[WIP] CycloneDX v2.0 Specification

.github/workflows/bundle_2.0_schemas.yml

@@ -0,0 +1,59 @@
+name: Bundle CycloneDX 2.0 JSON Schemas
+
+on:
+  push:
+    branches:
+      - 2.0-dev
+      - 2.0-dev-threatmodeling
+    paths:
+      - 'schema/2.0/**/*.schema.json'
+      - 'tools/src/main/js/bundler/bundle-schemas.js'
+  workflow_dispatch:  # Allows manual trigger
+
+jobs:
+  bundle-schemas:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # Required to push changes
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        working-directory: tools/src/main/js/bundler
+        run: npm install
+
+      - name: Bundle schemas
+        working-directory: tools/src/main/js/bundler
+        run: |
+          node bundle-schemas.js \
+            ../../../../../schema/2.0/model \
+            ../../../../../schema/2.0/cyclonedx-2.0.schema.json
+
+      - name: Check for changes and commit
+        run: |
+          BUNDLED_FILE="schema/2.0/cyclonedx-2.0-bundled.schema.json"
+          MINIFIED_FILE="schema/2.0/cyclonedx-2.0-bundled.min.schema.json"
+
+          # Add both files (works for both new and modified files)
+          git add "$BUNDLED_FILE" "$MINIFIED_FILE"
+
+          # Check if there are staged changes
+          if git diff --staged --quiet; then
+            echo "No changes to bundled schemas"
+          else
+            echo "Committing bundled schema changes"
+            git config --local user.email "github-actions[bot]@users.noreply.github.com"
+            git config --local user.name "github-actions[bot]"
+            git commit -m "chore: update bundled schemas [skip ci]"
+            git push
+          fi

docgen/json/gen.sh

@@ -2,6 +2,7 @@
 set -eu
 
 declare -a CDX_VERSIONS=(
+  '2.0'
   '1.7'
   '1.6'
   '1.5'
@@ -44,11 +45,15 @@ generate () {
   local title="CycloneDX v${version} JSON Reference"
   echo "Generating: $title"
 
-  local SCHEMA_FILE="$SCHEMA_PATH/bom-${version}.schema.json"
-  local STRICT_SCHEMA_FILE="$SCHEMA_PATH/bom-${version}-strict.schema.json"
-  if [ -f "$STRICT_SCHEMA_FILE" ]
-  then
+  local SCHEMA_FILE
+  if [[ "$version" == 1.* ]]; then
+    SCHEMA_FILE="$SCHEMA_PATH/bom-${version}.schema.json"
+    local STRICT_SCHEMA_FILE="$SCHEMA_PATH/bom-${version}-strict.schema.json"
+    if [ -f "$STRICT_SCHEMA_FILE" ]; then
       SCHEMA_FILE="$STRICT_SCHEMA_FILE"
+    fi
+  else
+    SCHEMA_FILE="$SCHEMA_PATH/${version}/cyclonedx-${version}-bundled.schema.json"
   fi
   echo "SCHEMA_FILE: $SCHEMA_FILE"
 

docgen/json/requirements.txt

@@ -1 +1 @@
-json-schema-for-humans==1.3.4
+json-schema-for-humans==1.5.1

docgen/json/templates/cyclonedx/base.html

@@ -40,6 +40,8 @@
                     v${version} (JSON)
                 </a>
                 <ul class="dropdown-menu" aria-labelledby="navbarScrollingDropdown">
+                    <li><a class="dropdown-item" href="/docs/2.0/json/">v2.0 (JSON)</a></li>
+                    <li><hr class="dropdown-divider"/></li>
                     <li><a class="dropdown-item" href="/docs/1.7/json/">v1.7 (JSON)</a></li>
                     <li><a class="dropdown-item" href="/docs/1.6/json/">v1.6 (JSON)</a></li>
                     <li><a class="dropdown-item" href="/docs/1.5/json/">v1.5 (JSON)</a></li>

docgen/json/templates/cyclonedx/section_properties.html

@@ -15,13 +15,13 @@ <h2 class="mb-0">
                         </em>
                     {%- endif -%}
                     {%- if sub_property.is_required_property -%}
-                        {{ " " }}<span class="badge required-property">Required</span>
+                        {{ " " }}<span class="badge badge-warning required-property">Required</span>
                     {%- endif -%}
-                    {%- if sub_property is deprecated -%}
-                        {{ " " }}<span class="badge deprecated-property">Deprecated</span>
+                    {%- if sub_property is deprecated or sub_property.kw_deprecated -%}
+                        {{ " " }}<span class="badge badge-danger deprecated-property">Deprecated</span>
                     {%- endif -%}
                     {%- if sub_property.is_pattern_property -%}
-                        {{ " " }}<span class="badge pattern-property">Pattern Property</span>
+                        {{ " " }}<span class="badge badge-info pattern-property">Pattern Property</span>
                     {%- endif -%}
                 </button>
             </h2>
@@ -35,7 +35,7 @@ <h2 class="mb-0">
                     <h2 class="handle">
                         <label>Pattern Property</label>
                     </h2>
-                    <p>All property whose name matches the following regular expression must respect the following conditions</p>
+                    <p>All properties whose name matches the following regular expression must respect the following conditions</p>
                     <span class="pattern-value">Property name regular expression: <code>{{ sub_property.property_name | escape }}</code></span>
                     <br/>
                 {%- endif -%}
@@ -52,4 +52,4 @@ <h2 class="handle">
             </div>
         </div>
     </div>
-</div>
+</div>

docgen/proto/templates/html.tmpl

@@ -271,6 +271,8 @@ https://github.com/pseudomuto/protoc-gen-doc/blob/master/resources/html.tmpl
                     v${version} (Protobuf)
                 </a>
                 <ul class="dropdown-menu" aria-labelledby="navbarScrollingDropdown">
+                    <li><a class="dropdown-item" href="/docs/2.0/json/">v2.0 (JSON)</a></li>
+                    <li><hr class="dropdown-divider"/></li>
                     <li><a class="dropdown-item" href="/docs/1.7/json/">v1.7 (JSON)</a></li>
                     <li><a class="dropdown-item" href="/docs/1.6/json/">v1.6 (JSON)</a></li>
                     <li><a class="dropdown-item" href="/docs/1.5/json/">v1.5 (JSON)</a></li>

docgen/xml/xs3p.xsl

@@ -340,6 +340,8 @@
                         <li class="dropdown">
                            <a href="#" class="dropdown-toggle version-selector" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">v<xsl:value-of select="$cycloneDxVersion"/> (XML)<span class="caret"></span></a>
                            <ul class="dropdown-menu">
+                              <li><a class="dropdown-item" href="/docs/2.0/json/">v2.0 (JSON)</a></li>
+                              <li style="padding:0"><hr class="dropdown-divider"/></li>
                               <li><a class="dropdown-item" href="/docs/1.7/json/">v1.7 (JSON)</a></li>
                               <li><a class="dropdown-item" href="/docs/1.6/json/">v1.6 (JSON)</a></li>
                               <li><a class="dropdown-item" href="/docs/1.5/json/">v1.5 (JSON)</a></li>

schema/2.0/README.md

@@ -0,0 +1,37 @@
+# CycloneDX 2.0 Schemas
+
+This directory contains the official JSON Schema definitions for CycloneDX 2.0, as standardised in 
+[ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). 
+These schemas constitute the normative implementation of the CycloneDX specification and are intended for use in 
+validation, tooling, and data exchange.
+
+## Schema Overview
+
+| File                                                                                 | Description                                                                                                                                                                             |
+|--------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`cyclonedx-2.0.schema.json`](./cyclonedx-2.0.schema.json)                           | The normative schema for CycloneDX Bill of Materials (BOM) documents. This schema references modular models and defines the complete structure for expressing inventories and metadata. |
+| [`cyclonedx-2.0-bundled.schema.json`](./cyclonedx-2.0-bundled.schema.json)         | A fully resolved version of the BOM schema with all external model references inlined. Useful for systems that require a self-contained schema.                                         |
+| [`cyclonedx-api-2.0.schema.json`](./cyclonedx-api-2.0.schema.json)                   | The normative API-focused schema. It reuses CycloneDX models but is structured for compatibility with request/response patterns in service architectures.                               |
+| [`cyclonedx-api-2.0-bundled.schema.json`](./cyclonedx-api-2.0-bundled.schema.json) | The combined version of the API schema with all model definitions embedded. Suitable for use in tools or validators that do not support `$ref` resolution.                              |
+
+## Modularity and Model Composition
+
+CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, services, vulnerabilities, 
+licensing, and AI/ML metadata, are encapsulated in reusable model definitions located in the [`model/`](./model) directory.
+
+This modular architecture promotes:
+
+- **Consistency** across multiple schema contexts
+- **Reusability** of models within and beyond CycloneDX
+- **Clarity and maintainability** for implementers
+
+## Bundled Schemas
+
+The `*-bundled` schema files are auto-generated from the normative schemas by resolving all references. 
+These are provided for convenience and do not supersede the authoritative pre-defined schemas.
+
+## Related Resources
+
+- CycloneDX Website: [https://cyclonedx.org](https://cyclonedx.org)
+- ECMA-424 Publication: [https://ecma-international.org/publications-and-standards/standards/ecma-424/](https://ecma-international.org/publications-and-standards/standards/ecma-424/)
+- Model Definitions: See [`model/README.md`](./model/README.md)