applicable jurisdictions, and applicable regulations are carried here regardless of which identification form is used.", "additionalProperties": false, + "anyOf": [ + { + "required": [ + "name", + "type" + ] + }, + { + "required": [ + "party" + ] + }, + { + "required": [ + "ref" + ] + } + ], "examples": [ { "name": "EU Residents", @@ -6407,8 +7357,7 @@ ] }, { - "name": "Pediatric Patients", - "type": "group", + "ref": "party-pediatric-patients", "protectedClass": true, "jurisdictions": [ "US" @@ -6419,8 +7368,18 @@ ] }, { - "name": "GPT-4 Model", - "type": "technology", + "party": { + "roles": [ + { + "role": "data-subject" + } + ], + "persona": { + "archetype": "customer", + "scope": "external", + "description": "Fleet vehicle owners enrolled in the connected-services platform." + } + }, "protectedClass": false } ], @@ -6428,7 +7387,7 @@ "name": { "type": "string", "title": "Name", - "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor.", + "description": "The name identifying the subject of the data, such as a specific entity name, group label, or category descriptor. Optional when `party` or `ref` is supplied.", "minLength": 1, "examples": [ "EU Residents", 
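Review bot: `dataObject.schema.mediaType` is a free-form string with `examples` while `dataObject.format.mediaType` uses `$ref` to the common `mediaType` definition, so the same concept is validated differently within one object; pointing `schema.mediaType` at `"$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType"` and keeping `examples` as a sibling makes them consistent. In `dataAttribute`, `references` is documented as applying to foreign keys but nothing ties it to `"key": "foreign"`; if that coupling is intended, `"dependentRequired": { "references": [ "key" ] }` or an `if`/`then` on `key` enforces it, otherwise the description should say the reference is permitted for any key role. `dataRelationship.bom-ref` is the only `bom-ref` in this hunk without a `description`; `"description": "Unique identifier for this relationship."` matches the sibling definitions.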
@@ -6439,7 +7398,7 @@ "type": { "type": "string", "title": "Type", - "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices.", + "description": "A free-form category describing the kind of subject. Organizations should establish consistent terminology within their data governance practices. Optional when `party` or `ref` is supplied.", "minLength": 1, "examples": [ "individual", @@ -6447,6 +7406,16 @@ "technology" ] }, + "party": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/party", + "title": "Party", + "description": "An inline party object identifying the subject. Use this when the subject is best modelled as a party (organization, person, system, or persona) and has not been declared elsewhere in the document. The party's `roles` should include `data-subject`." + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "Reference using bom-link or bom-ref to any element declared elsewhere in the document that identifies the subject, such as a party, component, service, asset, dataset, or other bom-ref'd element. Use this when the subject is already represented elsewhere and you want to point at it rather than redeclare it." + }, "protectedClass": { "type": "boolean", "title": "Protected Class", 
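Review bot: Nothing in the new `party` and `ref` properties stops a subject from carrying both at once, although their descriptions present them as alternative identification forms, and a consumer would have to guess which one is authoritative when they disagree. If exactly one form is intended, add `"not": { "required": [ "party", "ref" ] }` next to the existing `anyOf`, or else state in both descriptions which takes precedence when both are present. The sentence "The party's `roles` should include `data-subject`" is advisory only; if the role is expected, say so explicitly ("is not enforced by the schema") so validators are not assumed to check it. The enclosing `subject` definition and its `anyOf` start in an earlier hunk outside this one.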
@@ -6570,92 +7539,132 @@ } }, "dataClassification": { - "type": "string", "title": "Data Classification", - "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." - }, - "dataSensitivity": { - "type": "string", - "title": "Data Sensitivity", - "description": "Classifies the sensitivity of data to indicate the level of protection required.", - "enum": [ - "confidential", - "internal", - "public", - "restricted" - ], - "meta:enum": { - "confidential": "Confidential information requiring protection", - "internal": "Internal use only within the organization", - "public": "Public information that can be freely shared", - "restricted": "Highly restricted information with limited access" - } - }, - "dataGovernance": { - "type": "object", - "title": "Data Governance", - "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", - "additionalProperties": false, - "properties": { - "custodians": { - "type": "array", - "title": "Data Custodians", - "uniqueItems": true, - "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } - }, - "stewards": { - "type": "array", - "title": "Data Stewards", - "uniqueItems": true, - "description": "Data stewards are responsible for data content, context, and associated business rules.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } - }, - "owners": { - "type": "array", - "title": "Data Owners", - "uniqueItems": true, - "description": "Data owners are concerned with risk and appropriate access to data.", - "items": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" - } 
- } - } - }, - "dataGovernanceResponsibleParty": { - "type": "object", - "title": "Data Governance Responsible Party", - "description": "An organizational entity or individual responsible for a specific data governance role.", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Organization", - "description": "The organization that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "contact": { - "title": "Individual", - "description": "The individual that is responsible for specific data governance role(s).", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, + "description": "Classifies data by the level of protection it requires, either using a predefined classification level or a custom level not covered by the enumeration. Classification drives protection requirements such as access control, encryption, disclosure restrictions, and statutory handling obligations.", "oneOf": [ { - "required": [ - "organization" - ] + "type": "string", + "title": "Predefined Classification", + "description": "A predefined classification level from the enumeration.", + "enum": [ + "confidential", + "internal", + "public", + "restricted", + "classified" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection.", + "internal": "Internal use only within the organisation.", + "public": "Public information that can be freely shared.", + "restricted": "Highly restricted information with limited access and special protection measures.", + "classified": "Government or defence classified information subject to national security controls, clearance requirements, and statutory handling obligations." 
+ } }, { + "type": "object", + "title": "Custom Classification", + "description": "A custom classification level not covered by the predefined enumeration.", + "additionalProperties": false, "required": [ - "contact" - ] + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom classification level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of what this custom classification level means and the protections it implies." + } + } + } + ] + }, + "informationType": { + "title": "Information Type", + "description": "Identifies a type of information contained in the data, either using a predefined value from the enumeration or a custom name and description for types not covered by the enumeration. A single dataset can contain multiple information types and is captured as an array on the data profile.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Information Type", + "description": "A predefined information type from the enumeration.", + "enum": [ + "authentication", + "behavioral", + "biometric", + "communication", + "credentials", + "device", + "financial", + "genetic", + "intellectual-property", + "location", + "logs", + "operational", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "authentication": "Authentication data such as passwords, PINs, or security questions.", + "behavioral": "Behavioural data such as browsing history, usage patterns, or profiling data.", + "biometric": "Biometric data such as fingerprints, facial recognition, or voice patterns.", + "communication": "Communication content such as messages, emails, or call records.", + "credentials": "Secrets, tokens, or credentials.", + "device": "Device identifiers or hardware-level data.", + "financial": "Financial statements or transaction data.", + "genetic": "Genetic or genomic data.", + "intellectual-property": 
"Intellectual property or trade secrets.", + "location": "Precise or inferred geographic location data.", + "logs": "Operational or security log data.", + "operational": "Operational or process data.", + "pci": "Payment card industry data.", + "phi": "Protected health information.", + "pii": "Personally identifiable information.", + "safety": "Safety critical data or signals.", + "telemetry": "System or product telemetry data." + } + }, + { + "type": "object", + "title": "Custom Information Type", + "description": "A custom information type not covered by the predefined enumeration.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom information type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom information type and any handling implications it carries." + } + } } ] }, + "dataGovernance": { + "type": "array", + "title": "Data Governance", + "description": "Parties responsible for the data throughout its lifecycle. Each entry is either an inline party object or a reference to a previously declared party. The party's `roles` carry the governance relationship (`owner` for ownership and risk accountability, `steward` for content and business rules, `custodian` for safe custody, transport, and storage, `data-controller`, `data-processor`, `data-recipient`, or a custom role). Multiple parties may share the same role; preference among them is expressed via `role.order`.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + } + }, "dataFlowDirection": { "type": "string", "title": "Data Flow Direction", 
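Review bot: This hunk deletes the `dataSensitivity` and `dataGovernanceResponsibleParty` definitions, so any remaining `$ref` to `#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity` or `.../dataGovernanceResponsibleParty` elsewhere in the document would now be dangling; I cannot see the rest of the file, so this is worth a grep before merging. `dataClassification` also changes from a free-form string to an enum-or-object `oneOf`, which rejects previously valid custom strings unless they are rewritten as `{ "name": ... }`, and that migration is not mentioned in the description. In the new `informationType` enum, the `authentication` entry ("passwords, PINs, or security questions") and the `credentials` entry ("Secrets, tokens, or credentials") overlap, so two producers can tag the same field differently; the two `meta:enum` strings should state how they are distinguished, for example reserving `credentials` for machine secrets such as tokens and keys.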
@@ -6783,7 +7792,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified gaps in conformance with the requirement. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" } @@ -6836,7 +7845,7 @@ "target": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + "description": "Reference using bom-link or bom-ref to the target of the claim, such as a control, system, application, module, team, person, process, or business unit." }, "predicate": { "type": "string", @@ -6846,7 +7855,7 @@ "mitigationStrategies": { "type": "array", "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "description": "References using bom-link or bom-ref to the controls that mitigate identified weaknesses in the evidence supporting the claim. Each mitigation strategy should be substantiated by evidence.", "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" } @@ -7109,6 +8118,9 @@ }, "requirements": { "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirements" + }, + "businessObjectives": { + "$ref": "#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjectives" } } } 
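Review bot: The new `businessObjectives` property in the last hunk on this line points at `#/$defs/cyclonedx-business-objective-2.0/$defs/businessObjectives`, and that model is not visible in this chunk; if it is introduced by a different commit, this `$ref` resolves to nothing until then. Unlike the other property sites touched by this commit, neither `businessObjectives` nor its sibling `requirements` carries a `title` or `description` here, so a reader of this object sees only the reference path. A one-line description such as `"description": "The business objectives this document addresses."` would match the surrounding style. The enclosing object definition starts and ends outside the hunk.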
@@ -10587,6 +11599,26 @@ } } }, + "cyclonedx-profile-2.0": { + "type": "null", + "title": "CycloneDX Profile Model", + "$defs": { + "profiles": { + "type": "object", + "title": "Profiles", + "description": "A registry of reusable, named characterizations of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it. A profile is referenced by its bom-ref from the elements it characterizes, so a single profile can be reused by many subjects.", + "additionalProperties": false, + "properties": { + "dataProfiles": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfiles" + }, + "threatProfiles": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatProfiles" + } + } + } + } + }, "cyclonedx-release-notes-2.0": { "type": "null", "title": "CycloneDX Release Notes Model", @@ -10721,6 +11753,9 @@ "type": "object", "title": "Requirement", "description": "A requirement represents a specific need, constraint, or capability that must be met.", + "required": [ + "bom-ref" + ], "additionalProperties": false, "properties": { "bom-ref": { @@ -10775,7 +11810,8 @@ "description": "The individuals or groups who have an interest in the requirement.", "items": { "type": "string" - } + }, + "uniqueItems": true }, "acceptanceCriteria": { "type": "array", @@ -10783,7 +11819,8 @@ "description": "Criteria that must be met for the requirement to be considered satisfied.", "items": { "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion" - } + }, + "uniqueItems": true }, "dependencies": { "type": "array", 
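Review bot: In the new `cyclonedx-profile-2.0` model, the `dataProfiles` and `threatProfiles` properties have no `title` or `description` at this site, while the parent `profiles` description makes a specific claim that each profile is referenced by its `bom-ref`; whether the referenced `dataProfiles` and `threatProfiles` definitions actually require a `bom-ref` is not visible here and should be confirmed. Adding a short description on each property, for example `"description": "Reusable data profiles, each identified by a bom-ref."`, would let a reader verify the reuse claim without following the reference. The `"required": [ "bom-ref" ]` added to `requirement` in the next hunk is a breaking change for existing documents; the description should mention that a `bom-ref` is now mandatory.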
@@ -10791,12 +11828,13 @@ "description": "Other requirements that this requirement depends on.", "items": { "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/dependency" - } + }, + "uniqueItems": true }, "parent": { - "type": "string", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + "description": "Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements." }, "rationale": { "type": "string", @@ -10830,7 +11868,8 @@ "description": "Files or documents attached to the requirement.", "items": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - } + }, + "uniqueItems": true }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
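Review bot: Changing `parent` to `refLinkType` means a parent may now live in another document via bom-link, and the description still reads as if the hierarchy is local; it should say so, for example `"description": "Optional reference using bom-link or bom-ref to a parent requirement, which may reside in another document. Establishes a hierarchy of requirements."`. The schema cannot prevent a requirement from naming itself or forming a cycle through `parent`, so a consumer that walks the hierarchy needs a visited set or depth bound; noting that cycles are invalid in the description gives implementers something to validate against. The enclosing `requirement` definition starts outside this hunk.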
@@ -10977,57 +12016,111 @@ "description": "A description of the dependency relationship." } } + }, + "requirementAssertions": { + "type": "array", + "title": "Requirement Assertions", + "description": "A list of assertions describing how a component relates to specific requirements.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Requirement Assertion", + "description": "An assertion linking one or more requirements to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "requirementRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the requirement.", + "enum": [ + "conflicts", + "not-applicable", + "not-assessed", + "other", + "partially-satisfies", + "satisfies", + "violates" + ], + "meta:enum": { + "conflicts": "The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.", + "not-applicable": "The requirement does not pertain to this component. 
The evaluator has reviewed the requirement and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the requirement has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "partially-satisfies": "The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.", + "satisfies": "The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.", + "violates": "The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria." + } + }, + "requirementRefs": { + "type": "array", + "title": "Requirement References", + "description": "A list of BOM references linking to requirement objects defined in the BOM.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "Additional context or clarification regarding the assertion." 
+ } + } + } } } }, "cyclonedx-risk-2.0": { "type": "null", "title": "CycloneDX Risk Model", - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" - }, - "domains": { - "type": "array", - "description": "Risk domains covered by this assessment", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" - } - }, - "scenarios": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" - }, - "description": "Risk scenarios identified" - }, + "$defs": { "risks": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risk" - }, - "description": "Documented risks derived from scenarios" - }, - "mitigations": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" - }, - "description": "Controls, countermeasures, or mitigations to address identified risks" - }, - "assessments": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" - }, - "description": "Risk assessments and evaluations" + "type": "object", + "title": "Risks", + "description": "A collection of risks identified through risk analysis, together with the assessments that evaluate them. The model is framework-neutral and can document risk regardless of the risk management framework in use, including [ISO 31000](https://www.iso.org/iso-31000-risk-management.html), [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final), the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework), [COSO ERM](https://www.coso.org/), [ISO/IEC 27005](https://www.iso.org/standard/80585.html), and OCTAVE. 
It accommodates qualitative, semi-quantitative, and quantitative assessment, and each rating records the scoring methodology used, such as [FAIR](https://www.fairinstitute.org/), [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), DREAD, [FMEA](https://asq.org/quality-resources/fmea), NIST SP 800-30, or OCTAVE Allegro. Each risk separates inherent, residual, and target ratings so risk reduction is explicit.", + "additionalProperties": false, + "properties": { + "risks": { + "type": "array", + "title": "Risks", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risk" + }, + "description": "The documented risks identified through risk analysis." + }, + "assessments": { + "type": "array", + "title": "Assessments", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" + }, + "description": "Point-in-time risk assessment events, each evaluating one or more of the documented risks." + }, + "riskAppetites": { + "type": "array", + "title": "Risk Appetites", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAppetite" + }, + "description": "The risk appetites that apply to this collection. Multiple entries support a document covering more than one party." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - }, - "$defs": { "riskDomain": { "type": "object", "required": [ 
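Review bot: The `requirementRefs` description says the references link to "requirement objects defined in the BOM", but its `items` use `refLinkType`, which the rest of this commit describes as "bom-link or bom-ref", so cross-document references are allowed by the schema while the text denies them; align it with the sibling wording, for example `"description": "References using bom-link or bom-ref to the requirements this assertion concerns."`. The `riskAppetites` array points at `#/$defs/cyclonedx-risk-2.0/$defs/riskAppetite`, which is not visible in this chunk and should be confirmed to exist in the same commit. The name `requirementRefs` is also the only property in this hunk with a `Refs` suffix; `affects` and `relatedThreats` in the later hunk use plain nouns for the same kind of array.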
@@ -11036,95 +12129,160 @@ "additionalProperties": false, "properties": { "type": { - "type": "string", - "enum": [ - "security", - "privacy", - "operational", - "financial", - "compliance", - "strategic", - "reputational", - "safety", - "environmental", - "supply_chain", - "technical", - "project" - ], - "meta:enum": { - "security": "Information security and cybersecurity risks", - "privacy": "Data protection and privacy risks", - "operational": "Business operations and continuity risks", - "financial": "Financial loss and economic impact risks", - "compliance": "Regulatory and legal compliance risks", - "strategic": "Strategic business and market risks", - "reputational": "Brand and reputation damage risks", - "safety": "Human safety and physical security risks", - "environmental": "Environmental impact and sustainability risks", - "supply_chain": "Supply chain and third-party risks", - "technical": "Technical and technology risks", - "project": "Project delivery and execution risks" - } + "title": "Type", + "description": "The domain or category of risk. 
Use the custom option for domains specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Domain", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply-chain", + "technical", + "project", + "ethical", + "societal", + "human-rights", + "health", + "legal" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks.", + "privacy": "Data protection and privacy risks.", + "operational": "Business operations and continuity risks.", + "financial": "Financial loss and economic impact risks.", + "compliance": "Regulatory and legal compliance risks.", + "strategic": "Strategic business and market risks.", + "reputational": "Brand and reputation damage risks.", + "safety": "Human safety and physical security risks.", + "environmental": "Environmental impact and sustainability risks.", + "supply-chain": "Supply chain and third-party risks.", + "technical": "Technical and technology risks.", + "project": "Project delivery and execution risks.", + "ethical": "Ethical risks, including the responsible use of automated decision-making and artificial intelligence.", + "societal": "Risks to society, communities, or democratic and civic processes.", + "human-rights": "Risks to fundamental human rights, including discrimination and loss of autonomy.", + "health": "Risks to physical or mental health and wellbeing.", + "legal": "Legal exposure, including liability and contractual risks." + } + }, + { + "title": "Custom Risk Domain", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk domain." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk domain." 
+ } + } + } + ] }, "priority": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" }, "description": { "type": "string", - "description": "Additional context for this risk domain" + "description": "Additional context for this risk domain." } } }, "riskAttribute": { - "type": "string", - "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", - "enum": [ - "accountability", - "authentication", - "authorization", - "authenticity", - "availability", - "compliance", - "confidentiality", - "connectivity", - "control", - "data_subject_rights", - "integrity", - "minimisation", - "non-repudiation", - "possession", - "privacy", - "purpose_limitation", - "transparency", - "utility" - ], - "meta:enum": { - "accountability": "Assigning responsibility for actions and decisions to individuals or entities", - "authentication": "Verifying the identity of users, devices, or systems before granting access", - "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", - "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", - "availability": "Ensuring systems, data, and services are accessible and operational when needed", - "compliance": "Adherence to applicable laws, regulations, policies, and standards", - "confidentiality": "Preventing unauthorised access to or disclosure of information", - "connectivity": "Maintaining secure and reliable communication between systems or components", - "control": "Enabling individuals to manage how their personal data is used and shared", - "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", - "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", - "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", - 
"non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", - "possession": "Ensuring control or custody over data or assets, regardless of ownership", - "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", - "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", - "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", - "utility": "Ensuring data is usable and in a format suitable for the intended purpose" - } - }, - "scenario": { + "title": "Risk Attribute", + "description": "A security or privacy attribute representing a potential impact area when a risk is realized. Use the custom option for attributes specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Risk Attribute", + "type": "string", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data-subject-rights", + "integrity", + "minimization", + "non-repudiation", + "possession", + "privacy", + "purpose-limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities.", + "authentication": "Verifying the identity of users, devices, or systems before granting access.", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources.", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified.", + "availability": "Ensuring systems, data, and services are accessible and operational when needed.", + "compliance": "Adherence to applicable laws, regulations, policies, and standards.", + "confidentiality": "Preventing unauthorized access to or 
disclosure of information.", + "connectivity": "Maintaining secure and reliable communication between systems or components.", + "control": "Enabling individuals to manage how their personal data is used and shared.", + "data-subject-rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data.", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorized actors.", + "minimization": "Limiting data collection and retention to what is strictly necessary for the intended purpose.", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications.", + "possession": "Ensuring control or custody over data or assets, regardless of ownership.", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards.", + "purpose-limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection.", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing.", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose." + } + }, + { + "title": "Custom Risk Attribute", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk attribute." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk attribute." + } + } + } + ] + }, + "risk": { "type": "object", "required": [ "bom-ref", "name", - "type" + "statement" ], "additionalProperties": false, "properties": { 
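Review bot: The `riskAttribute` enum renames `data_subject_rights`, `minimisation` and `purpose_limitation` to `data-subject-rights`, `minimization` and `purpose-limitation`, and `riskDomain` renames `supply_chain` to `supply-chain`; the threat model carries a parallel attribute vocabulary, and if it is not renamed in the same commit the two enums now disagree, so tools that map threats to risks would have to translate spellings. These renames also invalidate existing documents that used the old values, which the descriptions do not mention. The hunk removes the `scenario` definition entirely, so any surviving `$ref` to `#/$defs/cyclonedx-risk-2.0/$defs/scenario` elsewhere in the file would be dangling; I cannot see the rest of the file, so this needs a grep before merging. The `risk` definition's required list continues into the next hunk, which is cut off at the end of this view.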
@@ -11133,203 +12291,208 @@ }, "name": { "type": "string", - "description": "Name of the risk scenario" + "description": "A human-readable name for the risk." }, - "description": { + "statement": { "type": "string", - "description": "Detailed description of the scenario" + "description": "Structured risk statement describing source, event, and impact." }, - "type": { + "description": { "type": "string", - "enum": [ - "threat", - "vulnerability", - "weakness", - "risk", - "incident", - "opportunity", - "hazard" - ], - "meta:enum": { - "threat": "Threat scenario", - "vulnerability": "Exploitable vulnerability", - "weakness": "System or design weakness", - "risk": "General risk scenario", - "incident": "Potential incident scenario", - "opportunity": "Positive risk (opportunity)", - "hazard": "Safety hazard scenario" - } + "description": "Additional narrative about the risk." }, - "domain": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" - }, - "likelihood": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" - }, - "impact": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" - }, - "riskScore": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" - }, - "riskAttributes": { + "domains": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "description": "Risk attributes affected by this scenario" + "description": "The risk domains this risk affects." }, - "affectedAssets": { + "affects": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to affected assets" + "description": "References using bom-link or bom-ref to the subjects this risk concerns. 
A subject may be a component, service, dataset, or model, or a party such as a person, persona, or organization, including a group at risk of being systematically disadvantaged." }, - "mitigations": { + "relatedThreats": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to mitigations that address this scenario" + "description": "References using bom-link or bom-ref to the threats or threat scenarios from a threat model that inform this risk. A reference may point to a discrete threat or to a threat scenario." }, - "externalReferences": { + "relatedVulnerabilities": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities that inform this risk." 
}, - "compliance": { + "relatedWeaknesses": { "type": "array", + "uniqueItems": true, "items": { - "type": "object", - "required": [ - "framework", - "controlId" - ], - "additionalProperties": false, - "properties": { - "framework": { - "type": "string", - "description": "Name of the compliance program or framework" - }, - "controlId": { - "type": "string", - "description": "Identifier of the control within the framework" - }, - "reference": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference", - "description": "Link or citation to the requirement or control documentation" - }, - "description": { - "type": "string", - "description": "Optional notes describing the mapping" - } - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Compliance frameworks and control references this mitigation supports" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "risk": { - "type": "object", - "required": [ - "bom-ref", - "name", - "statement" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "name": { - "type": "string", - "description": "Name or identifier for the risk" - }, - "statement": { - "type": "string", - "description": "Structured risk statement describing source, event, and impact" - }, - "description": { - "type": "string", - "description": "Additional narrative about the risk" + "description": "References using bom-link or bom-ref to the weaknesses that inform this risk." 
}, - "domains": { + "relatedRequirements": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Risk domains impacted" + "description": "References using bom-link or bom-ref to the requirements whose absence or non-conformance gives rise to this risk, such as a requirement that is unmet or only partially met." }, - "scenarios": { + "relatedStandards": { "type": "array", - "minItems": 1, + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to scenarios this risk addresses" - }, - "likelihood": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" - }, - "impact": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" - }, - "riskScore": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + "description": "References using bom-link or bom-ref to the standards whose non-conformance gives rise to this risk." }, - "riskAttributes": { + "relatedClaims": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the conformance claims that give rise to this risk, such as a [CycloneDX Attestations](https://cyclonedx.org/capabilities/attestations/) claim recording that a requirement is unmet or only partially met. The degree of conformance is carried by the claim, not by the risk." 
}, - "responses": { + "relatedBusinessObjectives": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskResponse" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Risk responses or mitigation plans applied to this risk" + "description": "References using bom-link or bom-ref to the business objectives this risk threatens." }, - "relatedThreats": { + "inherentRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The assessed risk before any responses are applied." + }, + "residualRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The assessed risk remaining after responses are applied." + }, + "targetRisk": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/rating", + "description": "The risk level the organization aims to reach for this risk. The overall risk appetite is recorded separately on the risks collection or assessment." + }, + "responses": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskResponse" }, - "description": "Related threat scenarios informing this risk" + "description": "The responses applied to this risk." }, "status": { - "type": "string", - "enum": [ - "identified", - "assessed", - "mitigated", - "accepted", - "transferred", - "retired" - ], - "meta:enum": { - "identified": "Risk has been identified but not yet evaluated", - "assessed": "Risk has been assessed and prioritized", - "mitigated": "Mitigations are in place reducing this risk", - "accepted": "Risk has been formally accepted", - "transferred": "Risk has been transferred to another party", - "retired": "Risk no longer applies" - } + "title": "Status", + "description": "The lifecycle status of the risk. 
Use the custom option for a status specific to an organization's risk process.", + "oneOf": [ + { + "title": "Predefined Risk Status", + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated.", + "assessed": "Risk has been assessed and prioritized.", + "mitigated": "Responses are in place reducing this risk.", + "accepted": "Risk has been formally accepted.", + "transferred": "Risk has been transferred to another party.", + "retired": "Risk no longer applies." + } + }, + { + "title": "Custom Risk Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." + } + } + } + ] }, "owner": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Owner or accountable party for this risk" + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for this risk. May be an inline party object or a reference to a previously declared party. The party's `roles` should include `owner`." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, + "rating": { + "type": "object", + "title": "Rating", + "description": "A methodology-neutral assessment of risk along likelihood and impact, with an overall score. The same shape expresses inherent, residual, and target risk so reductions can be compared. A rating can be qualitative (a `level`), semi-quantitative (a numeric `score` on a bounded scale), or quantitative (for example a probable monetary loss under [FAIR](https://www.fairinstitute.org/)). 
For a catalogue of assessment techniques, see [IEC 31010](https://www.iso.org/standard/72140.html).", + "additionalProperties": false, + "properties": { + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "score": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "detectability": { + "type": "object", + "title": "Detectability", + "additionalProperties": false, + "description": "The ease or likelihood of detecting the event before or as it is realized, used as a third axis by methodologies such as [FMEA](https://asq.org/quality-resources/fmea), whose risk priority number multiplies severity, occurrence, and detection.", + "properties": { + "score": { + "type": "number", + "minimum": 0, + "description": "The detection value on the scale defined by the methodology. For FMEA, a higher value indicates that the event is harder to detect and therefore riskier." + }, + "description": { + "type": "string", + "description": "A narrative explanation of the detectability assessment." + } + } + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "Confidence in this rating, expressed as a decimal from 0 to 1, where 1 is full confidence. Supports quantitative methods that reason over uncertainty." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The justification for this rating, including the method and the evidence considered." + } + } + }, "likelihood": { "type": "object", "required": [ 
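Review bot: `rating.score` references riskScore, which still lists `level` in its `required` array, so a purely quantitative rating (the FAIR probable-loss example given in the `rating` description) cannot carry a score without also inventing a qualitative level. Either drop `level` from riskScore's `required`, or state in the `rating` description that every score must be accompanied by a qualitative level. Separately, `rating` has no `required` and no `minProperties`, so `{}` validates as an inherent, residual or target risk; `"minProperties": 1` would reject empty ratings. The `domains` array also lacks the `"uniqueItems": true` that every other reference array in this hunk carries.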
@@ -11342,51 +12505,65 @@
 "title": "Level",
 "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.",
 "enum": [
- "certain",
- "high",
+ "very-low",
 "low",
 "medium",
- "veryHigh",
- "veryLow"
+ "high",
+ "very-high",
+ "certain"
 ],
 "meta:enum": {
- "certain": "Almost certain to occur (> 90% probability).",
- "high": "Likely to occur (60-90% probability).",
- "low": "Unlikely to occur (10-30% probability).",
- "medium": "Possible to occur (30-60% probability).",
- "veryHigh": "Very likely to occur (75-90% probability).",
- "veryLow": "Very unlikely to occur (< 10% probability)."
+ "very-low": "Very unlikely to occur (less than 10% probability).",
+ "low": "Unlikely to occur (10 to 30% probability).",
+ "medium": "Possible to occur (30 to 60% probability).",
+ "high": "Likely to occur (60 to 85% probability).",
+ "very-high": "Very likely to occur (85 to 99% probability).",
+ "certain": "Almost certain to occur (greater than 99% probability)."
 }
 },
 "score": {
 "type": "number",
 "minimum": 0,
- "maximum": 5,
- "description": "Numeric likelihood score"
+ "description": "Numeric likelihood score on the scale defined by the methodology."
 },
 "probability": {
 "type": "number",
 "minimum": 0,
 "maximum": 1,
- "description": "Probability as a decimal (0-1)"
+ "description": "Probability as a decimal from 0 to 1."
+ },
+ "frequency": {
+ "type": "number",
+ "minimum": 0,
+ "title": "Frequency",
+ "description": "The expected number of events within the timeframe, for frequency-based methods such as the [FAIR](https://www.fairinstitute.org/) loss event frequency. Unlike a probability, a frequency may exceed 1."
+ },
+ "timeframe": {
+ "type": "string",
+ "title": "Timeframe",
+ "description": "The period over which the probability or frequency is assessed, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year."
+ },
+ "range": {
+ "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange",
+ "description": "A range for the probability or frequency, supporting quantitative methods that reason over distributions."
 },
 "factors": {
 "type": "array",
 "items": {
 "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"
 },
- "description": "Factors considered when determining the likelihood level"
+ "description": "The factors considered when determining the likelihood level."
 },
 "rationale": {
 "type": "string",
- "description": "Justification for the likelihood rating"
+ "description": "The justification for the likelihood rating."
 }
 }
 },
 "likelihoodFactor": {
 "type": "object",
 "title": "Likelihood Factor",
- "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.",
+ "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment. It is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.",
 "required": [
 "name",
 "type"
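Review bot: `timeframe` is documented as an ISO 8601 duration but is an unconstrained string, while `downtime` and `recovery` in impactQuantification validate the same format with a pattern; add the same `"pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$"` so that `P1Y` is checked and free text is rejected. Nothing ties `probability`, `frequency` and `range` together, so a document may state a probability and a frequency that disagree; if one is meant to be authoritative, say which in the descriptions. The enclosing likelihood definition starts before this hunk.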
@@ -11405,29 +12582,34 @@
 "oneOf": [
 {
 "title": "Predefined Likelihood Factor Type",
- "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.",
+ "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.",
 "type": "string",
- "additionalProperties": false,
 "enum": [
- "attackVector",
- "controlEffectiveness",
- "exploitMaturity",
+ "attack-vector",
+ "contact-frequency",
+ "control-effectiveness",
+ "detectability",
+ "discoverability",
+ "exploit-maturity",
 "exposure",
 "motivation",
 "opportunity",
- "other",
- "threatCapability",
+ "targeting",
+ "threat-capability",
 "vulnerability"
 ],
 "meta:enum": {
- "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.",
- "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.",
- "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.",
+ "attack-vector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.",
+ "contact-frequency": "How often the threat actor comes into contact with the target asset, independent of any intent to act. Aligns with the FAIR contact frequency factor.",
+ "control-effectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation. Corresponds to resistance strength in FAIR.",
+ "detectability": "Likelihood that the activity is detected before the risk is realized. Lower detectability increases the chance of a successful action. Aligns with the OWASP Risk Rating intrusion detection factor and the FMEA detection axis.",
+ "discoverability": "Ease with which the weakness or opportunity can be found by a potential actor. Aligns with the OWASP Risk Rating ease of discovery factor.",
+ "exploit-maturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.",
 "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.",
 "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.",
 "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.",
- "other": "A likelihood factor type not defined by the CycloneDX standard. Use the custom type option for factors specific to an organization's risk methodology.",
- "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.",
+ "targeting": "Degree to which the threat actor specifically selects this asset or organization rather than acting opportunistically. Aligns with the NIST SP 800-30 targeting factor.",
+ "threat-capability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.",
 "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."
 }
 },
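Review bot: The `detectability` meta:enum defines the factor as the likelihood of being detected, while the factor's `level` (described in the next hunk) rates how much the factor contributes to likelihood, so a reader cannot tell whether a `high` detectability factor means the activity is easily detected or hard to detect; the sibling `rating.detectability.score` earlier in this commit is documented with a higher value meaning harder to detect. If the factor follows the level semantics, state the direction explicitly, for example by appending `Rate this factor by its contribution to likelihood: a high rating means the activity is unlikely to be detected.` to the `detectability` description. The `oneOf` closes outside the hunk with the custom type option that replaces the removed `other` value.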
@@ -11460,28 +12642,27 @@
 "title": "Level",
 "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.",
 "enum": [
- "certain",
- "high",
+ "very-low",
 "low",
 "medium",
- "veryHigh",
- "veryLow"
+ "high",
+ "very-high",
+ "certain"
 ],
 "meta:enum": {
- "certain": "This factor almost certainly contributes to risk realization (> 90% influence).",
- "high": "This factor strongly contributes to risk realization (60-90% influence).",
- "low": "This factor has limited contribution to risk realization (10-30% influence).",
- "medium": "This factor moderately contributes to risk realization (30-60% influence).",
- "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).",
- "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)."
+ "very-low": "This factor has minimal contribution to risk realization (less than 10% influence).",
+ "low": "This factor has limited contribution to risk realization (10 to 30% influence).",
+ "medium": "This factor moderately contributes to risk realization (30 to 60% influence).",
+ "high": "This factor strongly contributes to risk realization (60 to 85% influence).",
+ "very-high": "This factor very strongly contributes to risk realization (85 to 99% influence).",
+ "certain": "This factor almost certainly contributes to risk realization (greater than 99% influence)."
 }
 },
 "score": {
 "type": "number",
 "title": "Score",
- "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.",
- "minimum": 0,
- "maximum": 5
+ "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to likelihood.",
+ "minimum": 0
 },
 "weight": {
 "type": "number",
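Review bot: Dropping `"maximum": 5` from the factor `score` makes the value interpretable only with knowledge of the methodology, yet likelihoodFactor itself carries no reference to a methodology or scale; presumably the `methodology` recorded on the associated riskScore is meant to govern it, but the description does not say so. Suggest either naming that source in the description, e.g. `... on the scale defined by the methodology recorded in the associated risk score, ...`, or giving the factor an optional upper-bound property so consumers can normalise factors that come from different scales. The `weight` property continues outside the hunk.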
@@ -11516,103 +12697,250 @@ "major", "catastrophic" ], - "description": "Impact severity level", + "description": "The qualitative impact severity level.", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences.", + "low": "Minor impact with limited consequences.", + "moderate": "Moderate impact affecting some operations.", + "major": "Significant impact with serious consequences.", + "catastrophic": "Catastrophic impact with existential consequences." + } + }, + "polarity": { + "type": "string", + "title": "Polarity", + "description": "Whether the impact represents a harm or a benefit. Benefits support modeling opportunities and positive risk.", + "enum": [ + "harm", + "benefit" + ], "meta:enum": { - "negligible": "Minimal impact with no significant consequences", - "low": "Minor impact with limited consequences", - "moderate": "Moderate impact affecting some operations", - "major": "Significant impact with serious consequences", - "catastrophic": "Catastrophic impact with existential consequences" + "harm": "A negative impact or downside.", + "benefit": "A positive impact or upside." } }, "score": { "type": "number", "minimum": 0, - "maximum": 10, - "description": "Numeric impact score" + "description": "Numeric impact score on the scale defined by the methodology." 
}, "categories": { "type": "array", + "uniqueItems": true, "items": { - "type": "string", - "enum": [ - "confidentiality", - "integrity", - "availability", - "financial", - "reputation", - "regulatory", - "safety", - "privacy", - "operational", - "strategic" - ], - "meta:enum": { - "confidentiality": "Impact on data confidentiality", - "integrity": "Impact on data or system integrity", - "availability": "Impact on service availability", - "financial": "Financial loss or impact", - "reputation": "Reputational damage", - "regulatory": "Regulatory compliance impact", - "safety": "Human safety impact", - "privacy": "Privacy violation impact", - "operational": "Operational disruption", - "strategic": "Strategic business impact" - } + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactCategory" + }, + "description": "The categories of impact, including harms relevant to AI and societal risk." + }, + "factors": { + "type": "array", + "title": "Factors", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactFactor" }, - "description": "Categories of impact" + "description": "The factors considered when determining the impact, allowing methodologies that derive impact from multiple weighted dimensions to record the breakdown." + }, + "range": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange", + "description": "A range for the impact score, supporting quantitative methods that reason over distributions." }, "riskAttributes": { "type": "array", "items": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" }, - "description": "Risk attributes affected" + "description": "The risk attributes affected." }, "quantification": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification" }, "description": { "type": "string", - "description": "Description of the potential impact" + "description": "A description of the potential impact." 
} } }, - "impactQuantification": { + "impactCategory": { + "title": "Impact Category", + "description": "A category of impact, including harms relevant to AI and societal risk. Use the custom option for categories specific to an organization's risk taxonomy.", + "oneOf": [ + { + "title": "Predefined Impact Category", + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic", + "bias", + "discrimination", + "fairness", + "human-rights", + "environmental", + "societal", + "psychological", + "physical", + "health" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality.", + "integrity": "Impact on data or system integrity.", + "availability": "Impact on service availability.", + "financial": "Financial loss or impact.", + "reputation": "Reputational damage.", + "regulatory": "Regulatory compliance impact.", + "safety": "Human safety impact.", + "privacy": "Privacy violation impact.", + "operational": "Operational disruption.", + "strategic": "Strategic business impact.", + "bias": "Systematic bias in automated outputs or decisions.", + "discrimination": "Unfair treatment of individuals or groups, including on the basis of protected attributes.", + "fairness": "Impact on the fair and equitable treatment of affected groups.", + "human-rights": "Impact on fundamental human rights, including autonomy and dignity.", + "environmental": "Environmental impact, including energy use and carbon emissions.", + "societal": "Impact on society, communities, or civic processes.", + "psychological": "Psychological or emotional harm.", + "physical": "Physical harm to people or property.", + "health": "Impact on physical or mental health." 
+ } + }, + { + "title": "Custom Impact Category", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom impact category." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom impact category." + } + } + } + ] + }, + "impactFactor": { "type": "object", + "title": "Impact Factor", + "description": "An individual contributing factor used to determine the overall impact of a risk or scenario. Methodologies such as OWASP Risk Rating, DREAD, and OCTAVE Allegro derive impact from several weighted dimensions, and each factor captures one dimension with its own rating.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { - "financialLoss": { - "type": "number", - "description": "Estimated financial loss in currency units" - }, - "currency": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the impact factor being evaluated, such as 'Financial damage' or 'Reputation damage'." + }, + "category": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactCategory", + "description": "The impact dimension this factor measures." + }, + "score": { + "type": "number", + "minimum": 0, + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on the scale defined by the methodology, where a higher value indicates a greater contribution to impact." + }, + "weight": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Weight", + "description": "The relative importance of this factor in the overall impact calculation, expressed as a decimal from 0 to 1. OCTAVE Allegro, for example, ranks impact areas and multiplies the ranking by the factor value." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated and how it contributes to the overall impact assessment." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "estimateRange": { + "type": "object", + "title": "Estimate Range", + "description": "A three-point estimate, supporting quantitative methods such as FAIR that reason over distributions rather than single values.", + "additionalProperties": false, + "properties": { + "minimum": { + "type": "number", + "description": "The minimum, or lower bound, estimate." + }, + "mostLikely": { + "type": "number", + "description": "The most likely estimate." + }, + "maximum": { + "type": "number", + "description": "The maximum, or upper bound, estimate." + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": { + "type": "number", + "description": "The estimated financial loss, in the units given by currency." + }, + "currency": { "type": "string", "pattern": "^[A-Z]{3}$", - "description": "ISO 4217 currency code" + "description": "The currency of the financial values, as an [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) code." }, "affectedUsers": { "type": "integer", - "description": "Number of affected users" + "description": "The number of affected users." }, "downtime": { "type": "string", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", - "description": "Expected downtime as ISO 8601 duration" + "description": "The expected downtime, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." }, "dataRecords": { "type": "integer", - "description": "Number of data records affected" + "description": "The number of data records affected." 
}, "recovery": { "type": "string", "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", - "description": "Recovery time as ISO 8601 duration" + "description": "The recovery time, as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration." + }, + "financialLossRange": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/estimateRange", + "description": "A distribution of estimated financial loss, supporting quantitative methods such as FAIR that reason over ranges." + }, + "affectedGroups": { + "type": "integer", + "minimum": 0, + "description": "The number of distinct groups or populations affected." } } }, "riskScore": { "type": "object", + "title": "Risk Score", + "description": "The overall risk score, expressed as a qualitative `level`, a numeric `score`, or both, with `vector` and `methodology` recording how it was derived. The scale of `score` is defined by the methodology, since rating systems differ. For example, [OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) averages factors from 0 to 9, [DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) averages five 1 to 10 ratings, [FMEA](https://asq.org/quality-resources/fmea) multiplies three 1 to 10 axes into a 1 to 1000 risk priority number, and [FAIR](https://www.fairinstitute.org/) expresses probable loss in monetary terms.", "required": [ "level" ], 
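Review bot: `affectedUsers` and `dataRecords` in impactQuantification remain unbounded integers while the new `affectedGroups` sibling gets `"minimum": 0`; add `"minimum": 0` to both so negative counts are rejected consistently. `estimateRange` has no `required` and no `minProperties`, so `{}` is a valid range for probability, frequency, impact and financial loss; `"minProperties": 1`, or requiring `mostLikely`, would give every range some content. The ordering minimum ≤ mostLikely ≤ maximum cannot be expressed in JSON Schema and is worth stating in the `estimateRange` description so validators downstream know to check it. The impact definition's `level` enum begins before this hunk.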
@@ -11627,128 +12955,134 @@ "high", "critical" ], - "description": "Overall risk level", + "description": "The overall qualitative risk level.", "meta:enum": { - "info": "Informational - no immediate action required", - "low": "Low risk - monitor and address in normal cycle", - "medium": "Medium risk - plan mitigation activities", - "high": "High risk - prioritize mitigation efforts", - "critical": "Critical risk - immediate action required" + "info": "Informational.", + "low": "Low risk.", + "medium": "Medium risk.", + "high": "High risk.", + "critical": "Critical risk." } }, "score": { "type": "number", - "minimum": 1, - "description": "Numeric risk score" + "minimum": 0, + "description": "Numeric risk score on the scale defined by the methodology." }, "vector": { "type": "string", - "description": "Risk scoring vector (e.g., L:H/I:M)" + "description": "A textual representation of the metric values used to derive the score, in the format defined by the methodology." }, "methodology": { - "type": "string", - "description": "Risk scoring methodology used" + "title": "Methodology", + "description": "The risk rating methodology used to derive this score. Only methodologies that define a scoring calculation are listed; governance frameworks such as [ISO 31000](https://www.iso.org/iso-31000-risk-management.html) are recorded as standards rather than as a score methodology. 
Use the custom option for methodologies not listed.", + "oneOf": [ + { + "title": "Predefined Risk Methodology", + "type": "string", + "enum": [ + "dread", + "fair", + "fmea", + "nist-sp-800-30", + "octave", + "owasp-risk-rating", + "qualitative-matrix" + ], + "meta:enum": { + "dread": "[DREAD](https://en.wikipedia.org/wiki/DREAD_%28risk_assessment_model%29) risk rating model, the average of five ratings (damage, reproducibility, exploitability, affected users, discoverability) each scored 1 to 10.", + "fair": "[Factor Analysis of Information Risk (FAIR)](https://www.fairinstitute.org/), a quantitative methodology expressing risk as loss event frequency multiplied by loss magnitude.", + "fmea": "[Failure Mode and Effects Analysis (FMEA)](https://asq.org/quality-resources/fmea), using a risk priority number of severity multiplied by occurrence multiplied by detection.", + "nist-sp-800-30": "[NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final) guide for conducting risk assessments, using its exemplary likelihood and impact scales.", + "octave": "[OCTAVE Allegro](https://www.sei.cmu.edu/documents/786/2007_005_001_14885.pdf), using its relative risk score.", + "owasp-risk-rating": "[OWASP Risk Rating](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology), averaging likelihood and impact factors each scored 0 to 9.", + "qualitative-matrix": "A qualitative risk matrix that derives a risk level by plotting a likelihood band against an impact band, such as a five by five matrix producing a score from 1 to 25." + } + }, + { + "title": "Custom Risk Methodology", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom risk methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom risk methodology." 
+ } + } + } + ] } } }, "riskResponse": { "type": "object", + "title": "Risk Response", + "description": "An action taken to modify a risk, pairing the chosen strategy with the controls that implement it. Covers the full set of dispositions, from avoiding or reducing a risk to accepting it or, for a positive risk, pursuing it.", "required": [ "bom-ref", - "mitigations", - "mitigationPlan" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "mitigations": { - "type": "array", - "minItems": 1, - "items": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" - }, - "description": "Mitigations applied to this risk response" - }, - "mitigationPlan": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan" - } - } - }, - "mitigation": { - "type": "object", - "required": [ - "bom-ref", - "reference" + "strategy" ], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" - }, - "reference": { - "description": "Reference to a mitigation/control implementing the response.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "description": "An identifier which can be used to reference this response elsewhere using a bom-ref or bom-link." 
}, "strategy": { "type": "string", + "title": "Strategy", + "description": "The disposition chosen for the risk.", "enum": [ - "prevent", - "detect", - "respond", - "recover" + "avoid", + "reduce", + "transfer", + "accept", + "exploit", + "enhance" ], "meta:enum": { - "prevent": "Prevents the risk from occurring", - "detect": "Detects when the risk occurs", - "respond": "Responds to the risk when detected", - "recover": "Recovers from the impact" + "avoid": "Eliminate the risk by removing its source or not proceeding with the activity.", + "reduce": "Lower the likelihood or impact of the risk through controls.", + "transfer": "Shift the risk to another party, for example through insurance or contract.", + "accept": "Take no further action and retain the risk.", + "exploit": "Pursue an opportunity so that a positive risk occurs.", + "enhance": "Increase the likelihood or benefit of a positive risk." } }, - "type": { + "description": { "type": "string", - "enum": [ - "control", - "countermeasure", - "procedure", - "removal" - ], - "meta:enum": { - "control": "Protective, preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "procedure": "Documented procedure", - "removal": "Removing a risky component or asset" - } + "title": "Description", + "description": "A description of the response." 
}, - "status": { - "type": "string", - "enum": [ - "proposed", - "approved", - "planned", - "inProgress", - "implemented", - "verified" - ], - "meta:enum": { - "proposed": "Mitigation has been proposed", - "approved": "Mitigation has been approved", - "planned": "Implementation is planned", - "inProgress": "Implementation is in progress", - "implemented": "Mitigation has been implemented", - "verified": "Effectiveness has been verified" - } + "controls": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that implement this response." }, - "priority": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + "status": { + "title": "Status", + "description": "The implementation status of the response.", + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/implementationStatus" }, "effectiveness": { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/effectiveness" + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/effectiveness" }, "cost": { "type": "string", + "title": "Cost", "enum": [ "trivial", "low", 
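Review bot: A `riskResponse` with `strategy` set to `reduce` is schema-valid with no `controls` at all, and even `"controls": []` passes because the array has `uniqueItems` but no `minItems`, which contradicts the object's own description of "pairing the chosen strategy with the controls that implement it". At minimum add `"minItems": 1` to `controls` so an empty list cannot stand in for an implemented response, and consider a 2020-12 conditional such as `"if": { "properties": { "strategy": { "const": "reduce" } }, "required": [ "strategy" ] }, "then": { "required": [ "controls" ] }` so a reduction with nothing implementing it is rejected rather than silently accepted. The `riskResponse` definition continues into the next hunk, so the conditional would sit alongside the properties shown there.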
@@ -11757,26 +13091,33 @@ "extreme" ], "meta:enum": { - "trivial": "Minimal cost and effort", - "low": "Low cost and effort", - "medium": "Moderate cost and effort", - "high": "High cost and significant effort", - "extreme": "Extreme cost and major effort" + "trivial": "Minimal cost and effort.", + "low": "Low cost and effort.", + "medium": "Moderate cost and effort.", + "high": "High cost and significant effort.", + "extreme": "Extreme cost and major effort." } }, - "addresses": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References to scenarios this plan addresses" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" }, - "implementedBy": { + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for this response. May be an inline party object or a reference to a previously declared party." + }, + "targetDate": { + "type": "string", + "format": "date-time", + "title": "Target Date", + "description": "The date by which this response is targeted to be implemented." + }, + "addresses": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to assets that implement this plan" + "description": "References using bom-link or bom-ref to the items this response addresses, such as a threat, vulnerability, weakness, or another risk." }, "externalReferences": { "type": "array", 
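Review bot: `owner` is optional for every strategy, so an `accept` response can be recorded with no accountable party, which is the one case where risk-governance practice most consistently demands a named owner. The `targetDate` description ("the date by which this response is targeted to be implemented") also does not fit `accept` or `transfer`, where the date a consumer needs is when the disposition expires or must be re-reviewed; as written there is no way to express a time-boxed acceptance. Consider requiring `owner` when `strategy` is `accept` via an `if`/`then` on the enclosing object, and rewording the description to `"The date by which this response is targeted to be implemented or, for an accepted or transferred risk, when the disposition is due for review."`. The `riskResponse` object begins in the previous hunk.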
@@ -11789,162 +13130,216 @@ } } }, - "mitigationPlan": { + "assessment": { "type": "object", "required": [ - "name", + "bom-ref", "type", - "status", - "mitigations" + "cadence", + "timestamp" ], "additionalProperties": false, "properties": { - "name": { - "type": "string", - "description": "Name of the mitigation plan" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "description": { + "name": { "type": "string", - "description": "Description of what the plan covers" + "title": "Name", + "description": "A human-readable name for the assessment." }, "type": { - "type": "string", - "enum": [ - "avoid", - "reduce", - "transfer", - "accept", - "control", - "countermeasure", - "safeguard", - "practice", - "procedure" - ], - "meta:enum": { - "avoid": "Avoid the risk entirely", - "reduce": "Reduce likelihood or impact", - "transfer": "Transfer risk to another party", - "accept": "Accept the risk", - "control": "Protective, preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "safeguard": "Safeguards mitigating adverse events", - "practice": "Operational or governance practice", - "procedure": "Documented procedure" - } - }, - "status": { - "type": "string", - "enum": [ - "proposed", - "approved", - "planned", - "inProgress", - "implemented", - "verified" - ], - "meta:enum": { - "proposed": "Mitigation has been proposed", - "approved": "Mitigation has been approved", - "planned": "Implementation is planned", - "inProgress": "Implementation is in progress", - "implemented": "Mitigation has been implemented", - "verified": "Effectiveness has been verified" - } - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "mitigations": { "type": "array", + "title": "Type", "minItems": 1, + "uniqueItems": true, + "description": "The kinds of assessment 
performed, given as one or more named exercises or instruments. The type classifies the assessment exercise; the domains of risk evaluated are carried by the referenced risks rather than restated here. Use the custom option for kinds specific to an organization's process.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "List of mitigation bom-refs chosen for this plan" - } - } - }, - "effectiveness": { - "type": "object", - "additionalProperties": false, - "properties": { - "percentage": { - "type": "number", - "minimum": 0, - "maximum": 1, - "description": "Effectiveness as decimal" - }, - "rating": { - "type": "string", - "enum": [ - "ineffective", - "marginal", - "adequate", - "good", - "excellent" - ], - "meta:enum": { - "ineffective": "Does not meaningfully reduce risk", - "marginal": "Slightly reduces risk", - "adequate": "Adequately reduces risk", - "good": "Significantly reduces risk", - "excellent": "Nearly eliminates risk" + "oneOf": [ + { + "title": "Predefined Assessment Type", + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "safety", + "financial", + "environmental", + "supply-chain", + "compliance", + "data-protection-impact", + "fundamental-rights-impact", + "ai-impact", + "business-impact", + "third-party", + "threat", + "vulnerability", + "model-risk", + "fraud" + ], + "meta:enum": { + "security": "Security risk assessment, evaluating threats to the confidentiality, integrity, and availability of a subject.", + "privacy": "Privacy risk assessment, evaluating risks to individuals arising from the processing of personal data.", + "operational": "Operational risk assessment, evaluating risks to ongoing operations and continuity.", + "safety": "Safety risk assessment, evaluating risks of harm to people or property.", + "financial": "Financial risk assessment, evaluating exposure to financial loss, such as credit, market, or liquidity risk.", + "environmental": "Environmental risk 
assessment, evaluating the effect of an activity on the natural environment, including energy use and emissions.", + "supply-chain": "Supply chain risk assessment, evaluating risks across the chain that delivers a product or service, including software and hardware provenance, for example following [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).", + "compliance": "Compliance assessment, evaluating conformance with applicable laws, regulations, policies, or standards.", + "data-protection-impact": "Data protection impact assessment (DPIA), assessing high-risk processing of personal data, for example as described under Article 35 of the [GDPR](https://gdpr-info.eu/art-35-gdpr/).", + "fundamental-rights-impact": "Fundamental rights impact assessment (FRIA), evaluating the effect of a system on fundamental rights, for example as introduced for certain high-risk AI systems by the [EU AI Act](https://artificialintelligenceact.eu/).", + "ai-impact": "Artificial intelligence impact assessment, evaluating the risks and impacts of an AI system, for example following the [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework).", + "business-impact": "Business impact analysis (BIA), evaluating the operational and financial consequences of disruption to a business function.", + "third-party": "Third-party risk assessment, evaluating the risk arising from a specific external party relationship, such as a vendor, supplier, or service provider, as distinct from the broader supply chain.", + "threat": "Threat assessment, evaluating the threats and threat actors relevant to a subject.", + "vulnerability": "Vulnerability assessment, evaluating weaknesses that could be exploited.", + "model-risk": "Model risk assessment, evaluating the risk that a decision or quantitative model is incorrect or misused, including model validation.", + "fraud": "Fraud risk assessment, evaluating exposure to fraudulent activity and the controls that 
detect or prevent it." + } + }, + { + "title": "Custom Assessment Type", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assessment type." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assessment type." + } + } + } + ] } - } - } - }, - "assessment": { - "type": "object", - "required": [ - "bom-ref", - "type", - "timestamp" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "type": { - "type": "string", - "enum": [ - "initial", - "periodic", - "continuous", - "triggered" - ], - "meta:enum": { - "initial": "Initial risk assessment", - "periodic": "Scheduled periodic assessment", - "continuous": "Continuous monitoring assessment", - "triggered": "Event-triggered assessment" - } + "cadence": { + "title": "Cadence", + "description": "The temporal cadence or occasion on which the assessment is performed. Use the custom option for patterns specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Assessment Cadence", + "type": "string", + "enum": [ + "initial", + "periodic", + "continuous", + "triggered", + "ad-hoc" + ], + "meta:enum": { + "initial": "Initial, baseline assessment performed once at the outset.", + "periodic": "Scheduled, recurring assessment.", + "continuous": "Continuous, automated monitoring, as in a GRC engineering or continuous controls monitoring practice.", + "triggered": "Assessment triggered by a specific event, such as a change or an incident.", + "ad-hoc": "Unplanned, one-off assessment, neither scheduled nor triggered by a defined event." 
+ } + }, + { + "title": "Custom Assessment Cadence", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom assessment cadence." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom assessment cadence." + } + } + } + ] }, "timestamp": { "type": "string", "format": "date-time", - "description": "When the assessment was performed" + "description": "When the assessment was performed." + }, + "scope": { + "type": "string", + "title": "Scope", + "description": "The scope of the assessment, including the systems, boundaries, and what is in or out of scope." + }, + "status": { + "title": "Status", + "description": "The lifecycle status of the assessment. Use the custom option for a status specific to an organization's process.", + "oneOf": [ + { + "title": "Predefined Assessment Status", + "type": "string", + "enum": [ + "draft", + "in-progress", + "completed", + "approved", + "superseded" + ], + "meta:enum": { + "draft": "The assessment is being prepared.", + "in-progress": "The assessment is underway.", + "completed": "The assessment is finished.", + "approved": "The assessment has been reviewed and approved.", + "superseded": "The assessment has been replaced by a later one." + } + }, + { + "title": "Custom Assessment Status", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom status." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom status." 
+ } + } + } + ] }, - "assessor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", - "description": "Who performed the assessment" + "assessors": { + "type": "array", + "title": "Assessors", + "items": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice" + }, + "description": "The parties that performed the assessment. Each may be an inline party or a reference to a previously declared party, and may be a person or an automated system, agent, or tool. Automated assessors support continuous and automated assessment, as in a GRC engineering practice. A party's `roles` should include `auditor` or `assessor`." }, "summary": { "type": "string", - "description": "Executive summary of the assessment" + "description": "An executive summary of the assessment." }, "risks": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to risk entries evaluated in this assessment" + "description": "References using bom-link or bom-ref to risk entries evaluated in this assessment." }, "overallRisk": { "type": "object", 
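Review bot: The `approved` status ("The assessment has been reviewed and approved.") has no accompanying record of who approved it or when; `assessors` is documented as the parties that performed the assessment and `timestamp` as when it was performed, so approval provenance, which is what an auditor will ask for, cannot be captured except informally in `properties`. Either document that an approving party should be listed in `assessors` with a distinguishing role, or add a dedicated approver reference and approval time alongside `status`. Separately, `timestamp` is required while `status` may be `draft` or `in-progress`, so its description should say what the value means before the assessment is finished, for example `"When the assessment was performed or, for an assessment still in progress, when it began."`. The `assessment` object continues into the next hunk.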
@@ -11955,35 +13350,91 @@ "additionalProperties": false, "properties": { "method": { - "type": "string", - "enum": [ - "sum", - "average", - "custom" - ], - "description": "Aggregation method used to derive the overall risk" + "title": "Method", + "description": "The aggregation method used to derive the overall risk from the assessed risks. Use the custom option for methods not listed, such as a quantitative roll-up of loss distributions under FAIR.", + "oneOf": [ + { + "title": "Predefined Aggregation Method", + "type": "string", + "enum": [ + "maximum", + "sum", + "average", + "weighted-average" + ], + "meta:enum": { + "maximum": "The overall risk equals the highest individual risk.", + "sum": "The overall risk is the sum of the individual risks, representing total exposure.", + "average": "The overall risk is the mean of the individual risks.", + "weighted-average": "The overall risk is a weighted mean of the individual risks." + } + }, + { + "title": "Custom Aggregation Method", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom aggregation method." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom aggregation method." + } + } + } + ] }, "score": { "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" }, "description": { "type": "string", - "description": "Optional explanation for custom aggregation approaches" + "description": "An optional explanation for custom aggregation approaches." } }, - "description": "Aggregated risk result for this assessment" + "description": "The aggregated risk result for this assessment." 
+ }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "items": { + "type": "string" + }, + "description": "The assumptions, constraints, and limitations under which the assessment was made, to be re-evaluated when they change." }, "recommendations": { "type": "array", "items": { "type": "string" }, - "description": "Recommendations from the assessment" + "description": "Recommendations from the assessment." }, "nextReview": { "type": "string", "format": "date-time", - "description": "When the next review should occur" + "description": "When the next review should occur." + }, + "riskAppetites": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the risk appetites, declared under the risks collection, that applied for this assessment." + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" 
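Review bot: The `sum`, `average` and `weighted-average` aggregation methods presuppose that every referenced risk's `score` is on the same methodology and scale, yet `overallRisk` neither records that scale nor gives `weighted-average` anywhere to state its weights, so the roll-up cannot be reproduced or checked by a consumer. Summing ordinal ratings such as DREAD or OWASP factor averages is also not meaningful, even though the `sum` entry presents the result as "total exposure". Suggest broadening the `description` property to `"An explanation of how the aggregate was derived, including the weights used for a weighted average, the common scale the individual scores were normalized to, and the details of any custom method."` and extending the `sum` entry in `meta:enum` with `"Meaningful only for scores on a common additive scale, such as FAIR loss estimates; ordinal ratings should not be summed."`.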
@@ -11999,49 +13450,125 @@ "high", "critical" ], - "description": "Priority level", + "description": "Priority level.", "meta:enum": { - "none": "No priority assigned", - "low": "Low priority - address when convenient", - "medium": "Medium priority - address in normal cycle", - "high": "High priority - address soon", - "critical": "Critical priority - address immediately" + "none": "No priority.", + "low": "Low priority.", + "medium": "Medium priority.", + "high": "High priority.", + "critical": "Critical priority." } }, - "severity": { + "criticality": { "type": "string", "enum": [ - "info", + "minimal", "low", - "medium", + "moderate", "high", "critical" ], - "description": "Severity level", + "description": "Business criticality level.", "meta:enum": { - "info": "Informational finding", - "low": "Low severity issue", - "medium": "Medium severity issue", - "high": "High severity issue", - "critical": "Critical severity issue" + "minimal": "Minimal impact on business operations.", + "low": "Low impact with minor inconvenience.", + "moderate": "Moderate impact affecting some operations.", + "high": "High impact affecting critical operations.", + "critical": "Critical impact with severe business consequences." 
} }, - "criticality": { + "appetiteLevel": { "type": "string", + "description": "A qualitative risk appetite level, ranging from risk-averse to risk-seeking.", "enum": [ + "averse", "minimal", - "low", - "moderate", - "high", - "critical" + "cautious", + "open", + "hungry" ], - "description": "Business criticality level", "meta:enum": { - "minimal": "Minimal impact on business operations", - "low": "Low impact with minor inconvenience", - "moderate": "Moderate impact affecting some operations", - "high": "High impact affecting critical operations", - "critical": "Critical impact with severe business consequences" + "averse": "Avoidance of risk is the priority, and only the lowest-risk options are acceptable.", + "minimal": "A preference for very low risk, accepting risk only where it is unavoidable.", + "cautious": "A preference for safe options, accepting limited and well-understood risk for reward.", + "open": "A willingness to accept higher risk where the potential reward justifies it.", + "hungry": "An active willingness to seek risk in pursuit of greater reward, within defined control limits." + } + }, + "riskAppetite": { + "type": "object", + "title": "Risk Appetite", + "description": "The amount and type of risk a party is willing to pursue or retain, stated explicitly so that it is not left implicit in individual target ratings. An appetite may be attributed to a specific party through `party`, so a single document can record the appetites of more than one party, and it may be stated overall and refined per risk domain. 
Quantitative tolerances for a specific risk are expressed through that risk's target rating, and measurement of actual risk against the appetite is recorded through assessments.", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference this risk appetite elsewhere, such as from an assessment." + }, + "party": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party whose risk appetite this is. Set this when a single document captures the appetites of more than one party. May be an inline party object or a reference to a previously declared party." + }, + "level": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel", + "description": "The overall risk appetite level." + }, + "statement": { + "type": "string", + "title": "Statement", + "description": "A narrative statement of the overall risk appetite, including any qualifications or context." + }, + "rationale": { + "type": "string", + "description": "The justification for this appetite, such as the strategic objective or regulatory obligation that informs it." + }, + "owner": { + "$ref": "#/$defs/cyclonedx-party-2.0/$defs/partyChoice", + "description": "The party accountable for setting and approving this appetite, such as a board or risk committee. May be an inline party object or a reference to a previously declared party." + }, + "horizon": { + "type": "string", + "description": "The time horizon over which this appetite applies, expressed as an [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) duration, for example P1Y for one year." + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When this appetite is next due for review, since appetite changes with strategy, market conditions, and the threat landscape." 
+ }, + "categories": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "domain", + "level" + ], + "additionalProperties": false, + "properties": { + "domain": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain", + "description": "The risk domain this appetite entry applies to." + }, + "level": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/appetiteLevel", + "description": "The appetite level for this risk domain." + }, + "statement": { + "type": "string", + "description": "A narrative statement of the appetite for this risk domain." + }, + "rationale": { + "type": "string", + "description": "The justification for the appetite for this risk domain." + } + } + }, + "description": "Per-domain appetite, refining the overall appetite for specific risk domains such as security, privacy, or financial." + } } } } 
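Review bot: `riskAppetite.horizon` is described as an ISO 8601 duration but is a bare `"type": "string"` with no `pattern`, whereas the `downtime` and `recovery` durations elsewhere in this file enforce one, so a value like `"1 year"` validates here and a consumer computing review dates from it will fail inconsistently. Reuse the same constraint: `"pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$"`. If the duration pattern is used in more than two places it would be worth factoring into a shared `$defs` entry so the regex cannot drift between them.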
@@ -12423,162 +13950,699 @@ "type": "null", "title": "CycloneDX Threat Model", "$defs": { - "threatScenario": { + "threats": { "type": "object", - "allOf": [ + "title": "Threats", + "description": "Threat-modelling content, including the documented threats, the scenarios that realize them, the attack patterns and attack trees that describe how they are carried out, and the trust boundaries they cross.", + "additionalProperties": false, + "properties": { + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threat" + }, + "description": "The documented threats. Each describes what can go wrong, independent of any specific actor or occurrence." + }, + "scenarios": { + "type": "array", + "title": "Scenarios", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario" + }, + "description": "The threat scenarios, each realizing one or more documented threats in a specific way." + }, + "attackPatterns": { + "type": "array", + "title": "Attack Patterns", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPattern" + }, + "description": "A library of attack patterns, typically aligned with CAPEC, that threats and scenarios can reference." + }, + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackTree" + }, + "description": "Attack trees that decompose attacker goals into sub-goals and techniques." + }, + "attackPaths": { + "type": "array", + "title": "Attack Paths", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPath" + }, + "description": "Attack paths that describe the ordered progression of an attack across elements and trust boundaries, including lateral movement." 
+ }, + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that describe how the system can be exercised by an adversary." + }, + "trustBoundaries": { + "type": "array", + "title": "Trust Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/trustBoundary" + }, + "description": "The trust boundaries of the system, extending the architectural boundaries defined in a blueprint with trust semantics." + }, + "methodologies": { + "type": "array", + "title": "Methodologies", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/methodology" + }, + "description": "The threat modeling methodologies applied to produce this threat model, such as STRIDE, LINDDUN, PASTA, or attack trees." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "methodology": { + "title": "Threat Modeling Methodology", + "description": "A threat modeling methodology applied to produce this threat model. 
Use the custom option for methodologies not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Threat Modeling Methodology", + "enum": [ + "STRIDE", + "LINDDUN", + "PASTA", + "MAESTRO", + "OWASP", + "TRIKE", + "VAST", + "ATFAA", + "attack-tree" + ], + "meta:enum": { + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance.", + "PASTA": "Process for Attack Simulation and Threat Analysis.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome.", + "OWASP": "OWASP threat modelling methodology.", + "TRIKE": "Risk-based threat modelling methodology.", + "VAST": "Visual, Agile, and Simple Threat modelling.", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents.", + "attack-tree": "Attack tree methodology, decomposing attacker goals into sub-goals and techniques." + } + }, { - "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" + "type": "object", + "title": "Custom Threat Modeling Methodology", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom threat modeling methodology." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom threat modeling methodology." + } + } + } + ] + }, + "threat": { + "type": "object", + "title": "Threat", + "description": "A documented threat, describing what can go wrong independent of any specific actor or occurrence. 
A threat can be catalogued on its own; a threat scenario references it to describe a specific realization.", + "additionalProperties": false, + "required": [ + "bom-ref", + "name" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the threat elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the threat." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the threat." + }, + "source": { + "type": "string", + "title": "Source", + "description": "The source of the threat, such as a threat intelligence feed, a threat catalogue, or an analysis activity." + }, + "origin": { + "title": "Origin", + "description": "The nature of the threat source that gives rise to this threat, following the threat source types of [NIST SP 800-30](https://csrc.nist.gov/pubs/sp/800/30/r1/final). Use the custom option for an origin not covered by the enumeration.", + "oneOf": [ + { + "type": "string", + "title": "Predefined Origin", + "enum": [ + "adversarial", + "accidental", + "structural", + "environmental" + ], + "meta:enum": { + "adversarial": "An adversary acting with intent, such as an individual, group, organization, or nation state.", + "accidental": "An erroneous action taken without malicious intent, such as a mistake by a privileged user or administrator.", + "structural": "A failure of equipment, software, or environmental controls, such as resource exhaustion or expiry of a component.", + "environmental": "A natural or human-made event outside the control of the organization, such as a fire, flood, or wide-area infrastructure outage." 
+ } + }, + { + "type": "object", + "title": "Custom Origin", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom origin." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom origin." + } + } + } + ] + }, + "categories": { + "type": "array", + "title": "Categories", + "uniqueItems": true, + "description": "The methodology-specific categories that this threat falls under. A threat may be categorized under more than one methodology, for example STRIDE and MAESTRO. The methodology is one of the supported threat-modelling methodologies, and it determines which category values are permitted.", + "items": { + "type": "object", + "title": "Threat Category", + "description": "A threat category. The taxonomy determines the permitted category values.", + "additionalProperties": false, + "required": [ + "taxonomy", + "category" + ], + "properties": { + "taxonomy": { + "type": "string", + "title": "Taxonomy", + "description": "The threat classification taxonomy that the category is drawn from.", + "enum": [ + "STRIDE", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK" + ], + "meta:enum": { + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome, whose categories are its seven architectural layers.", + "MITRE-ATTACK": "The MITRE ATT&CK framework, whose categories are its Enterprise tactics." + } + }, + "category": { + "type": "string", + "minLength": 1, + "title": "Category", + "description": "The category within the taxonomy. The permitted values are determined by the taxonomy." 
+ } + }, + "allOf": [ + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "STRIDE" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "spoofing", + "tampering", + "repudiation", + "information-disclosure", + "denial-of-service", + "elevation-of-privilege" + ], + "meta:enum": { + "spoofing": "Impersonating something or someone, violating authenticity.", + "tampering": "Modifying data or code, violating integrity.", + "repudiation": "Denying having performed an action, violating non-repudiation.", + "information-disclosure": "Exposing information to unauthorized parties, violating confidentiality.", + "denial-of-service": "Denying or degrading service to legitimate users, violating availability.", + "elevation-of-privilege": "Gaining capabilities without proper authorization, violating authorization." + } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "LINDDUN" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "linkability", + "identifiability", + "non-repudiation", + "detectability", + "disclosure-of-information", + "unawareness", + "non-compliance" + ], + "meta:enum": { + "linkability": "Linking data items to learn more about an individual.", + "identifiability": "Identifying an individual from data.", + "non-repudiation": "Being unable to deny a claim, harming plausible deniability.", + "detectability": "Detecting that an item of interest exists.", + "disclosure-of-information": "Revealing personal data, violating confidentiality.", + "unawareness": "Individuals being unaware of the processing of their data.", + "non-compliance": "Deviating from policy, regulation, or best practice." 
+ } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "MAESTRO" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "foundation-models", + "data-operations", + "agent-frameworks", + "deployment-and-infrastructure", + "evaluation-and-observability", + "security-and-compliance", + "agent-ecosystem" + ], + "meta:enum": { + "foundation-models": "Layer 1. The core models that provide the agent's capabilities.", + "data-operations": "Layer 2. Storage, retrieval, and processing of the agent's data.", + "agent-frameworks": "Layer 3. The frameworks and tools that build and run agents.", + "deployment-and-infrastructure": "Layer 4. The infrastructure on which agents are deployed and scaled.", + "evaluation-and-observability": "Layer 5. Evaluation, monitoring, and observability of agent behaviour.", + "security-and-compliance": "Layer 6. The cross-cutting security and compliance controls.", + "agent-ecosystem": "Layer 7. The applications and marketplace where agents deliver value to end-users." + } + } + } + } + }, + { + "if": { + "required": [ + "taxonomy" + ], + "properties": { + "taxonomy": { + "const": "MITRE-ATTACK" + } + } + }, + "then": { + "properties": { + "category": { + "enum": [ + "reconnaissance", + "resource-development", + "initial-access", + "execution", + "persistence", + "privilege-escalation", + "defense-evasion", + "credential-access", + "discovery", + "lateral-movement", + "collection", + "command-and-control", + "exfiltration", + "impact" + ] + } + } + } + } + ] + } + }, + "weaknesses": { + "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses", + "description": "The weaknesses, such as CWE classifications, that this threat exploits." 
+ }, + "relatedVulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities that this threat exploits or that inform it." + }, + "attackPatterns": { + "type": "array", + "title": "Attack Patterns", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack patterns by which this threat is carried out." + }, + "attackTrees": { + "type": "array", + "title": "Attack Trees", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the attack trees that decompose this threat." + }, + "abuseCases": { + "type": "array", + "title": "Abuse Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the abuse cases that illustrate how this threat can be exercised." + }, + "killChainPhase": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase", + "description": "The phase of the cyber kill chain at which this threat operates." + }, + "behaviors": { + "type": "array", + "title": "Behaviors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the declared behaviors that constitute the intent of this threat, drawn from the behavior taxonomy." + }, + "indicators": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators" + }, + "affectedAssets": { + "type": "array", + "title": "Affected Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the kinds of assets this threat affects." 
+ }, + "relatedBusinessObjectives": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this threat endangers." }, - { - "properties": { - "threatCategory": { - "type": "string", - "description": "Threat category based on methodology (e.g., STRIDE category)" - }, - "threatActor": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile" - }, - "attackVector": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector" - }, - "attackPattern": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference" - }, - "abuseCases": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/abuseCase" - }, - "description": "Abuse or misuse cases that illustrate how this threat can be exercised" - }, - "weakness": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference" - }, - "exploitability": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability" - }, - "indicators": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators" - }, - "killChainPhase": { - "type": "string", - "enum": [ - "reconnaissance", - "weaponization", - "delivery", - "exploitation", - "installation", - "command-and-control", - "actions-on-objectives" - ], - "meta:enum": { - "reconnaissance": "Gathering information about the target", - "weaponization": "Creating malicious payloads", - "delivery": "Transmitting weapon to target", - "exploitation": "Exploiting vulnerabilities", - "installation": "Installing malware or backdoors", - "command-and-control": "Establishing C2 channel", - "actions-on-objectives": "Achieving attack goals" - } - }, - "technicalImpact": { - "type": "array", - "items": { - "type": "string", - "enum": [ - "unauthorized-access", - "data-breach", - "data-corruption", - "service-disruption", - "privilege-escalation", - "code-execution", - "information-disclosure", - 
"denial-of-service" - ] - } - } - } + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this threat." + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } - ] + } }, - "threatActor": { + "threatScenario": { "type": "object", + "title": "Threat Scenario", + "description": "A specific realization of a threat, in which an actor seeks to cause harm. The scenario references the threat it realizes, supplies the actor by reference to a party, and carries the scenario-specific traits and risk assessment, such as motivation, intent, access level, likelihood, and impact.", + "additionalProperties": false, "required": [ "bom-ref", "name", - "type" + "threats" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the threat scenario elsewhere using a bom-ref or bom-link." }, "name": { "type": "string", - "description": "Name or identifier of the threat actor" + "minLength": 1, + "title": "Name", + "description": "The name of the threat scenario." }, "description": { "type": "string", - "description": "Description of the threat actor" + "title": "Description", + "description": "A description of the threat scenario." }, - "type": { + "threats": { + "type": "array", + "title": "Threats", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this scenario realizes. A scenario realizes one or more threats." 
+ }, + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that is the actor in this scenario. Named adversary groups are organizations and abstract attacker classes are personas." + }, + "threatProfile": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to a reusable threat profile that describes the durable capabilities of the actor." + }, + "motivation": { + "type": "array", + "title": "Motivation", + "uniqueItems": true, + "description": "The motivations of the actor in this scenario.", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ], + "meta:enum": { + "financial": "Motivated by financial gain.", + "political": "Motivated by political objectives.", + "personal": "Motivated by personal reasons.", + "ideological": "Motivated by ideology or belief.", + "espionage": "Motivated by intelligence gathering.", + "destruction": "Motivated by the desire to destroy.", + "disruption": "Motivated by the desire to disrupt operations.", + "reputation": "Motivated by reputational gain or harm.", + "curiosity": "Motivated by curiosity.", + "competitive": "Motivated by competitive advantage.", + "revenge": "Motivated by revenge.", + "activism": "Motivated by activism." 
+ } + } + }, + "intent": { "type": "string", + "title": "Intent", + "description": "The intent of the actor in this scenario.", "enum": [ - "individual", - "group", - "organization", - "nation-state", - "unknown" + "accidental", + "opportunistic", + "targeted", + "persistent" ], "meta:enum": { - "individual": "Individual threat actor", - "group": "Organized group or collective", - "organization": "Corporate or criminal organization", - "nation-state": "Nation-state sponsored actor", - "unknown": "Unknown threat actor type" + "accidental": "The harm is caused without intent.", + "opportunistic": "The actor takes advantage of an opportunity as it arises.", + "targeted": "The actor deliberately targets the subject.", + "persistent": "The actor pursues the target persistently over time." } }, - "aliases": { + "accessLevel": { + "type": "string", + "title": "Access Level", + "description": "The level of access the actor is assumed to have in this scenario.", + "enum": [ + "none", + "external", + "internal", + "privileged", + "physical" + ], + "meta:enum": { + "none": "No access.", + "external": "External access only.", + "internal": "Internal access, such as that of an ordinary user.", + "privileged": "Privileged or administrative access.", + "physical": "Physical access to the target." 
+ } + }, + "attackVector": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector" + }, + "exploitability": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability" + }, + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { "type": "array", + "title": "Risk Attributes", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" }, - "description": "Known aliases or alternative names" - }, - "profile": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile" + "description": "The security and privacy attributes that this threat would compromise if realized." }, - "observedTTPs": { + "affectedAssets": { "type": "array", + "title": "Affected Assets", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/ttp" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Observed tactics, techniques, and procedures" + "description": "References using bom-link or bom-ref to the assets affected in this scenario." }, - "attributedAttacks": { + "relatedRisks": { "type": "array", + "title": "Related Risks", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Attacks attributed to this actor" + "description": "References using bom-link or bom-ref to the risks that this scenario contributes to." 
}, - "targeting": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/targeting" - }, - "externalReferences": { + "relatedVulnerabilities": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the vulnerabilities exploited in this scenario." + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "threatActorProfile": { + "threatProfiles": { + "type": "array", + "title": "Threat Profiles", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatProfile" + }, + "description": "Reusable threat profiles, each describing the durable characteristics of an actor that may pose a threat." + }, + "threatProfile": { "type": "object", + "title": "Threat Profile", + "description": "A durable, actor-level characterization of the capability to pose a threat, capturing attributes that persist across scenarios. Scenario-specific attributes, such as motivation, intent, and access level, belong on a threat scenario rather than on this profile.", "additionalProperties": false, + "required": [ + "bom-ref" + ], "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference this threat profile elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the threat profile." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the threat profile." 
+ }, "sophistication": { "type": "string", + "title": "Sophistication", + "description": "The level of technical sophistication an actor characterized by this profile is assumed to possess.", "enum": [ "none", "minimal", @@ -12587,46 +14651,17 @@ "expert" ], "meta:enum": { - "none": "No technical sophistication", - "minimal": "Script kiddie level", - "intermediate": "Intermediate technical skills", - "advanced": "Advanced persistent threat", - "expert": "Nation-state level capabilities" + "none": "No technical sophistication.", + "minimal": "Minimal sophistication, relying on readily available tools and techniques.", + "intermediate": "Intermediate technical skills.", + "advanced": "Advanced skills consistent with a persistent and well-resourced actor.", + "expert": "Expert skills consistent with the most capable actors." } }, - "motivation": { - "type": "array", - "items": { - "type": "string", - "enum": [ - "financial", - "political", - "personal", - "ideological", - "espionage", - "destruction", - "disruption", - "reputation", - "curiosity", - "competitive", - "revenge", - "activism" - ] - }, - "description": "Primary motivations" - }, - "intent": { - "type": "string", - "enum": [ - "accidental", - "opportunistic", - "targeted", - "persistent" - ], - "description": "Intent level" - }, "resources": { "type": "string", + "title": "Resources", + "description": "The level of resources an actor characterized by this profile is assumed to have available.", "enum": [ "minimal", "limited", 
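Review bot: The `threats` container declares no `threatProfiles` property, yet this hunk adds a `threatProfiles` array definition and documents `threatScenario.threatProfile` as a bom-ref to "a reusable threat profile"; unless the array is attached under another top-level object outside this hunk, a document has nowhere to declare a profile for that reference to resolve to. Adding `"threatProfiles": { "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatProfiles" }` next to `methodologies` in the container would close that gap. Separately, the `MITRE-ATTACK` `category` branch is the only taxonomy branch without a `meta:enum`, so tooling that renders enum documentation will show bare tactic slugs; one-line descriptions matching the STRIDE, LINDDUN and MAESTRO branches would keep the four branches consistent. Also, `threatScenario.riskAttributes` reads "that this threat would compromise" although the property sits on the scenario, not the threat; `"The security and privacy attributes that would be compromised if this scenario is realized."` would be accurate.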
@@ -12634,34 +14669,38 @@ "substantial", "unlimited" ], - "description": "Resource availability" - }, - "accessLevel": { - "type": "string", - "enum": [ - "none", - "external", - "internal", - "privileged", - "physical" - ], - "description": "Level of access to target systems" + "meta:enum": { + "minimal": "Minimal resources.", + "limited": "Limited resources.", + "moderate": "Moderate resources.", + "substantial": "Substantial resources.", + "unlimited": "Effectively unlimited resources." + } }, "skillSet": { "type": "array", + "title": "Skill Set", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Specific skills possessed" + "description": "The specific skills an actor characterized by this profile is assumed to possess." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, "attackVector": { "type": "object", + "title": "Attack Vector", + "description": "The conditions under which an attack is possible, following the convention of common vulnerability scoring systems.", "additionalProperties": false, "properties": { "type": { "type": "string", + "title": "Type", + "description": "The context by which an attack is possible.", "enum": [ "network", "adjacent", 
@@ -12669,289 +14708,421 @@ "physical" ], "meta:enum": { - "network": "Remotely exploitable via network", - "adjacent": "Exploitable from adjacent network", - "local": "Requires local access", - "physical": "Requires physical access" + "network": "Remotely exploitable via a network.", + "adjacent": "Exploitable from an adjacent network.", + "local": "Requires local access.", + "physical": "Requires physical access." } }, "complexity": { "type": "string", + "title": "Complexity", + "description": "The complexity of the attack.", "enum": [ "low", "high" ], - "description": "Attack complexity" + "meta:enum": { + "low": "The attack has low complexity.", + "high": "The attack has high complexity." + } }, "privileges": { "type": "string", + "title": "Privileges", + "description": "The level of privileges required to carry out the attack.", "enum": [ "none", "low", "high" ], - "description": "Privileges required" + "meta:enum": { + "none": "No privileges are required.", + "low": "Low privileges are required.", + "high": "High privileges are required." + } }, "userInteraction": { "type": "string", + "title": "User Interaction", + "description": "Whether the attack requires interaction from a user other than the attacker.", "enum": [ "none", "required" ], - "description": "User interaction requirement" + "meta:enum": { + "none": "No user interaction is required.", + "required": "User interaction is required." 
+ } }, "scope": { "type": "string", + "title": "Scope", + "description": "Whether a successful attack affects resources beyond the vulnerable component.", "enum": [ "unchanged", "changed" ], - "description": "Scope impact" - } - } - }, - "abuseCase": { - "type": "object", - "required": [ - "bom-ref", - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "name": { - "type": "string", - "description": "Name of the abuse case" - }, - "description": { - "type": "string", - "description": "Narrative describing how the system can be misused or abused" - }, - "abuser": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference (bom-ref) to a threat actor involved in the abuse case" - }, - "targets": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "References (bom-refs) to assets or flows targeted in this abuse case" - }, - "steps": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Ordered steps the abuser follows" + "meta:enum": { + "unchanged": "The attack affects only the vulnerable component.", + "changed": "The attack affects resources beyond the vulnerable component." + } } } }, "attackPattern": { "type": "object", + "title": "Attack Pattern", + "description": "A description of the common attributes and approach of an attack, typically aligned with CAPEC. Techniques are aligned with MITRE ATT&CK.", + "additionalProperties": false, "required": [ "bom-ref", "name" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the attack pattern elsewhere using a bom-ref or bom-link." 
}, "capecId": { "type": "integer", - "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + "minimum": 1, + "title": "CAPEC Identifier", + "description": "The Common Attack Pattern Enumeration and Classification (CAPEC) identifier for this attack pattern." }, "name": { "type": "string", - "description": "Name of the attack pattern" + "minLength": 1, + "title": "Name", + "description": "The name of the attack pattern." }, "description": { "type": "string", - "description": "Description of the attack pattern" + "title": "Description", + "description": "A description of the attack pattern." }, "prerequisites": { "type": "array", + "title": "Prerequisites", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Prerequisites for the attack" + "description": "The conditions that must hold for the attack to be possible." }, "techniques": { "type": "array", + "title": "Techniques", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" }, - "description": "Techniques used in the attack" + "description": "The techniques used to carry out the attack, typically aligned with MITRE ATT&CK." }, "mitigations": { "type": "array", + "title": "Mitigations", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to mitigations" + "description": "References using bom-link or bom-ref to the controls that mitigate this attack pattern." }, "examples": { "type": "array", + "title": "Examples", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Real-world examples" + "description": "Real-world examples of the attack pattern." 
} } }, - "attackPatternReference": { + "technique": { "type": "object", + "title": "Technique", + "description": "A specific technique used to carry out an attack, typically aligned with MITRE ATT&CK.", "additionalProperties": false, "properties": { - "patternRef": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to attack pattern" + "id": { + "type": "string", + "title": "Identifier", + "description": "The identifier of the technique, such as a MITRE ATT&CK technique identifier." }, - "capecId": { - "type": "integer", - "description": "CAPEC ID if not referencing internal pattern" + "name": { + "type": "string", + "title": "Name", + "description": "The name of the technique." }, - "customization": { + "tactic": { + "type": "string", + "title": "Tactic", + "description": "The tactic that the technique supports, such as a MITRE ATT&CK tactic." + }, + "procedure": { "type": "string", - "description": "How this pattern is customized for the specific scenario" + "title": "Procedure", + "description": "The specific procedure by which the technique is carried out." } } }, - "technique": { + "attackTree": { "type": "object", + "title": "Attack Tree", + "description": "A decomposition of an attacker goal into sub-goals and techniques, expressed as a flat collection of nodes. Each node lists its child nodes by reference together with an operator that says how those children combine, so the tree is expressed without nesting. One node is the root, representing the attacker goal.", "additionalProperties": false, + "required": [ + "bom-ref", + "nodes" + ], "properties": { - "id": { - "type": "string", - "description": "Technique ID (e.g., MITRE ATT&CK ID)" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the attack tree elsewhere using a bom-ref or bom-link." 
}, "name": { "type": "string", - "description": "Name of the technique" + "title": "Name", + "description": "The name of the attack tree." }, - "tactic": { + "description": { "type": "string", - "description": "Associated tactic" + "title": "Description", + "description": "A description of the attack tree." }, - "procedure": { - "type": "string", - "description": "Specific procedure" + "root": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Root BOM Reference", + "description": "Optional reference using bom-link or bom-ref to the root node within nodes, representing the attacker goal. When omitted, the root is the node that no other node lists as a child." }, - "tools": { + "nodes": { "type": "array", + "title": "Nodes", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackTreeNode" }, - "description": "Tools used with this technique" + "description": "The nodes of the attack tree. Each node references its child nodes, which are themselves entries in this array, forming the hierarchy without nesting." } } }, - "weakness": { + "attackTreeNode": { "type": "object", + "title": "Attack Tree Node", + "description": "A node in an attack tree, representing an attacker goal, sub-goal, or technique. A node references its child nodes and carries an operator that says how those children combine. The hierarchy is expressed by these references rather than by nesting.", + "additionalProperties": false, "required": [ - "bom-ref" + "bom-ref", + "name" ], - "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "cweId": { - "type": "integer", - "description": "CWE (Common Weakness Enumeration) ID" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the node elsewhere using a bom-ref or bom-link." 
}, "name": { "type": "string", - "description": "Name of the weakness" + "minLength": 1, + "title": "Name", + "description": "The goal, sub-goal, or technique that the node represents." }, "description": { "type": "string", - "description": "Description of the weakness" + "title": "Description", + "description": "A description of the node." }, - "abstraction": { + "operator": { "type": "string", + "title": "Operator", + "description": "Specifies how the nodes listed in 'children' combine to achieve this node. A value of 'and' requires every child node; a value of 'or' requires any single child node. For example, a node whose children are a phishing node and a credential-stuffing node uses 'or' when either alone achieves it, or 'and' when both are needed together. A node with no children is a leaf and omits this property.", "enum": [ - "pillar", - "class", - "base", - "variant", - "compound" + "and", + "or" ], "meta:enum": { - "pillar": "Most abstract type of weakness", - "class": "Weakness described in generic terms", - "base": "Weakness described in abstract terms", - "variant": "Weakness specific to a resource/technology", - "compound": "Combination of two or more weaknesses" + "and": "All child nodes are required to achieve this node.", + "or": "Any one child node is sufficient to achieve this node." } }, - "ordinality": { + "children": { + "type": "array", + "title": "Children", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the child nodes that decompose this node. Each child node is a separate entry in the same nodes array, so the hierarchy is expressed without nesting. A child node may be shared by more than one parent." + }, + "attackPattern": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the attack pattern that this node represents." 
+ }, + "weakness": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the weakness that this node exploits." + }, + "cost": { "type": "string", + "title": "Cost", + "description": "The relative cost to an attacker of achieving this node.", "enum": [ - "primary", - "resultant", - "indirect" + "negligible", + "low", + "moderate", + "high", + "prohibitive" ], "meta:enum": { - "primary": "Weakness exists independent of other weaknesses", - "resultant": "Weakness is caused by another weakness", - "indirect": "Weakness is indirectly caused by another weakness" + "negligible": "Negligible cost.", + "low": "Low cost.", + "moderate": "Moderate cost.", + "high": "High cost.", + "prohibitive": "Prohibitive cost." } }, - "affectedAssets": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "Assets affected by this weakness" + "skill": { + "type": "string", + "title": "Skill", + "description": "The skill level required to achieve this node.", + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." + } }, - "exploitationDifficulty": { + "detectability": { "type": "string", + "title": "Detectability", + "description": "How readily an attempt to achieve this node can be detected.", "enum": [ - "trivial", - "easy", + "undetectable", + "low", "moderate", - "difficult", - "impractical" + "high" ], - "description": "Difficulty of exploiting this weakness" + "meta:enum": { + "undetectable": "The attempt is effectively undetectable.", + "low": "The attempt is difficult to detect.", + "moderate": "The attempt is moderately detectable.", + "high": "The attempt is readily detectable." 
+ } }, - "detectionMethods": { + "mitigations": { "type": "array", + "title": "Mitigations", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Methods for detecting this weakness" + "description": "References using bom-link or bom-ref to the controls that mitigate this node." } } }, - "weaknessReference": { + "abuseCase": { "type": "object", + "title": "Abuse Case", + "description": "A description of how an adversary can misuse the system to achieve a malicious goal. An abuse case is the security counterpart of a use case and reuses its flow structure.", "additionalProperties": false, + "required": [ + "bom-ref", + "name" + ], "properties": { - "weaknessRef": { + "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to weakness" + "description": "An identifier which can be used to reference the abuse case elsewhere using a bom-ref or bom-link." }, - "cweId": { - "type": "integer", - "description": "CWE ID if not referencing internal weakness" + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the abuse case, typically expressed as a malicious goal." }, - "instance": { + "description": { "type": "string", - "description": "Specific instance or manifestation of the weakness" + "title": "Description", + "description": "A narrative describing how the system can be misused or abused." + }, + "abuser": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the party that abuses the system, typically an attacker persona." + }, + "realizes": { + "type": "array", + "title": "Realizes", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the threats that this abuse case realizes." 
+ }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The conditions that must hold before the abuse case can begin." + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The ordered steps the abuser follows." + }, + "targets": { + "type": "array", + "title": "Targets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the assets or flows targeted in this abuse case." + }, + "detectionOpportunities": { + "type": "array", + "title": "Detection Opportunities", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "The signals, logs, or controls that present an opportunity to detect the abuse." + }, + "mitigations": { + "type": "array", + "title": "Mitigations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that mitigate this abuse case." } } }, "exploitability": { "type": "object", + "title": "Exploitability", + "description": "The degree to which a threat can be exploited in practice.", "additionalProperties": false, "properties": { "level": { "type": "string", + "title": "Level", + "description": "The maturity of available exploitation capability.", "enum": [ "theoretical", "proof-of-concept", 
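Review bot: `attackTreeNode.operator`'s description says a leaf omits the property and that `children` combine according to it, but nothing in the schema ties the two together, so a leaf with an `operator` and a parent without one both validate; since the file declares draft 2020-12, `"dependentRequired": { "operator": ["children"], "children": ["operator"] }` on the node object enforces the stated rule. `technique` has no `required`, so `{}` is a valid technique; `"anyOf": [ { "required": ["id"] }, { "required": ["name"] } ]` would require at least an identifier or a name. Because `children` may be shared across parents and are plain references, the schema cannot reject cycles; the `attackTree` description should state that child references must form a tree or DAG, and the `root` description should say what applies when more than one node is never listed as a child.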
@@ -12959,14 +15130,16 @@
 "weaponized"
 ],
 "meta:enum": {
- "theoretical": "Theoretically possible but not demonstrated",
- "proof-of-concept": "Proof of concept exists",
- "functional": "Functional exploit exists",
- "weaponized": "Weaponized exploit in the wild"
+ "theoretical": "Exploitation is theoretically possible but has not been demonstrated.",
+ "proof-of-concept": "A proof of concept exists.",
+ "functional": "A functional exploit exists.",
+ "weaponized": "A weaponized exploit is in use."
 }
 },
 "complexity": {
 "type": "string",
+ "title": "Complexity",
+ "description": "The complexity of exploitation.",
 "enum": [
 "trivial",
 "low",
@@ -12974,10 +15147,18 @@
 "high",
 "very-high"
 ],
- "description": "Complexity to exploit"
+ "meta:enum": {
+ "trivial": "Exploitation is trivial.",
+ "low": "Exploitation has low complexity.",
+ "medium": "Exploitation has medium complexity.",
+ "high": "Exploitation has high complexity.",
+ "very-high": "Exploitation has very high complexity."
+ }
 },
 "skillRequired": {
 "type": "string",
+ "title": "Skill Required",
+ "description": "The skill level required to exploit the threat.",
 "enum": [
 "none",
 "basic",
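Review bot: The new `meta:enum` for `complexity` introduces "medium" where the sibling scales in this definition set use "moderate" (`resources`, `cost`, `detectability`), and `signature.confidence` in a later hunk uses "medium" again; one vocabulary across the threat scales spares tooling that maps levels to scores from special-casing names. `complexity` here and `attackVector.complexity` (low/high) both describe attack difficulty on different scales, so the description should say how they differ, e.g. `"description": "The complexity of developing or running an exploit, as distinct from the CVSS-style attackVector.complexity."`.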
@@ -12985,79 +15166,70 @@ "advanced", "expert" ], - "description": "Skill level required" - }, - "toolsRequired": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tools required for exploitation" - }, - "timeRequired": { - "type": "string", - "description": "Estimated time to develop exploit" - }, - "reliability": { - "type": "string", - "enum": [ - "unreliable", - "occasional", - "reliable", - "highly-reliable" - ], - "description": "Reliability of exploitation" + "meta:enum": { + "none": "No special skill is required.", + "basic": "Basic skill is required.", + "intermediate": "Intermediate skill is required.", + "advanced": "Advanced skill is required.", + "expert": "Expert skill is required." + } }, "automatable": { "type": "boolean", - "description": "Whether exploitation can be automated" + "title": "Automatable", + "description": "Whether exploitation can be automated." } } }, "indicators": { "type": "object", + "title": "Indicators", + "description": "The observable indicators associated with a threat.", "additionalProperties": false, "properties": { "compromise": { "type": "array", + "title": "Indicators of Compromise", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Indicators of compromise" + "description": "The indicators that a compromise has occurred." }, "attack": { "type": "array", + "title": "Indicators of Attack", + "uniqueItems": true, "items": { "type": "string" }, - "description": "Indicators of attack" - }, - "behavioral": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Behavioral indicators" + "description": "The indicators that an attack is under way." }, "signatures": { "type": "array", + "title": "Signatures", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/signature" }, - "description": "Detection signatures" + "description": "The detection signatures associated with the threat." 
 }
 }
 },
 "signature": {
 "type": "object",
+ "title": "Signature",
+ "description": "A detection signature for a threat.",
+ "additionalProperties": false,
 "required": [
 "type",
 "value"
 ],
- "additionalProperties": false,
 "properties": {
 "type": {
 "type": "string",
+ "title": "Type",
+ "description": "The type of signature.",
 "enum": [
 "yara",
 "snort",
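Review bot: `indicators.compromise` and `indicators.attack` are arrays of bare strings, so a consumer cannot tell a file hash from a domain, an address or a path without guessing, which is what detection tooling needs before it can ingest them; `signature` in the same hunk already pairs a `type` with a `value`, and giving indicators that same shape, or at least documenting an expected format in each description, would make them actionable. `skillRequired` duplicates the `enum` and `meta:enum` of `attackTreeNode.skill` from the earlier hunk verbatim; factoring both into a shared `$defs` entry referenced with `$ref`, as the commit does for `killChainPhase`, keeps the two from drifting.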
@@ -13065,175 +15237,209 @@ "hash", "behavior" ], - "description": "Type of signature" + "meta:enum": { + "yara": "A YARA rule.", + "snort": "A Snort rule.", + "regex": "A regular expression.", + "hash": "A cryptographic hash.", + "behavior": "A behavioural signature." + } }, "value": { "type": "string", - "description": "Signature value or pattern" + "minLength": 1, + "title": "Value", + "description": "The signature value or pattern." }, "description": { "type": "string", - "description": "Description of what the signature detects" + "title": "Description", + "description": "A description of what the signature detects." }, "confidence": { "type": "string", + "title": "Confidence", + "description": "The confidence level of a detection by this signature.", "enum": [ "low", "medium", "high" ], - "description": "Confidence level of detection" + "meta:enum": { + "low": "Low confidence.", + "medium": "Medium confidence.", + "high": "High confidence." + } } } }, - "ttp": { + "trustBoundary": { "type": "object", + "title": "Trust Boundary", + "description": "A security annotation marking an architectural boundary as one across which trust changes. It references a boundary defined in a blueprint, where the zones, type, and crossing requirements already live, and adds only the trust differential and the threats and controls at that boundary.", "additionalProperties": false, + "required": [ + "bom-ref", + "boundary" + ], "properties": { - "tactic": { - "type": "string", - "description": "High-level tactic" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An identifier which can be used to reference the trust boundary elsewhere using a bom-ref or bom-link." }, - "technique": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" + "boundary": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the blueprint boundary that this trust boundary annotates." 
}, - "procedure": { + "name": { "type": "string", - "description": "Specific implementation" - }, - "tools": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/tool" - }, - "description": "Tools used" + "title": "Name", + "description": "The name of the trust boundary." }, - "infrastructure": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Infrastructure used" - } - } - }, - "tool": { - "type": "object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { + "description": { "type": "string", - "description": "Tool name" + "title": "Description", + "description": "A description of the trust boundary." }, - "type": { + "trustLevel": { "type": "string", + "title": "Trust Level", + "description": "The trust level differential across the boundary.", "enum": [ - "exploit", - "scanner", - "fuzzer", - "proxy", - "framework", - "custom" + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" ], - "description": "Type of tool" - }, - "version": { - "type": "string", - "description": "Tool version" - }, - "capabilities": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Tool capabilities" - } - } - }, - "targeting": { - "type": "object", - "additionalProperties": false, - "properties": { - "sectors": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Targeted sectors or industries" - }, - "regions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Targeted geographic regions" + "meta:enum": { + "untrusted": "The boundary separates an untrusted zone.", + "semi-trusted": "The boundary separates a semi-trusted zone.", + "trusted": "The boundary separates a trusted zone.", + "highly-trusted": "The boundary separates a highly trusted zone." 
+ } }, - "technologies": { + "threatsAtBoundary": { "type": "array", + "title": "Threats At Boundary", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Targeted technologies or platforms" + "description": "References using bom-link or bom-ref to the threats that could exploit this boundary." }, - "dataTypes": { + "controlsAtBoundary": { "type": "array", + "title": "Controls At Boundary", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Types of data targeted" + "description": "References using bom-link or bom-ref to the controls in place at this boundary. Intended primarily for referencing externally defined controls. Where the control and boundary are declared together, prefer the control's appliesTo property." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "detectionMethod": { + "killChainPhase": { + "type": "string", + "title": "Kill Chain Phase", + "description": "A phase of the cyber kill chain.", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target.", + "weaponization": "Creating a malicious payload.", + "delivery": "Transmitting the payload to the target.", + "exploitation": "Exploiting a vulnerability or weakness.", + "installation": "Installing malicious software or establishing a foothold.", + "command-and-control": "Establishing a command and control channel.", + "actions-on-objectives": "Achieving the goals of the attack." 
+ } + }, + "attackPathStep": { "type": "object", + "title": "Attack Path Step", + "description": "A single step in an attack path, describing one action in the progression of an attack.", "required": [ - "method" + "description" ], "additionalProperties": false, "properties": { - "method": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { "type": "string", - "enum": [ - "static-analysis", - "dynamic-analysis", - "penetration-test", - "code-review", - "architecture-review", - "automated-scan" - ], - "description": "Detection method type" + "title": "Name", + "description": "A short name for the step." }, "description": { "type": "string", - "description": "Description of the detection method" + "minLength": 1, + "title": "Description", + "description": "The action the adversary performs in this step." }, - "effectiveness": { - "type": "string", - "enum": [ - "low", - "medium", - "high" - ], - "description": "Effectiveness of the method" + "technique": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique", + "description": "The technique used in this step, typically aligned with MITRE ATT&CK." }, - "tools": { + "attackPattern": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the attack pattern applied in this step." + }, + "killChainPhase": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/killChainPhase", + "description": "The phase of the cyber kill chain at which this step operates." + }, + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the element or zone from which this step originates." + }, + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the element or zone this step reaches." 
+ }, + "boundaryCrossed": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the trust boundary this step crosses." + }, + "exploits": { "type": "array", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the weaknesses or vulnerabilities this step exploits." + }, + "mitigations": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Tools that implement this method" + "description": "References using bom-link or bom-ref to the controls that detect or prevent this step." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "securityPolicy": { + "attackPath": { "type": "object", + "title": "Attack Path", + "description": "An ordered sequence of steps that an adversary follows to progress from initial access toward an objective, crossing elements and trust boundaries. An attack path complements an attack tree: the tree decomposes a goal into alternatives, whereas the path expresses the temporal progression of a single attack, including lateral movement.", "required": [ "bom-ref", "name", - "type" + "steps" ], "additionalProperties": false, "properties": { 
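Review bot: `trustLevel` is described as "The trust level differential across the boundary", but the enum and its `meta:enum` entries name a single zone's level ("The boundary separates an untrusted zone."), so a reader cannot tell which side is meant or what the differential is; either the description should say it is the trust level of the less-trusted side, or the boundary should carry a level per side. `signature.type` `hash` says only "A cryptographic hash." and a bare digest is ambiguous to match against, so the `meta:enum` entry or the `value` description should state how the algorithm is conveyed, e.g. `"hash": "A cryptographic hash of an artefact; the algorithm must be identified in the description."`. `attackPathStep.bom-ref` is the only `bom-ref` in this hunk without a description, and `exploits` and `mitigations` lack the `title` their siblings carry.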
@@ -13242,144 +15448,54 @@ }, "name": { "type": "string", - "description": "Policy name" + "minLength": 1, + "title": "Name", + "description": "A human-readable name for the attack path." }, - "type": { + "description": { "type": "string", - "enum": [ - "access-control", - "data-protection", - "network-security", - "application-security", - "operational-security", - "compliance" - ], - "description": "Type of security policy" + "title": "Description", + "description": "A description of the attack path." }, - "description": { + "objective": { "type": "string", - "description": "Policy description" + "title": "Objective", + "description": "The attacker objective that the path works toward, such as exfiltrating data or achieving code execution." }, - "requirements": { + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the adversary that follows this path." + }, + "steps": { "type": "array", + "title": "Steps", + "minItems": 1, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPathStep" }, - "description": "Policy requirements" - }, - "enforcement": { - "type": "string", - "enum": [ - "mandatory", - "recommended", - "optional" - ], - "description": "Enforcement level" + "description": "The ordered steps of the path, from the initial action to the objective. The order of the array is significant." }, - "appliesTo": { + "realizes": { "type": "array", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Assets this policy applies to" + "description": "References using bom-link or bom-ref to the threats that this path realizes." 
}, - "exceptions": { + "relatedRisks": { "type": "array", + "uniqueItems": true, "items": { - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "Policy exceptions" - } - } - }, - "trustBoundary": { - "type": "object", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" - }, - { - "properties": { - "trustLevel": { - "type": "string", - "enum": [ - "untrusted", - "semi-trusted", - "trusted", - "highly-trusted" - ], - "description": "Trust level differential" - }, - "securityRequirements": { - "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements" - }, - "threatsAtBoundary": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "Threats that could exploit this boundary" - }, - "controlsAtBoundary": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "description": "Controls implemented at this boundary" - } - } - } - ] - }, - "boundarySecurityRequirements": { - "type": "object", - "additionalProperties": false, - "properties": { - "authenticationStrength": { - "type": "string", - "enum": [ - "none", - "weak", - "moderate", - "strong", - "very-strong" - ], - "description": "Required authentication strength" - }, - "authorizationGranularity": { - "type": "string", - "enum": [ - "coarse", - "medium", - "fine", - "very-fine" - ], - "description": "Authorization granularity required" + "description": "References using bom-link or bom-ref to the risks that this path contributes to." 
}, - "integrityVerification": { - "type": "boolean", - "description": "Whether integrity verification is required" - }, - "confidentialityProtection": { - "type": "boolean", - "description": "Whether confidentiality protection is required" - }, - "auditingLevel": { - "type": "string", - "enum": [ - "none", - "basic", - "detailed", - "comprehensive" - ], - "description": "Level of auditing required" + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }, - "dataValidationRules": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Data validation rules at boundary" + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } } @@ -13403,6 +15519,7 @@ "title": "Use Case", "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", "required": [ + "bom-ref", "name" ], "additionalProperties": false, @@ -13426,9 +15543,9 @@ "title": "Actors", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." + "description": "References using bom-link or bom-ref to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." }, "preconditions": { "type": "array", @@ -13451,6 +15568,7 @@ "mainFlow": { "type": "array", "title": "Main Flow", + "uniqueItems": true, "items": { "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" }, 
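Review bot: `attackPath.actor`, `realizes` and `relatedRisks` have no `title` while `name` and `steps` do, and `attackPathStep.source`, `destination` and `boundaryCrossed` in the previous hunk are likewise untitled, so generated documentation will present them inconsistently; `"title": "Actor"`, `"title": "Realizes"` and `"title": "Related Risks"` would match the rest of the file. Adding `uniqueItems` to the use case `mainFlow` rejects a flow that legitimately repeats an identical step object, such as a retry, because `uniqueItems` compares array elements structurally; if repeated steps are meant to be invalid the description should say so, otherwise the constraint belongs only on the reference arrays.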
@@ -13488,9 +15606,18 @@ "title": "Requirements", "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" }, - "description": "References to the requirements that are implemented, validated, or addressed by this use case" + "description": "References using bom-link or bom-ref to the requirements that are implemented, validated, or addressed by this use case." + }, + "businessObjectives": { + "type": "array", + "title": "Business Objectives", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the business objectives this use case supports." }, "notes": { "type": "array", @@ -13529,8 +15656,8 @@ "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." }, "actor": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "description": "Reference using bom-link or bom-ref to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." } } }, 
@@ -13604,6 +15731,72 @@ "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." } } + }, + "useCaseAssertions": { + "type": "array", + "title": "Use Case Assertions", + "description": "A list of assertions describing how a component relates to use cases defined in the BOM.", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Use Case Assertion", + "description": "An assertion linking one or more use cases to a component, specifying the nature of the relationship.", + "required": [ + "assertionType", + "useCaseRefs" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the relationship between the component and the use case.", + "enum": [ + "extends", + "implements", + "inhibits", + "not-applicable", + "not-assessed", + "other", + "participates-in", + "supports", + "triggers", + "validates" + ], + "meta:enum": { + "extends": "The component adds optional or conditional behavior to the use case, augmenting its primary flow with additional capability.", + "implements": "The component implements or realises the use case, providing the primary capability that makes the use case functional.", + "inhibits": "The component is known to interfere with or block the correct execution of the use case.", + "not-applicable": "The use case does not pertain to this component. 
The evaluator has reviewed the use case and determined it is irrelevant.", + "not-assessed": "The relationship between the component and the use case has not yet been evaluated.", + "other": "A relationship that does not fit into the other predefined assertion types.", + "participates-in": "The component participates in the use case but is not solely responsible for its implementation.", + "supports": "The component provides enabling infrastructure for the use case without directly implementing or participating in it.", + "triggers": "The component initiates or kicks off the use case without being responsible for its implementation.", + "validates": "The component validates, tests, or verifies the correct execution of the use case." + } + }, + "useCaseRefs": { + "type": "array", + "title": "Use Case References", + "description": "A list of BOM references linking to use case objects defined in the BOM.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "Additional context or clarification regarding the assertion." + } + } + } } } }, @@ -13682,16 +15875,9 @@ "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/rating" } }, - "cwes": { - "type": "array", - "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", - "examples": [ - 399 - ], - "items": { - "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe" - } + "weaknesses": { + "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weaknesses", + "description": "The weaknesses, such as CWE classifications, that give rise to this vulnerability." }, "description": { "type": "string", 
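Review bot: `useCaseRefs` is listed in `required` but its array schema has no `minItems`, so an assertion with `"useCaseRefs": []` validates while asserting nothing. The `mitigatingControls` array added later in this patch (`@@ -13832`) carries `"minItems": 1` and the same belongs here; add `"minItems": 1,` next to `"uniqueItems": true` in `useCaseRefs`. The `required` list does not include `bom-ref`, unlike the use-case object itself (`@@ -13403`), which is fine if assertions are never the target of a bom-link, but the `bom-ref` description should then say it is optional. The enclosing `$defs` object of `cyclonedx-usecase-2.0` begins before this hunk.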
@@ -13832,6 +16018,16 @@ "justification": { "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification" }, + "mitigatingControls": { + "type": "array", + "title": "Mitigating Controls", + "uniqueItems": true, + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "description": "References using bom-link or bom-ref to the controls that prevent or reduce the exploitability or impact of the vulnerability. Substantiates justifications such as protected_by_mitigating_control, protected_at_perimeter, and protected_at_runtime." + }, "response": { "type": "array", "title": "Response", @@ -13968,12 +16164,6 @@ } } }, - "cwe": { - "type": "integer", - "minimum": 1, - "title": "CWE", - "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" - }, "severity": { "type": "string", "title": "Severity", @@ -14065,7 +16255,7 @@ "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", "protected_at_runtime": "Exploits are prevented at runtime.", "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", - "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + "protected_by_mitigating_control": "Preventive measures have been implemented that reduce the likelihood or impact of the vulnerability, or both. The controls may be referenced using the mitigatingControls property." } }, "rating": { 
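Review bot: The description says `mitigatingControls` substantiates `protected_by_mitigating_control`, `protected_at_perimeter` and `protected_at_runtime`, but no schema constraint relates the property to `justification`: an analysis with one of those justifications still validates with the controls omitted, and the controls may equally be supplied alongside an unrelated justification. If the link is meant to be enforceable, an `if`/`then` on `justification` that requires `mitigatingControls` would do it; if it is advisory, make that explicit by appending `This property is informative; the schema does not require it for any justification.` to the description. The same expectation is now also stated in the `protected_by_mitigating_control` text in the hunk at `@@ -14065`, so both places should agree on whether the reference is optional. The enclosing analysis object begins and ends outside this hunk.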
@@ -14146,6 +16336,74 @@ } } }, + "cyclonedx-weakness-2.0": { + "type": "null", + "title": "CycloneDX Weakness Model", + "$defs": { + "weaknesses": { + "type": "array", + "title": "Weaknesses", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-weakness-2.0/$defs/weakness" + }, + "description": "A collection of weaknesses, such as CWE classifications, that classify an underlying flaw." + }, + "weakness": { + "title": "Weakness", + "description": "A classification of an underlying weakness, given either by a Common Weakness Enumeration (CWE) identifier or by a free-text name with an optional description. The exploitability and the affected scope are expressed by the vulnerability or threat that references the weakness, not on the weakness itself.", + "oneOf": [ + { + "type": "object", + "title": "CWE Weakness", + "description": "A weakness identified by its CWE identifier.", + "additionalProperties": false, + "required": [ + "cweId" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link." + }, + "cweId": { + "type": "integer", + "minimum": 1, + "title": "CWE Identifier", + "description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness." + } + } + }, + { + "type": "object", + "title": "Named Weakness", + "description": "A weakness identified by a free-text name, used where no CWE classification applies.", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An optional identifier which can be used to reference the weakness elsewhere using a bom-ref or bom-link." + }, + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the weakness." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the weakness." + } + } + } + ] + } + } + }, "cyclonedx-2.0": { "type": "object", "title": "CycloneDX Transparency Expression Language", @@ -14158,6 +16416,9 @@ "$schema": { "type": "string" }, + "$comment": { + "type": "string" + }, "specFormat": { "type": "string", "title": "Specification Format", @@ -14209,6 +16470,15 @@ "vulnerabilities": { "$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities" }, + "threats": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threats" + }, + "risks": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risks" + }, + "controls": { + "$ref": "#/$defs/cyclonedx-control-2.0/$defs/controls" + }, "annotations": { "$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations" }, @@ -14224,6 +16494,9 @@ "blueprints": { "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints" }, + "profiles": { + "$ref": "#/$defs/cyclonedx-profile-2.0/$defs/profiles" + }, "citations": { "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations" },
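Review bot: The new `cweId` property drops the `examples` annotation (`399`) and the pointer to cwe.mitre.org that the removed `cwe` definition carried (hunk at `@@ -13968`), so the schema documents the expected value less well than before. Add `"examples": [399]` to `cweId` and keep the data source in its description, e.g. `"description": "The Common Weakness Enumeration (CWE) identifier that classifies this weakness, for example 399 (https://cwe.mitre.org/data/definitions/399.html)."`. Note also that `uniqueItems` on `weaknesses` compares whole objects, so two entries with the same `cweId` but different `bom-ref` values both pass; the `weaknesses` description should state whether duplicate identifiers are permitted.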
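Review bot: The added `risks` and `controls` properties point at `#/$defs/cyclonedx-risk-2.0/$defs/risks` and `#/$defs/cyclonedx-control-2.0/$defs/controls`, and `profiles` in the following hunk (`@@ -14224`) at `#/$defs/cyclonedx-profile-2.0/$defs/profiles`; none of those `$defs` groups is visible in this chunk. If they are not introduced elsewhere in this patch, the root schema fails on `$ref` resolution in strict validators and every document is rejected, not just those using the new properties. Please confirm the targets are defined in this commit, or add them alongside `cyclonedx-weakness-2.0` above.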