diff --git a/schema/2.0/README.md b/schema/2.0/README.md
new file mode 100644
index 00000000..81d9ba25
--- /dev/null
+++ b/schema/2.0/README.md
@@ -0,0 +1,32 @@
+# CycloneDX 2.0 Schemas
+
+This directory contains the official JSON Schema definitions for CycloneDX 2.0, as standardised in [ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). These schemas constitute the normative implementation of the CycloneDX specification and are intended for use in validation, tooling, and data exchange.
+
+## Schema Overview
+
+| File | Description |
+|--------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`cyclonedx-2.0.schema.json`](./cyclonedx-2.0.schema.json) | The normative schema for CycloneDX Bill of Materials (BOM) documents. This schema references modular models and defines the complete structure for expressing inventories and metadata. |
+| [`cyclonedx-api-2.0.schema.json`](./cyclonedx-api-2.0.schema.json) | The normative API-focused schema. It reuses CycloneDX models but is structured for compatibility with request/response patterns in service architectures. |
+| [`cyclonedx-combined-2.0.schema.json`](./cyclonedx-combined-2.0.schema.json) | A fully resolved version of the BOM schema with all external model references inlined. Useful for systems that require a self-contained schema. |
+| [`cyclonedx-api-combined-2.0.schema.json`](./cyclonedx-api-combined-2.0.schema.json) | The combined version of the API schema with all model definitions embedded. Suitable for use in tools or validators that do not support `$ref` resolution. |
+
+## Modularity and Model Composition
+
+CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, services, vulnerabilities, licensing, and AI/ML metadata—are encapsulated in reusable model definitions located in the [`model/`](./model) directory.
+
+This modular architecture promotes:
+
+- **Consistency** across multiple schema contexts
+- **Reusability** of models within and beyond CycloneDX
+- **Clarity and maintainability** for implementers
+
+## Combined Schemas
+
+The `*-combined` schema files are auto-generated from the normative schemas by resolving all references. These are provided for convenience and do not supersede the authoritative pre-defined schemas.
+
+## Related Resources
+
+- CycloneDX Website: [https://cyclonedx.org](https://cyclonedx.org)
+- ECMA-424 Publication: [https://ecma-international.org/publications-and-standards/standards/ecma-424/](https://ecma-international.org/publications-and-standards/standards/ecma-424/)
+- Model Definitions: See [`model/README.md`](./model/README.md)
diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json
new file mode 100644
index 00000000..78ab4913
--- /dev/null
+++ b/schema/2.0/cyclonedx-2.0.schema.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-2.0.schema.json",
+ "type": "object",
+ "title": "CycloneDX Transparency Expression Language",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "required": [
+ "specFormat",
+ "specVersion"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "$schema": {
+ "type": "string"
+ },
+ "specFormat": {
+ "type": "string",
+ "title": "Specification Format",
+ "description": "Specifies the format. This value must be \"CycloneDX\".",
+ "enum": [
+ "CycloneDX"
+ ]
+ },
+ "specVersion": {
+ "type": "string",
+ "title": "Specification Version",
+ "description": "The version of the CycloneDX specification the BOM conforms to.",
+ "examples": [
+ "2.0"
+ ]
+ },
+ "serialNumber": {
+ "type": "string",
+ "title": "BOM Serial Number",
+ "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
+ "examples": [
+ "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+ ],
+ "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+ },
+ "version": {
+ "type": "integer",
+ "title": "BOM Version",
+ "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.",
+ "minimum": 1,
+ "default": 1
+ }
+ },
+ "allOf": [
+ { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/extensibleProperties" }
+ ]
+}
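Review bot: The closing `allOf` cannot validate a real BOM as written: `extensibleProperties` (added in the common schema later in this patch) carries `"additionalProperties": false` with no `properties` of its own, so an instance holding the required `specFormat`/`specVersion` fails that branch, and conversely the top-level `"additionalProperties": false` here only sees this object's own `properties` and would reject any `ext:` key the referenced `patternProperties` is meant to admit. In draft 2020-12 the fix is to remove `additionalProperties: false` from both objects and close the BOM with `"unevaluatedProperties": false` at this top level, which does account for properties matched through `allOf`/`$ref`. Separately, `$id` is a plain-http `localhost:8080` URL and the `$ref` names `cyclonedx-common-2.0.schema.json` without the `model/` directory the file is actually added under, so a validator that maps refs to the on-disk layout, or one that fetches unknown `$id`s, will either fail to resolve or reach out to a local port instead of a published location. `specVersion` is also only illustrated by an example; a `"const": "2.0"` (or at least a pattern) would stop a document claiming another version from validating against this schema.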
diff --git a/schema/2.0/cyclonedx-api-2.0.schema.json b/schema/2.0/cyclonedx-api-2.0.schema.json
new file mode 100644
index 00000000..2d892730
--- /dev/null
+++ b/schema/2.0/cyclonedx-api-2.0.schema.json
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-api-2.0.schema.json",
+ "type": "object",
+ "title": "CycloneDX Transparency Expression Language: API",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+
+ }
+}
diff --git a/schema/2.0/model/README.md b/schema/2.0/model/README.md
new file mode 100644
index 00000000..307e0068
--- /dev/null
+++ b/schema/2.0/model/README.md
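Review bot: With an empty `$defs` and no `properties`, `required` or `additionalProperties`, this schema accepts every JSON object, yet the README in the same patch presents it as the normative API schema; anyone wiring it into request validation today gets no checking at all. If it is a placeholder, say so where tooling will surface it, e.g. `"$comment": "Placeholder: API models not yet defined; this schema currently accepts any object."`, or close it with `"additionalProperties": false` until the API models exist. The `$id` also points at `http://localhost:8080/...` and should be the published URL before this is released.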
@@ -0,0 +1,40 @@
+# CycloneDX 2.0 Model Definitions
+
+This directory contains the modular JSON Schema definitions that constitute the building blocks of the CycloneDX 2.0 specification.
+
+## Purpose
+
+The model definitions are:
+
+- **Reusable** across different schemas such as `bom.schema.json` and `api.schema.json`
+- **Compositional**, enabling coherent and maintainable schema evolution
+- **Portable**, supporting external reuse outside the CycloneDX context
+
+Each file in this directory defines a discrete concept and adheres to the CycloneDX data modelling conventions.
+
+These models are compiled into the schemas in the parent directory, ensuring consistency and maximising reuse.
+
+| Schema File | Purpose |
+|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| [`cyclonedx-ai-model-parameters-2.0.schema.json`](./cyclonedx-ai-model-parameters-2.0.schema.json) | Defines configuration and metadata for AI/ML training, evaluation, and deployment parameters. |
+| [`cyclonedx-ai-modelcard-2.0.schema.json`](./cyclonedx-ai-modelcard-2.0.schema.json) | Describes AI/ML model cards including intended use, limitations, and ethical considerations. |
+| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json) | Represents human or automated comments about BOM elements, such as components or services. |
+| [`cyclonedx-common-2.0.schema.json`](./cyclonedx-common-2.0.schema.json) | Provides common types and base definitions used across all other schemas. |
+| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json) | Models hardware, software, data, cryptographic, and AI components and their attributes.
|
+| [`cyclonedx-composition-2.0.schema.json`](./cyclonedx-composition-2.0.schema.json) | Indicates the known and unknown completeness of BOM elements and their relationships. |
+| [`cyclonedx-cryptography-2.0.schema.json`](./cyclonedx-cryptography-2.0.schema.json) | Defines cryptographic properties, including algorithms, keys, and post-quantum cryptographic readiness. |
+| [`cyclonedx-declaration-2.0.schema.json`](./cyclonedx-declaration-2.0.schema.json) | Structures conformance declarations, claims, attestations, and associated evidence. |
+| [`cyclonedx-definition-2.0.schema.json`](./cyclonedx-definition-2.0.schema.json) | Contains reusable definitions and enums referenced by other schemas. |
+| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json) | Captures dependency relationships among components and services in the BOM. |
+| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json) | Describes the process of manufacturing, building, or deploying a component or service. |
+| [`cyclonedx-license-2.0.schema.json`](./cyclonedx-license-2.0.schema.json) | Models software licences using SPDX IDs, named licences, and optional full text. |
+| [`cyclonedx-licensing-2.0.schema.json`](./cyclonedx-licensing-2.0.schema.json) | Expands on licence metadata with purchaser, licensee, terms, and validity periods. |
+| [`cyclonedx-metadata-2.0.schema.json`](./cyclonedx-metadata-2.0.schema.json) | Contains metadata about the BOM, such as authorship, tools used, and timestamps. |
+| [`cyclonedx-patent-2.0.schema.json`](./cyclonedx-patent-2.0.schema.json) | Represents patents relevant to components, including jurisdiction and legal status. |
+| [`cyclonedx-patent-assertion-2.0.schema.json`](./cyclonedx-patent-assertion-2.0.schema.json) | Defines legal claims or disclaimers associated with patents.
|
+| [`cyclonedx-patent-family-2.0.schema.json`](./cyclonedx-patent-family-2.0.schema.json) | Groups related patents across different jurisdictions into patent families. |
+| [`cyclonedx-release-notes-2.0.schema.json`](./cyclonedx-release-notes-2.0.schema.json) | Specifies structured release note content, including changes and version history. |
+| [`cyclonedx-service-2.0.schema.json`](./cyclonedx-service-2.0.schema.json) | Models services such as APIs or microservices, including endpoints and interactions. |
+| [`cyclonedx-standard-2.0.schema.json`](./cyclonedx-standard-2.0.schema.json) | Describes standards, regulations, and frameworks referenced in BOM declarations. |
+| [`cyclonedx-vulnerability-2.0.schema.json`](./cyclonedx-vulnerability-2.0.schema.json) | Details vulnerabilities, including severity, remediation, and advisories. |
+
diff --git a/schema/2.0/model/cyclonedx-ai-model-parameters-2.0.schema.json b/schema/2.0/model/cyclonedx-ai-model-parameters-2.0.schema.json
new file mode 100644
index 00000000..3fbc04a5
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-ai-model-parameters-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-ai-model-parameters-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: AI Model Parameters",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-ai-modelcard-2.0.schema.json b/schema/2.0/model/cyclonedx-ai-modelcard-2.0.schema.json
new file mode 100644
index 00000000..710650e4
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-ai-modelcard-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-ai-modelcard-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: AI Model Card",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-annotation-2.0.schema.json b/schema/2.0/model/cyclonedx-annotation-2.0.schema.json
new file mode 100644
index 00000000..845868ec
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-annotation-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-annotation-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Annotation",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json
new file mode 100644
index 00000000..dfa83ebf
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json
@@ -0,0 +1,660 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-common-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Common",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ "refType": {
+ "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "type": "string",
+ "minLength": 1,
+ "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'"
+ },
+ "refLinkType": {
+ "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
+ "$ref": "#/$defs/refType"
+ },
+ "bomLinkDocumentType": {
+ "title": "BOM-Link Document",
+ "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLinkElementType": {
+ "title": "BOM-Link Element",
+ "description": "Descriptor for an element in a BOM document.
See https://cyclonedx.org/capabilities/bomlink/",
+ "type": "string",
+ "format": "iri-reference",
+ "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
+ "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
+ },
+ "bomLink": {
+ "title": "BOM-Link",
+ "anyOf": [
+ {
+ "title": "BOM-Link Document",
+ "$ref": "#/$defs/bomLinkDocumentType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "#/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "hash": {
+ "type": "object",
+ "title": "Hash",
+ "required": [
+ "alg",
+ "content"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "alg": {
+ "$ref": "#/$defs/hashAlgorithm"
+ },
+ "content": {
+ "$ref": "#/$defs/hashValue"
+ }
+ }
+ },
+ "hashAlgorithm": {
+ "type": "string",
+ "title": "Hash Algorithm",
+ "description": "The algorithm that generated the hash value.",
+ "enum": [
+ "MD5",
+ "SHA-1",
+ "SHA-256",
+ "SHA-384",
+ "SHA-512",
+ "SHA3-256",
+ "SHA3-384",
+ "SHA3-512",
+ "BLAKE2b-256",
+ "BLAKE2b-384",
+ "BLAKE2b-512",
+ "BLAKE3"
+ ]
+ },
+ "hashValue": {
+ "type": "string",
+ "title": "Hash Value",
+ "description": "The value of the hash.",
+ "examples": ["3942447fac867ae5cdb3229b658f4d48"],
+ "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"
+ },
+ "mediaType": {
+ "type": "string",
+ "title": "Media Type",
+ "description": "The media type of the object.
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.",
+ "examples": [
+ "text/plain",
+ "application/json",
+ "image/png"
+ ],
+ "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
+ },
+ "attachment": {
+ "type": "object",
+ "title": "Attachment",
+ "description": "Specifies the metadata and content for an attachment.",
+ "required": [
+ "content"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "mediaType": {
+ "$ref": "#/$defs/mediaType"
+ },
+ "encoding": {
+ "type": "string",
+ "title": "Encoding",
+ "description": "Specifies the optional encoding the text is represented in.",
+ "enum": [
+ "base64"
+ ],
+ "meta:enum": {
+ "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."
+ }
+ },
+ "content": {
+ "type": "string",
+ "title": "Attachment Text",
+ "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."
+ }
+ }
+ },
+ "base64": {
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$",
+ "description": "A Base64-encoded string."
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/$defs/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "externalReference": {
+ "type": "object",
+ "title": "External Reference",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM.
They may also establish specific relationships within or external to the BOM.",
+ "required": [
+ "url",
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "url": {
+ "anyOf": [
+ {
+ "title": "URL",
+ "type": "string",
+ "format": "iri-reference"
+ },
+ {
+ "title": "BOM-Link",
+ "$ref": "#/$defs/bomLink"
+ }
+ ],
+ "title": "URL",
+ "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."
+ },
+ "comment": {
+ "type": "string",
+ "title": "Comment",
+ "description": "An optional comment describing the external reference"
+ },
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "Specifies the type of external reference.",
+ "enum": [
+ "vcs",
+ "issue-tracker",
+ "website",
+ "advisories",
+ "bom",
+ "mailing-list",
+ "social",
+ "chat",
+ "documentation",
+ "support",
+ "source-distribution",
+ "distribution",
+ "distribution-intake",
+ "license",
+ "build-meta",
+ "build-system",
+ "release-notes",
+ "security-contact",
+ "model-card",
+ "log",
+ "configuration",
+ "evidence",
+ "formulation",
+ "attestation",
+ "threat-model",
+ "adversary-model",
+ "risk-assessment",
+ "vulnerability-assertion",
+ "exploitability-statement",
+ "pentest-report",
+ "static-analysis-report",
+ "dynamic-analysis-report",
+ "runtime-analysis-report",
+ "component-analysis-report",
+ "maturity-report",
+ "certification-report",
+ "codified-infrastructure",
+ "quality-metrics",
+ "poam",
+ "electronic-signature",
+ "digital-signature",
+ "rfc-9116",
+ "other"
+ ],
+ "meta:enum": {
+ "vcs": "Version Control System",
+ "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system",
+ "website": "Website",
+ "advisories": "Security advisories",
+ "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)",
+ "mailing-list": "Mailing list or discussion group",
+ "social": "Social media account",
+ "chat": "Real-time chat platform",
+ "documentation": "Documentation, guides, or how-to instructions",
+ "support": "Community or commercial support",
+ "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.",
+ "distribution": "Direct or repository download location",
+ "distribution-intake": "The location where a component was published to.
This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.",
+ "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.",
+ "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)",
+ "build-system": "Reference to an automated build system",
+ "release-notes": "Reference to release notes",
+ "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.",
+ "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.",
+ "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.",
+ "configuration": "Parameters or settings that may be used by other components or services.",
+ "evidence": "Information used to substantiate a claim.",
+ "formulation": "Describes how a component or service was manufactured or deployed.",
+ "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.",
+ "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.",
+ "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.",
+ "risk-assessment": "Identifies and analyzes the potential of future events
that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.",
+ "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.",
+ "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.",
+ "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.",
+ "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.",
+ "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.",
+ "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.",
+ "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.",
+ "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.",
+ "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.",
+ "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure
as Code (IaC).",
+ "quality-metrics": "Report or system in which quality metrics can be obtained.",
+ "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
+ "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.",
+ "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
+ "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)",
+ "other": "Use this if no other types accurately describe the purpose of the external reference."
+ }
+ },
+ "hashes": {
+ "type": "array",
+ "items": {"$ref": "#/$defs/hash"},
+ "title": "Hashes",
+ "description": "The hashes of the external reference (if applicable)."
+ }
+ }
+ },
+ "postalAddress": {
+ "type": "object",
+ "title": "Postal address",
+ "description": "An address used to identify a contactable location.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
+ "$ref": "#/$defs/refType"
+ },
+ "country": {
+ "type": "string",
+ "title": "Country",
+ "description": "The country name or the two-letter ISO 3166-1 country code."
+ },
+ "region": {
+ "type": "string",
+ "title": "Region",
+ "description": "The region or state in the country.",
+ "examples": [ "Texas" ]
+ },
+ "locality": {
+ "type": "string",
+ "title": "Locality",
+ "description": "The locality or city within the country.",
+ "examples": [ "Austin" ]
+ },
+ "postOfficeBoxNumber": {
+ "type": "string",
+ "title": "Post Office Box Number",
+ "description": "The post office box number.",
+ "examples": [ "901" ]
+ },
+ "postalCode": {
+ "type": "string",
+ "title": "Postal Code",
+ "description": "The postal code.",
+ "examples": [ "78758" ]
+ },
+ "streetAddress": {
+ "type": "string",
+ "title": "Street Address",
+ "description": "The street address.",
+ "examples": [ "100 Main Street" ]
+ }
+ }
+ },
+ "organizationalEntity": {
+ "type": "object",
+ "title": "Organizational Entity",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "name": {
+ "type": "string",
+ "title": "Organization Name",
+ "description": "The name of the organization",
+ "examples": [
+ "Example Inc."
+ ]
+ },
+ "address": {
+ "$ref": "#/$defs/postalAddress",
+ "title": "Organization Address",
+ "description": "The physical address (location) of the organization"
+ },
+ "url": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Organization URL(s)",
+ "description": "The URL of the organization. Multiple URLs are allowed.",
+ "examples": ["https://example.com"]
+ },
+ "contact": {
+ "type": "array",
+ "title": "Organizational Contact",
+ "description": "A contact at the organization.
Multiple contacts are allowed.",
+ "items": {"$ref": "#/$defs/organizationalContact"}
+ }
+ }
+ },
+ "organizationalContact": {
+ "type": "object",
+ "title": "Organizational Contact",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of a contact",
+ "examples": ["Contact name"]
+ },
+ "email": {
+ "type": "string",
+ "format": "idn-email",
+ "title": "Email Address",
+ "description": "The email address of the contact.",
+ "examples": ["firstname.lastname@example.com"]
+ },
+ "phone": {
+ "type": "string",
+ "title": "Phone",
+ "description": "The phone number of the contact.",
+ "examples": ["800-555-1212"]
+ }
+ }
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "items": {
+ "$ref": "#/$defs/property"
+ }
+ },
+ "property": {
+ "type": "object",
+ "title": "Lightweight name-value pair",
+ "description": "Provides the ability to document properties in a name-value store.
This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the property."
+ }
+ },
+ "additionalProperties": false
+ },
+ "extensibleProperties": {
+ "type": "object",
+ "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organisations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:.
This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).",
+ "examples": [
+ "ext::",
+ "ext:acme.org:myExtension"
+ ],
+ "patternProperties": {
+ "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": {
+ "if": {
+ "type": ["object", "array"]
+ },
+ "then": {
+ "type": "object",
+ "required": ["$schema"],
+ "properties": {
+ "$schema": {
+ "type": "string",
+ "format": "uri"
+ }
+ },
+ "additionalProperties": true
+ },
+ "else": {
+ "type": ["string", "number", "boolean", "null"]
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
+ "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
+ },
+
+
+
+
+
+
+ "commit": {
+ "type": "object",
+ "title": "Commit",
+ "description": "Specifies an individual commit",
+ "additionalProperties": false,
+ "properties": {
+ "uid": {
+ "type": "string",
+ "title": "UID",
+ "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The URL to the commit.
This URL will typically point to a commit in a version control system.",
+ "format": "iri-reference"
+ },
+ "author": {
+ "title": "Author",
+ "description": "The author who created the changes in the commit",
+ "$ref": "#/$defs/identifiableAction"
+ },
+ "committer": {
+ "title": "Committer",
+ "description": "The person who committed or pushed the commit",
+ "$ref": "#/$defs/identifiableAction"
+ },
+ "message": {
+ "type": "string",
+ "title": "Message",
+ "description": "The text description of the contents of the commit"
+ }
+ }
+ },
+ "patch": {
+ "type": "object",
+ "title": "Patch",
+ "description": "Specifies an individual patch",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "unofficial",
+ "monkey",
+ "backport",
+ "cherry-pick"
+ ],
+ "meta:enum": {
+ "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).",
+ "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).",
+ "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).",
+ "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software."
+ },
+ "title": "Patch Type",
+ "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."
+ },
+ "diff": {
+ "title": "Diff",
+ "description": "The patch file (or diff) that shows changes.
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)",
+ "$ref": "#/$defs/diff"
+ },
+ "resolves": {
+ "type": "array",
+ "items": {"$ref": "#/$defs/issue"},
+ "title": "Resolves",
+ "description": "A collection of issues the patch resolves"
+ }
+ }
+ },
+ "diff": {
+ "type": "object",
+ "title": "Diff",
+ "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff",
+ "additionalProperties": false,
+ "properties": {
+ "text": {
+ "title": "Diff text",
+ "description": "Specifies the optional text of the diff",
+ "$ref": "#/$defs/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "Specifies the URL to the diff",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "issue": {
+ "type": "object",
+ "title": "Issue",
+ "description": "An individual issue that has been resolved.",
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": [
+ "defect",
+ "enhancement",
+ "security"
+ ],
+ "meta:enum": {
+ "defect": "A fault, flaw, or bug in software.",
+ "enhancement": "A new feature or behavior in software.",
+ "security": "A special type of defect which impacts security."
+ },
+ "title": "Issue Type",
+ "description": "Specifies the type of issue"
+ },
+ "id": {
+ "type": "string",
+ "title": "Issue ID",
+ "description": "The identifier of the issue assigned by the source of the issue"
+ },
+ "name": {
+ "type": "string",
+ "title": "Issue Name",
+ "description": "The name of the issue"
+ },
+ "description": {
+ "type": "string",
+ "title": "Issue Description",
+ "description": "A description of the issue"
+ },
+ "source": {
+ "type": "object",
+ "title": "Source",
+ "description": "The source of the issue where it is documented",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the source.",
+ "examples": [
+ "National Vulnerability Database",
+ "NVD",
+ "Apache"
+ ]
+ },
+ "url": {
+ "type": "string",
+ "title": "URL",
+ "description": "The url of the issue documentation as provided by the source",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "references": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "References",
+ "description": "A collection of URL's for reference. Multiple URLs are allowed.",
+ "examples": ["https://example.com"]
+ }
+ }
+ },
+ "identifiableAction": {
+ "type": "object",
+ "title": "Identifiable Action",
+ "description": "Specifies an individual commit",
+ "additionalProperties": false,
+ "properties": {
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The timestamp in which the action occurred"
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the individual who performed the action"
+ },
+ "email": {
+ "type": "string",
+ "format": "idn-email",
+ "title": "E-mail",
+ "description": "The email address of the individual who performed the action"
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json
new file mode 100644
index 00000000..2daee21d
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-component-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Component",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-composition-2.0.schema.json b/schema/2.0/model/cyclonedx-composition-2.0.schema.json
new file mode 100644
index 00000000..465feb0a
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-composition-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-composition-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Composition",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
new file mode 100644
index 00000000..9ad0d7d8
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-cryptography-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Cryptography",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
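Review bot: The `$id` on the third added line of this stub, and of every other stub model in this commit (composition, cryptography, declaration, definition, dependency, formulation, license, licensing, metadata, patent, patent-assertion, patent-family, release-notes, service, standard, vulnerability), is `http://localhost:8080/schema/2.0/...`, which is neither a publishable canonical URI nor the path the file actually lives at — the file is under `schema/2.0/model/` but the `$id` omits the `model/` segment, so base-URI `$ref` resolution from the top-level schema will look in the wrong place. The `$id` should be the URI the schema will be served from, e.g. `"$id": "https://<canonical-host>/schema/2.0/model/cyclonedx-component-2.0.schema.json"` (host is a placeholder). `"type": "null"` with an empty `$defs` means any `$ref` to this model validates only the literal value null, so until the model is filled in a referencing BOM schema would reject every real component; if this is intentionally a placeholder, say so in the `$comment` (`"$comment": "Placeholder; model definition pending."`) so it is not mistaken for a finished model. Minor: `"$comment" :` spacing differs between stubs (this file vs `"$comment":` in the cryptography stub), and about half of the stubs lack a trailing newline.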
diff --git a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json
new file mode 100644
index 00000000..02670c46
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-declaration-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Declaration",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-definition-2.0.schema.json b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
new file mode 100644
index 00000000..7db505e0
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-definition-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-definition-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Definition",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-dependency-2.0.schema.json b/schema/2.0/model/cyclonedx-dependency-2.0.schema.json
new file mode 100644
index 00000000..4c2ed523
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-dependency-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-dependency-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Dependency",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-formulation-2.0.schema.json b/schema/2.0/model/cyclonedx-formulation-2.0.schema.json
new file mode 100644
index 00000000..ae347c2c
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-formulation-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-formulation-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Formulation",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-license-2.0.schema.json b/schema/2.0/model/cyclonedx-license-2.0.schema.json
new file mode 100644
index 00000000..414c3c80
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-license-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-license-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: License",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-licensing-2.0.schema.json b/schema/2.0/model/cyclonedx-licensing-2.0.schema.json
new file mode 100644
index 00000000..f5a0557b
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-licensing-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-licensing-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Commercial Licensing",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-metadata-2.0.schema.json b/schema/2.0/model/cyclonedx-metadata-2.0.schema.json
new file mode 100644
index 00000000..85262e30
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-metadata-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-metadata-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Metadata",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-patent-2.0.schema.json b/schema/2.0/model/cyclonedx-patent-2.0.schema.json
new file mode 100644
index 00000000..601e375f
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-patent-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-patent-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Patent",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-patent-assertion-2.0.schema.json b/schema/2.0/model/cyclonedx-patent-assertion-2.0.schema.json
new file mode 100644
index 00000000..ab1304e5
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-patent-assertion-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-patent-asseretion-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Patent Assertion",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-patent-family-2.0.schema.json b/schema/2.0/model/cyclonedx-patent-family-2.0.schema.json
new file mode 100644
index 00000000..ec1f4a2d
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-patent-family-2.0.schema.json
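Review bot: The `$id` in the patent-assertion stub misspells its own file name as `cyclonedx-patent-asseretion-2.0.schema.json`, while the `+++` header and every sibling stub use the `cyclonedx-patent-assertion-2.0.schema.json` spelling; a `$ref` built from the real file name would not match this schema's declared identifier under base-URI resolution, so the typo will surface only as an unresolved reference at validation time. Change the line to `"$id": "http://localhost:8080/schema/2.0/cyclonedx-patent-assertion-2.0.schema.json"` (the host itself is a separate point raised on the component stub).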
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-patent-family-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Patent Family",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-release-notes-2.0.schema.json b/schema/2.0/model/cyclonedx-release-notes-2.0.schema.json
new file mode 100644
index 00000000..e3eec3f7
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-release-notes-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-release-notes-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Release Notes",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-service-2.0.schema.json b/schema/2.0/model/cyclonedx-service-2.0.schema.json
new file mode 100644
index 00000000..42c8f708
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-service-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-service-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Service",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-standard-2.0.schema.json b/schema/2.0/model/cyclonedx-standard-2.0.schema.json
new file mode 100644
index 00000000..f4fcb436
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-standard-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-standard-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Standard",
+ "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file
diff --git a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json
new file mode 100644
index 00000000..e17afb26
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "http://localhost:8080/schema/2.0/cyclonedx-vulnerability-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Transparency Expression Language: Vulnerability",
+ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+ "$defs": {
+ }
+}
\ No newline at end of file