CycloneDX · stevespringett · Jun 15, 2025
@@ -0,0 +1,32 @@
+# CycloneDX 2.0 Schemas
+
+This directory contains the official JSON Schema definitions for CycloneDX 2.0, as standardised in [ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). These schemas constitute the normative implementation of the CycloneDX specification and are intended for use in validation, tooling, and data exchange.
+
+## Schema Overview
+
+| File                                                                                 | Description                                                                                                                                                                             |
+|--------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`cyclonedx-2.0.schema.json`](./cyclonedx-2.0.schema.json)                           | The normative schema for CycloneDX Bill of Materials (BOM) documents. This schema references modular models and defines the complete structure for expressing inventories and metadata. |
+| [`cyclonedx-api-2.0.schema.json`](./cyclonedx-api-2.0.schema.json)                   | The normative API-focused schema. It reuses CycloneDX models but is structured for compatibility with request/response patterns in service architectures.                               |
+| [`cyclonedx-combined-2.0.schema.json`](./cyclonedx-combined-2.0.schema.json)         | A fully resolved version of the BOM schema with all external model references inlined. Useful for systems that require a self-contained schema.                                         |
+| [`cyclonedx-api-combined-2.0.schema.json`](./cyclonedx-api-combined-2.0.schema.json) | The combined version of the API schema with all model definitions embedded. Suitable for use in tools or validators that do not support `$ref` resolution.                              |
+
+## Modularity and Model Composition
+
+CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, services, vulnerabilities, licensing, and AI/ML metadata—are encapsulated in reusable model definitions located in the [`model/`](./model) directory.
+
+This modular architecture promotes:
+
+- **Consistency** across multiple schema contexts
+- **Reusability** of models within and beyond CycloneDX
+- **Clarity and maintainability** for implementers
+
+## Combined Schemas
+
+The `*-combined` schema files are auto-generated from the normative schemas by resolving all references. These are provided for convenience and do not supersede the authoritative pre-defined schemas.
+
+## Related Resources
+
+- CycloneDX Website: [https://cyclonedx.org](https://cyclonedx.org)
+- ECMA-424 Publication: [https://ecma-international.org/publications-and-standards/standards/ecma-424/](https://ecma-international.org/publications-and-standards/standards/ecma-424/)
+- Model Definitions: See [`model/README.md`](./model/README.md)
@@ -0,0 +1,52 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "http://localhost:8080/schema/2.0/cyclonedx-2.0.schema.json",
+  "type": "object",
+  "title": "CycloneDX Transparency Expression Language",
+  "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+  "required": [
+    "specFormat",
+    "specVersion"
+  ],
+  "additionalProperties": false,
+  "properties": {
+    "$schema": {
+      "type": "string"
+    },
+    "specFormat": {
+      "type": "string",
+      "title": "Specification Format",
+      "description": "Specifies the format. This value must be \"CycloneDX\".",
+      "enum": [
+        "CycloneDX"
+      ]
+    },
+    "specVersion": {
+      "type": "string",
+      "title": "Specification Version",
+      "description": "The version of the CycloneDX specification the BOM conforms to.",
+      "examples": [
+        "2.0"
+      ]
+    },
+    "serialNumber": {
+      "type": "string",
+      "title": "BOM Serial Number",
+      "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.",
+      "examples": [
+        "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+      ],
+      "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+    },
+    "version": {
+      "type": "integer",
+      "title": "BOM Version",
+      "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.",
+      "minimum": 1,
+      "default": 1
+    }
+  },
+  "allOf": [
+    { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/extensibleProperties" }
+  ]
+}
@@ -0,0 +1,10 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "http://localhost:8080/schema/2.0/cyclonedx-api-2.0.schema.json",
+  "type": "object",
+  "title": "CycloneDX Transparency Expression Language: API",
+  "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+  "$defs": {
+
+  }
+}
@@ -0,0 +1,40 @@
+# CycloneDX 2.0 Model Definitions
+
+This directory contains the modular JSON Schema definitions that constitute the building blocks of the CycloneDX 2.0 specification.
+
+## Purpose
+
+The model definitions are:
+
+- **Reusable** across different schemas such as `bom.schema.json` and `api.schema.json`
+- **Compositional**, enabling coherent and maintainable schema evolution
+- **Portable**, supporting external reuse outside the CycloneDX context
+
+Each file in this directory defines a discrete concept and adheres to the CycloneDX data modelling conventions.
+
+These models are compiled into the schemas in the parent directory, ensuring consistency and maximising reuse.
+
+| Schema File                                                                                        | Purpose                                                                                                 |
+|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| [`cyclonedx-ai-model-parameters-2.0.schema.json`](./cyclonedx-ai-model-parameters-2.0.schema.json) | Defines configuration and metadata for AI/ML training, evaluation, and deployment parameters.           |
+| [`cyclonedx-ai-modelcard-2.0.schema.json`](./cyclonedx-ai-modelcard-2.0.schema.json)               | Describes AI/ML model cards including intended use, limitations, and ethical considerations.            |
+| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json)                   | Represents human or automated comments about BOM elements, such as components or services.              |
+| [`cyclonedx-common-2.0.schema.json`](./cyclonedx-common-2.0.schema.json)                           | Provides common types and base definitions used across all other schemas.                               |
+| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json)                     | Models hardware, software, data, cryptographic, and AI components and their attributes.                 |
+| [`cyclonedx-composition-2.0.schema.json`](./cyclonedx-composition-2.0.schema.json)                 | Indicates the known and unknown completeness of BOM elements and their relationships.                   |
+| [`cyclonedx-cryptography-2.0.schema.json`](./cyclonedx-cryptography-2.0.schema.json)               | Defines cryptographic properties, including algorithms, keys, and post-quantum cryptographic readiness. |
+| [`cyclonedx-declaration-2.0.schema.json`](./cyclonedx-declaration-2.0.schema.json)                 | Structures conformance declarations, claims, attestations, and associated evidence.                     |
+| [`cyclonedx-definition-2.0.schema.json`](./cyclonedx-definition-2.0.schema.json)                   | Contains reusable definitions and enums referenced by other schemas.                                    |
+| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json)                   | Captures dependency relationships among components and services in the BOM.                             |
+| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json)                 | Describes the process of manufacturing, building, or deploying a component or service.                  |
+| [`cyclonedx-license-2.0.schema.json`](./cyclonedx-license-2.0.schema.json)                         | Models software licences using SPDX IDs, named licences, and optional full text.                        |
+| [`cyclonedx-licensing-2.0.schema.json`](./cyclonedx-licensing-2.0.schema.json)                     | Expands on licence metadata with purchaser, licensee, terms, and validity periods.                      |
+| [`cyclonedx-metadata-2.0.schema.json`](./cyclonedx-metadata-2.0.schema.json)                       | Contains metadata about the BOM, such as authorship, tools used, and timestamps.                        |
+| [`cyclonedx-patent-2.0.schema.json`](./cyclonedx-patent-2.0.schema.json)                           | Represents patents relevant to components, including jurisdiction and legal status.                     |
+| [`cyclonedx-patent-assertion-2.0.schema.json`](./cyclonedx-patent-assertion-2.0.schema.json)       | Defines legal claims or disclaimers associated with patents.                                            |
+| [`cyclonedx-patent-family-2.0.schema.json`](./cyclonedx-patent-family-2.0.schema.json)             | Groups related patents across different jurisdictions into patent families.                             |
+| [`cyclonedx-release-notes-2.0.schema.json`](./cyclonedx-release-notes-2.0.schema.json)             | Specifies structured release note content, including changes and version history.                       |
+| [`cyclonedx-service-2.0.schema.json`](./cyclonedx-service-2.0.schema.json)                         | Models services such as APIs or microservices, including endpoints and interactions.                    |
+| [`cyclonedx-standard-2.0.schema.json`](./cyclonedx-standard-2.0.schema.json)                       | Describes standards, regulations, and frameworks referenced in BOM declarations.                        |
+| [`cyclonedx-vulnerability-2.0.schema.json`](./cyclonedx-vulnerability-2.0.schema.json)             | Details vulnerabilities, including severity, remediation, and advisories.                               |
+
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "http://localhost:8080/schema/2.0/cyclonedx-ai-model-parameters-2.0.schema.json",
+  "type": "null",
+  "title": "CycloneDX Transparency Expression Language: AI Model Parameters",
+  "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+  "$defs": {
+  }
+}
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "http://localhost:8080/schema/2.0/cyclonedx-ai-modelcard-2.0.schema.json",
+  "type": "null",
+  "title": "CycloneDX Transparency Expression Language: AI Model Card",
+  "$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+  "$defs": {
+  }
+}
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "http://localhost:8080/schema/2.0/cyclonedx-annotation-2.0.schema.json",
+  "type": "null",
+  "title": "CycloneDX Transparency Expression Language: Annotation",
+  "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+  "$defs": {
+  }
+}