{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json",
"type": "object",
"title": "CycloneDX Transparency Expression Language",
"$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
"required": [
"specFormat",
"specVersion"
],
"additionalProperties": false,
"properties": {
"$schema": {
"type": "string"
},
"specFormat": {
"type": "string",
"title": "Specification Format",
"description": "Specifies the format. This value shall be \"CycloneDX\".",
"enum": [
"CycloneDX"
]
},
"specVersion": {
"type": "string",
"title": "Specification Version",
"description": "The version of the CycloneDX specification the BOM conforms to.",
"examples": [
"2.0"
]
},
"serialNumber": {
"type": "string",
"title": "BOM Serial Number",
"description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
"examples": [
"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
],
"pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
},
"version": {
"type": "integer",
"title": "BOM Version",
"description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.",
"minimum": 1,
"default": 1
},
"metadata": {
"$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/metadata"
},
"components": {
"$ref": "#/$defs/cyclonedx-component-2.0/$defs/components",
"description": "A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."
},
"services": {
"$ref": "#/$defs/cyclonedx-service-2.0/$defs/services"
},
"dependencies": {
"$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"
},
"compositions": {
"$ref": "#/$defs/cyclonedx-composition-2.0/$defs/compositions"
},
"vulnerabilities": {
"$ref": "#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"
},
"annotations": {
"$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotations"
},
"formulation": {
"$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formulation"
},
"declarations": {
"$ref": "#/$defs/cyclonedx-declaration-2.0/$defs/declarations"
},
"definitions": {
"$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
},
"citations": {
"$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
},
"properties": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
},
"externalReferences": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
},
"signature": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature"
}
},
"allOf": [
{
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"
}
],
"$defs": {
"cyclonedx-ai-modelcard-2.0": {
"type": "null",
"title": "CycloneDX AI Model Card",
"$defs": {
"modelCard": {
"$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.",
"type": "object",
"title": "Model Card",
"description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.",
"additionalProperties": false,
"properties": {
"bom-ref": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
"title": "BOM Reference",
"description": "An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links."
},
"modelParameters": {
"type": "object",
"title": "Model Parameters",
"description": "Hyper-parameters for construction of the model.",
"additionalProperties": false,
"properties": {
"approach": {
"type": "object",
"title": "Approach",
"description": "The overall approach to learning used by the model for problem solving.",
"additionalProperties": false,
"properties": {
"type": {
"type": "string",
"title": "Learning Type",
"description": "Learning types describing the learning problem or hybrid learning problem.",
"enum": [
"supervised",
"unsupervised",
"reinforcement-learning",
"semi-supervised",
"self-supervised"
],
"meta:enum": {
"supervised": "Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.",
"unsupervised": "Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.",
"reinforcement-learning": "Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.",
"semi-supervised": "Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.",
"self-supervised": "Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."
}
}
}
},
"task": {
"type": "string",
"title": "Task",
"description": "Directly influences the input and/or output. Examples include classification, regression, clustering, etc."
},
"architectureFamily": {
"type": "string",
"title": "Architecture Family",
"description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."
},
"modelArchitecture": {
"type": "string",
"title": "Model Architecture",
"description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."
},
"datasets": {
"type": "array",
"title": "Datasets",
"description": "The datasets used to train and evaluate the model.",
"items": {
"oneOf": [
{
"title": "Inline Data Information",
"$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData"
},
{
"type": "object",
"title": "Data Reference",
"additionalProperties": false,
"properties": {
"ref": {
"anyOf": [
{
"title": "Ref",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
}
],
"title": "Reference",
"type": "string",
"description": "References a data component by the component's bom-ref attribute."
}
}
}
]
}
},
"inputs": {
"type": "array",
"title": "Inputs",
"description": "The input format(s) of the model",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"
}
},
"outputs": {
"type": "array",
"title": "Outputs",
"description": "The output format(s) from the model",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"
}
}
}
},
"quantitativeAnalysis": {
"type": "object",
"title": "Quantitative Analysis",
"description": "A quantitative analysis of the model",
"additionalProperties": false,
"properties": {
"performanceMetrics": {
"type": "array",
"title": "Performance Metrics",
"description": "The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"
}
},
"graphics": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"
}
}
},
"considerations": {
"type": "object",
"title": "Considerations",
"description": "What considerations should be taken into account regarding the model's construction, training, and application?",
"additionalProperties": false,
"properties": {
"users": {
"type": "array",
"title": "Users",
"description": "Who are the intended users of the model?",
"items": {
"type": "string"
}
},
"useCases": {
"type": "array",
"title": "Use Cases",
"description": "What are the intended use cases of the model?",
"items": {
"type": "string"
}
},
"technicalLimitations": {
"type": "array",
"title": "Technical Limitations",
"description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?",
"items": {
"type": "string"
}
},
"performanceTradeoffs": {
"type": "array",
"title": "Performance Tradeoffs",
"description": "What are the known tradeoffs in accuracy/performance of the model?",
"items": {
"type": "string"
}
},
"ethicalConsiderations": {
"type": "array",
"title": "Ethical Considerations",
"description": "What are the ethical risks involved in the application of this model?",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"
}
},
"environmentalConsiderations": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations",
"title": "Environmental Considerations",
"description": "What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"
},
"fairnessAssessments": {
"type": "array",
"title": "Fairness Assessments",
"description": "How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"
}
}
}
},
"properties": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
}
}
},
"inputOutputMLParameters": {
"type": "object",
"title": "Input and Output Parameters",
"additionalProperties": false,
"properties": {
"format": {
"title": "Input/Output Format",
"description": "The data format for input/output to the model.",
"type": "string",
"examples": [
"string",
"image",
"time-series"
]
}
}
},
"environmentalConsiderations": {
"type": "object",
"title": "Environmental Considerations",
"description": "Describes various environmental impact metrics.",
"additionalProperties": false,
"properties": {
"energyConsumptions": {
"title": "Energy Consumptions",
"description": "Describes energy consumption information incurred for one or more component lifecycle activities.",
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"
}
},
"properties": {
"type": "array",
"title": "Properties",
"description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
"items": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/property"
}
}
}
},
"energyConsumption": {
"title": "Energy consumption",
"description": "Describes energy consumption information incurred for the specified lifecycle activity.",
"type": "object",
"required": [
"activity",
"energyProviders",
"activityEnergyCost"
],
"additionalProperties": false,
"properties": {
"activity": {
"type": "string",
"title": "Activity",
"description": "The type of activity that is part of a machine learning model development or operational lifecycle.",
"enum": [
"design",
"data-collection",
"data-preparation",
"training",
"fine-tuning",
"validation",
"deployment",
"inference",
"other"
],
"meta:enum": {
"design": "A model design including problem framing, goal definition and algorithm selection.",
"data-collection": "Model data acquisition including search, selection and transfer.",
"data-preparation": "Model data preparation including data cleaning, labeling and conversion.",
"training": "Model building, training and generalized tuning.",
"fine-tuning": "Refining a trained model to produce desired outputs for a given problem space.",
"validation": "Model validation including model output evaluation and testing.",
"deployment": "Explicit model deployment to a target hosting infrastructure.",
"inference": "Generating an output response from a hosted model from a set of inputs.",
"other": "A lifecycle activity type whose description does not match currently defined values."
}
},
"energyProviders": {
"title": "Energy Providers",
"description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.",
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"
}
},
"activityEnergyCost": {
"title": "Activity Energy Cost",
"description": "The total energy cost associated with the model lifecycle activity.",
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"
},
"co2CostEquivalent": {
"title": "CO2 Equivalent Cost",
"description": "The CO2 cost (debit) equivalent to the total energy cost.",
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"
},
"co2CostOffset": {
"title": "CO2 Cost Offset",
"description": "The CO2 offset (credit) for the CO2 equivalent cost.",
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"
},
"properties": {
"type": "array",
"title": "Properties",
"description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
"items": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/property"
}
}
}
},
"energyMeasure": {
"type": "object",
"title": "Energy Measure",
"description": "A measure of energy.",
"required": [
"value",
"unit"
],
"additionalProperties": false,
"properties": {
"value": {
"type": "number",
"title": "Value",
"description": "Quantity of energy."
},
"unit": {
"type": "string",
"enum": [
"kWh"
],
"title": "Unit",
"description": "Unit of energy.",
"meta:enum": {
"kWh": "Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."
}
}
}
},
"co2Measure": {
"type": "object",
"title": "CO2 Measure",
"description": "A measure of carbon dioxide (CO2).",
"required": [
"value",
"unit"
],
"additionalProperties": false,
"properties": {
"value": {
"type": "number",
"title": "Value",
"description": "Quantity of carbon dioxide (CO2)."
},
"unit": {
"type": "string",
"enum": [
"tCO2eq"
],
"title": "Unit",
"description": "Unit of carbon dioxide (CO2).",
"meta:enum": {
"tCO2eq": "Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."
}
}
}
},
"energyProvider": {
"type": "object",
"title": "Energy Provider",
"description": "Describes the physical provider of energy used for model development or operations.",
"required": [
"organization",
"energySource",
"energyProvided"
],
"additionalProperties": false,
"properties": {
"bom-ref": {
"title": "BOM Reference",
"description": "An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links.",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
},
"description": {
"type": "string",
"title": "Description",
"description": "A description of the energy provider."
},
"organization": {
"type": "object",
"title": "Organization",
"description": "The organization that provides energy.",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
},
"energySource": {
"type": "string",
"enum": [
"coal",
"oil",
"natural-gas",
"nuclear",
"wind",
"solar",
"geothermal",
"hydropower",
"biofuel",
"unknown",
"other"
],
"meta:enum": {
"coal": "Energy produced by types of coal.",
"oil": "Petroleum products (primarily crude oil and its derivative fuel oils).",
"natural-gas": "Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.",
"nuclear": "Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).",
"wind": "Energy produced from moving air.",
"solar": "Energy produced from the sun (i.e., solar radiation).",
"geothermal": "Energy produced from heat within the earth.",
"hydropower": "Energy produced from flowing water.",
"biofuel": "Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).",
"unknown": "The energy source is unknown.",
"other": "An energy source that is not listed."
},
"title": "Energy Source",
"description": "The energy source for the energy provider."
},
"energyProvided": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure",
"title": "Energy Provided",
"description": "The energy provided by the energy source for an associated activity."
},
"externalReferences": {
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
},
"title": "External References",
"description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
}
}
},
"graphicsCollection": {
"type": "object",
"title": "Graphics Collection",
"description": "A collection of graphics that represent various measurements.",
"additionalProperties": false,
"properties": {
"description": {
"title": "Description",
"description": "A description of this collection of graphics.",
"type": "string"
},
"collection": {
"title": "Collection",
"description": "A collection of graphics.",
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"
}
}
}
},
"graphic": {
"type": "object",
"title": "Graphic",
"additionalProperties": false,
"properties": {
"name": {
"title": "Name",
"description": "The name of the graphic.",
"type": "string"
},
"image": {
"title": "Graphic Image",
"description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
}
}
},
"performanceMetric": {
"type": "object",
"title": "Performance Metric",
"additionalProperties": false,
"properties": {
"type": {
"title": "Type",
"description": "The type of performance metric.",
"type": "string"
},
"value": {
"title": "Value",
"description": "The value of the performance metric.",
"type": "string"
},
"slice": {
"title": "Slice",
"description": "The name of the slice this metric was computed on. By default, assume this metric is not sliced.",
"type": "string"
},
"confidenceInterval": {
"title": "Confidence Interval",
"description": "The confidence interval of the metric.",
"type": "object",
"additionalProperties": false,
"properties": {
"lowerBound": {
"title": "Lower Bound",
"description": "The lower bound of the confidence interval.",
"type": "string"
},
"upperBound": {
"title": "Upper Bound",
"description": "The upper bound of the confidence interval.",
"type": "string"
}
}
}
}
},
"risk": {
"type": "object",
"title": "Risk",
"additionalProperties": false,
"properties": {
"name": {
"title": "Name",
"description": "The name of the risk.",
"type": "string"
},
"mitigationStrategy": {
"title": "Mitigation Strategy",
"description": "Strategy used to address this risk.",
"type": "string"
}
}
},
"fairnessAssessment": {
"type": "object",
"title": "Fairness Assessment",
"description": "Information about the benefits and harms of the model to an identified at risk group.",
"additionalProperties": false,
"properties": {
"groupAtRisk": {
"type": "string",
"title": "Group at Risk",
"description": "The groups or individuals at risk of being systematically disadvantaged by the model."
},
"benefits": {
"type": "string",
"title": "Benefits",
"description": "Expected benefits to the identified groups."
},
"harms": {
"type": "string",
"title": "Harms",
"description": "Expected harms to the identified groups."
},
"mitigationStrategy": {
"type": "string",
"title": "Mitigation Strategy",
"description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."
}
}
}
}
},
"cyclonedx-annotation-2.0": {
"type": "null",
"title": "CycloneDX Annotation Model",
"$defs": {
"annotations": {
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-annotation-2.0/$defs/annotation"
},
"uniqueItems": true,
"title": "Annotations",
"description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."
},
"annotation": {
"type": "object",
"title": "Annotation",
"description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.",
"required": [
"subjects",
"annotator",
"timestamp",
"text"
],
"additionalProperties": false,
"properties": {
"bom-ref": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
"title": "BOM Reference",
"description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links."
},
"subjects": {
"type": "array",
"uniqueItems": true,
"items": {
"anyOf": [
{
"title": "Ref",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
}
]
},
"title": "Subjects",
"description": "The objects in the BOM, identified by their bom-refs. These are often components or services, but may be any object type supporting bom-refs."
},
"annotator": {
"type": "object",
"title": "Annotator",
"description": "The organization, person, component, or service which created the textual content of the annotation.",
"oneOf": [
{
"required": [
"organization"
]
},
{
"required": [
"individual"
]
},
{
"required": [
"component"
]
},
{
"required": [
"service"
]
}
],
"additionalProperties": false,
"properties": {
"organization": {
"description": "The organization that created the annotation",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
},
"individual": {
"description": "The person that created the annotation",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
},
"component": {
"description": "The tool or component that created the annotation",
"$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
},
"service": {
"description": "The service that created the annotation",
"$ref": "#/$defs/cyclonedx-service-2.0/$defs/service"
}
}
},
"timestamp": {
"type": "string",
"format": "date-time",
"title": "Timestamp",
"description": "The date and time (timestamp) when the annotation was created."
},
"text": {
"type": "string",
"title": "Text",
"description": "The textual content of the annotation."
},
"signature": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
"title": "Signature",
"description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
}
}
}
}
},
"cyclonedx-citation-2.0": {
"type": "null",
"title": "CycloneDX Citation Model",
"$defs": {
"citations": {
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation"
},
"uniqueItems": true,
"title": "Citations",
"description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM."
},
"citation": {
"type": "object",
"title": "Citation",
"description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
"additionalProperties": false,
"properties": {
"bom-ref": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
"title": "BOM Reference"
},
"pointers": {
"type": "array",
"items": {
"type": "string",
"title": "Field Reference",
"description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."
},
"minItems": 1,
"title": "Field References",
"description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
},
"expressions": {
"type": "array",
"items": {
"type": "string",
"title": "Path Expression",
"description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."
},
"minItems": 1,
"title": "Path Expressions",
"description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
},
"timestamp": {
"type": "string",
"format": "date-time",
"title": "Timestamp",
"description": "The date and time when the attribution was made or the information was supplied."
},
"attributedTo": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
"title": "Attributed To",
"description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
},
"process": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
"title": "Process Reference",
"description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
},
"note": {
"type": "string",
"title": "Note",
"description": "A description or comment about the context or quality of the data attribution."
},
"signature": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
"title": "Signature",
"description": "A digital signature verifying the authenticity or integrity of the attribution."
}
},
"required": [
"timestamp"
],
"anyOf": [
{
"required": [
"attributedTo"
]
},
{
"required": [
"process"
]
}
],
"oneOf": [
{
"required": [
"pointers"
]
},
{
"required": [
"expressions"
]
}
]
}
}
},
"cyclonedx-common-2.0": {
"type": "null",
"title": "CycloneDX Common Model",
"$defs": {
"refType": {
"description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links.",
"type": "string",
"minLength": 1,
"$comment": "TODO (breaking change): add a format constraint that prevents the value from starting with 'urn:cdx:'"
},
"refLinkType": {
"description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
},
"bomLinkDocumentType": {
"title": "BOM-Link Document",
"description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
"type": "string",
"format": "iri-reference",
"pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
"$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
},
"bomLinkElementType": {
"title": "BOM-Link Element",
"description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/",
"type": "string",
"format": "iri-reference",
"pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
"$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
},
"bomLink": {
"title": "BOM-Link",
"anyOf": [
{
"title": "BOM-Link Document",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"
},
{
"title": "BOM-Link Element",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"
}
]
},
"hash": {
"type": "object",
"title": "Hash",
"required": [
"alg",
"content"
],
"additionalProperties": false,
"properties": {
"alg": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"
},
"content": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue"
}
}
},
"hashAlgorithm": {
"type": "string",
"title": "Hash Algorithm",
"description": "The algorithm that generated the hash value.",
"enum": [
"MD5",
"SHA-1",
"SHA-256",
"SHA-384",
"SHA-512",
"SHA3-256",
"SHA3-384",
"SHA3-512",
"BLAKE2b-256",
"BLAKE2b-384",
"BLAKE2b-512",
"BLAKE3",
"Streebog-256",
"Streebog-512"
]
},
"hashValue": {
"type": "string",
"title": "Hash Value",
"description": "The value of the hash.",
"examples": [
"3942447fac867ae5cdb3229b658f4d48"
],
"pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"
},
"mediaType": {
"type": "string",
"title": "Media Type",
"description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.",
"examples": [
"text/plain",
"application/json",
"image/png"
],
"pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
},
"attachment": {
"type": "object",
"title": "Attachment",
"description": "Specifies the metadata and content for an attachment.",
"required": [
"content"
],
"additionalProperties": false,
"properties": {
"mediaType": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType"
},
"encoding": {
"type": "string",
"title": "Encoding",
"description": "Specifies the optional encoding the text is represented in.",
"enum": [
"base64"
],
"meta:enum": {
"base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."
}
},
"content": {
"type": "string",
"title": "Attachment Text",
"description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."
}
}
},
"base64": {
"type": "string",
"pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$",
"description": "A Base64-encoded string."
},
"externalReferences": {
"type": "array",
"items": {
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference"
},
"title": "External References",
"description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
},
"externalReference": {
"type": "object",
"title": "External Reference",
"description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
"required": [
"url",
"type"
],
"additionalProperties": false,
"properties": {
"url": {
"anyOf": [
{
"title": "URL",
"type": "string",
"format": "iri-reference"
},
{
"title": "BOM-Link",
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink"
}
],
"title": "URL",
"description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."
},
"comment": {
"type": "string",
"title": "Comment",
"description": "A comment describing the external reference"
},
"type": {
"type": "string",
"title": "Type",
"description": "Specifies the type of external reference.",
"enum": [
"vcs",
"issue-tracker",
"website",
"advisories",
"bom",
"mailing-list",
"social",
"chat",
"documentation",
"support",
"source-distribution",
"distribution",
"distribution-intake",
"license",
"build-meta",
"build-system",
"release-notes",
"security-contact",
"model-card",
"log",
"configuration",
"evidence",
"formulation",
"attestation",
"threat-model",
"adversary-model",
"risk-assessment",
"vulnerability-assertion",
"exploitability-statement",
"pentest-report",
"static-analysis-report",
"dynamic-analysis-report",
"runtime-analysis-report",
"component-analysis-report",
"maturity-report",
"certification-report",
"codified-infrastructure",
"quality-metrics",
"poam",
"electronic-signature",
"digital-signature",
"rfc-9116",
"patent",
"patent-family",
"patent-assertion",
"citation",
"other"
],
"meta:enum": {
"vcs": "Version Control System",
"issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system",
"website": "Website",
"advisories": "Security advisories",
"bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)",
"mailing-list": "Mailing list or discussion group",
"social": "Social media account",
"chat": "Real-time chat platform",
"documentation": "Documentation, guides, or how-to instructions",
"support": "Community or commercial support",
"source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.",
"distribution": "Direct or repository download location",
"distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" bu